Generate DSA/EC/RSA key pair
This article describes the syntax for generating a DSA, EC or RSA key pair when setting up a hardware token. The hwsetup command line tool, included in Smart ID Certificate Manager (CM), is used.
Syntax
Syntax: Generate DSA/EC/RSA key pair
```
hwsetup -libname <pkcs11lib> [-slot <slot#>] [-pin <PIN>] [-nopinpad]
        [-id <CKA_ID>|-noid] [-label <CKA_LABEL>] [-login user|so] [-extractable] [-force]
        [-gendsa <key length>[:<subprime length>]]
        [-genec <named curve>] [-derive] [-sign]
        [-genrsa <key length>] [-exponent <#>] [-decrypt] [-sign] [-unwrap]
```
Options and arguments
| Options and arguments | Description |
|---|---|
| -libname <pkcs11lib> | Use this option to identify the PKCS#11 library to work with. Replace <pkcs11lib> with the library file name. Note: Do not include the extension in the filename. |
| -slot <slot#> | Use this option to specify the slot number to use. Replace <slot#> with the slot number. |
| -pin <PIN> | Use this option to enter the PIN for the slot. Replace <PIN> with the PIN. |
| -id <CKA_ID> | Use this option to specify the CKA_ID attribute for the key pair. This id is used to associate keys with certificate requests and certificates. Default: A generated id. |
| -noid | Do not generate any CKA_ID. |
| -label <CKA_LABEL> | Use this option to specify the CKA_LABEL attribute for the key pair. Replace <CKA_LABEL> with the label. |
| -login user \| so | Use this option to select how to log in. so stands for "security officer". Default: user |
| -gendsa <key length>[:<subprime length>] | Use this option to generate a DSA key pair. Replace <key length> with the DSA key length and, optionally, <subprime length> with the subprime length. Set the subprime length to :256 to use SHA-256 signatures. Default: 1024:160 |
| -genec <curve name> | Use this option to generate an EC key pair. Replace <curve name> with the OID or name of the desired EC curve. Sets the CKA_SIGN and CKA_VERIFY attributes if neither the -derive nor the -sign option is given. Default: brainpoolP256r1 |
| -genrsa <key length> | Use this option to generate an RSA key pair. Replace <key length> with the RSA key length in bits. |
| -exponent <#> | Use this option to specify the RSA public key exponent. Default: 0x10001 |
| -decrypt | Sets the CKA_ENCRYPT and CKA_DECRYPT attributes for the generated RSA key pair. Default: Not flagged. |
| -derive | Sets the CKA_DERIVE attribute for the generated EC key pair. Default: Not flagged. |
| -sign | Sets the CKA_SIGN and CKA_VERIFY attributes for the generated EC/RSA key pair. Default: Not flagged. |
| -unwrap | Sets the CKA_WRAP and CKA_UNWRAP attributes for the generated RSA key pair. Default: Not flagged. |
| -extractable | Sets the attributes CKA_EXTRACTABLE=true and CKA_SENSITIVE=false for the private key. This is not possible if the HSM is in FIPS mode (FIPS 140-2 level 3). Default: CKA_EXTRACTABLE=false and CKA_SENSITIVE=true. |
| -force | Use this option if you want the utility to replace an existing key with the same ID. Default: Not flagged. |
| -nopinpad | If set, |
Example
To generate an RSA key pair with the key length 2048 bits:
Example: Generate RSA key pair with key length 2048 bits
```
hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genrsa 2048
```
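The following script is an added example and is not part of Smart ID Certificate Manager or the hwsetup tool. It assembles an hwsetup argument vector from a key specification using only the option names and defaults listed in the table above, and lints the specification against the points a key-ceremony reviewer checks first: the 1024:160 DSA default, the -extractable flag (which clears CKA_SENSITIVE and is rejected in FIPS mode), and RSA keys created without any usage flag. The 2048-bit policy floor, the argument order emitted, and the KeySpec/check_spec/build_command names are this example's own assumptions.

```python
"""Build and lint hwsetup key-generation command lines.

Added example; not part of Smart ID Certificate Manager. Only the option
names and defaults from the syntax table are used. The 2048-bit policy floor
and the argument order emitted here are this script's own assumptions.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

DEFAULT_DSA = (1024, 160)          # hwsetup default for -gendsa (from the table)
DEFAULT_CURVE = "brainpoolP256r1"  # hwsetup default for -genec (from the table)
MIN_MODULUS_BITS = 2048            # policy floor for RSA/DSA (assumption)
MIN_DSA_SUBPRIME = 256             # subprime needed for SHA-256 DSA signatures


@dataclass
class KeySpec:
    libname: str                    # PKCS#11 library name, without extension
    kind: str = "rsa"               # "rsa", "ec" or "dsa"
    slot: Optional[int] = None
    key_id: Optional[str] = None    # CKA_ID; None lets hwsetup generate one
    label: Optional[str] = None     # CKA_LABEL
    length: Optional[int] = None    # RSA/DSA key length in bits
    subprime: Optional[int] = None  # DSA subprime length in bits
    curve: Optional[str] = None     # EC named curve or OID
    exponent: Optional[int] = None  # RSA public exponent
    login: str = "user"             # "user" or "so"
    sign: bool = False
    decrypt: bool = False
    unwrap: bool = False
    derive: bool = False
    extractable: bool = False
    force: bool = False
    fips_mode: bool = False         # HSM runs in FIPS 140-2 level 3 mode


def check_spec(spec: KeySpec) -> list:
    """Return policy findings for a spec; an empty list means it passes."""
    findings = []
    if spec.kind == "rsa":
        if spec.length is None:
            findings.append("-genrsa needs an explicit key length")
        elif spec.length < MIN_MODULUS_BITS:
            findings.append(f"RSA modulus of {spec.length} bits is below {MIN_MODULUS_BITS}")
        if not (spec.sign or spec.decrypt or spec.unwrap):
            findings.append("no RSA usage flag (-sign/-decrypt/-unwrap) given; each defaults to not flagged")
    elif spec.kind == "dsa":
        bits = spec.length or DEFAULT_DSA[0]
        sub = spec.subprime or DEFAULT_DSA[1]
        if bits < MIN_MODULUS_BITS:
            findings.append(f"DSA key of {bits} bits is below {MIN_MODULUS_BITS} (tool default is 1024)")
        if sub < MIN_DSA_SUBPRIME:
            findings.append(f"DSA subprime of {sub} bits; use :{MIN_DSA_SUBPRIME} for SHA-256 signatures")
    elif spec.kind != "ec":
        findings.append(f"unknown key kind {spec.kind!r}")
    if spec.extractable:
        if spec.fips_mode:
            findings.append("-extractable is not possible when the HSM is in FIPS 140-2 level 3 mode")
        else:
            findings.append("-extractable sets CKA_SENSITIVE=false: the private key can leave the token")
    return findings


def build_command(spec: KeySpec, pin: Optional[str] = None) -> list:
    """Assemble the hwsetup argument vector for the spec.

    The PIN is only emitted when one is passed in, because a -pin argument is
    visible to every local user in the process list and in shell history.
    """
    argv = ["hwsetup", "-libname", spec.libname]
    if spec.slot is not None:
        argv += ["-slot", str(spec.slot)]
    if pin is not None:
        argv += ["-pin", pin]
    if spec.key_id:
        argv += ["-id", spec.key_id]
    if spec.label:
        argv += ["-label", spec.label]
    if spec.login != "user":
        argv += ["-login", spec.login]
    if spec.kind == "rsa":
        if spec.length is None:
            raise ValueError("RSA key length is required")
        argv += ["-genrsa", str(spec.length)]
        if spec.exponent is not None:
            argv += ["-exponent", hex(spec.exponent)]
        argv += [f for f, on in (("-decrypt", spec.decrypt), ("-sign", spec.sign),
                                 ("-unwrap", spec.unwrap)) if on]
    elif spec.kind == "ec":
        argv += ["-genec", spec.curve or DEFAULT_CURVE]
        argv += [f for f, on in (("-derive", spec.derive), ("-sign", spec.sign)) if on]
    elif spec.kind == "dsa":
        argv += ["-gendsa", f"{spec.length or DEFAULT_DSA[0]}:{spec.subprime or DEFAULT_DSA[1]}"]
    else:
        raise ValueError(f"unknown key kind {spec.kind!r}")
    if spec.extractable:
        argv.append("-extractable")
    if spec.force:
        argv.append("-force")
    return argv


if __name__ == "__main__":
    # Reproduces the page's example: RSA 2048 in slot 1 with CKA_ID "mykey".
    page_example = KeySpec(libname="crypto", kind="rsa", slot=1, key_id="mykey", length=2048)
    print(shlex.join(build_command(page_example, pin="abcd")))
    for finding in check_spec(KeySpec(libname="crypto", kind="dsa")):  # tool defaults
        print("finding:", finding)
```

The argument vector is meant to be handed to subprocess.run() directly rather than joined into a shell string, so a label or curve name is never interpreted by a shell; shlex.join is used only for display. Running check_spec before build_command makes the weak -gendsa default and an accidental -extractable visible before any key is created on the token.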