Generate PKCS #10 certificate request
This article describes the syntax for how to generate a PKCS #10 certificate request. The hwsetup command line tool, included in Nexus Certificate Manager (CM), is used.
Syntax
Syntax: Generate PKCS #10 certificate request
hwsetup -libname <pkcs11lib> [-slot <slot#>] [-pin <PIN>] [-nopinpad]
[-id <CKA_ID>] [-label <CKA_LABEL>] [-login user|so]
-genreq <subject DN>] [-file <filename>] [-keyalg <algorithm>]
[-keyusage [<names>]] [-signalg <algorithm>]
Options and arguments
For a description of the options libname
, slot
, pin
, nopinpad
, and login
and their arguments, see Generate DSA/EC/RSA key pair.
Options and Arguments | Description |
---|---|
genreq <subject DN> | Use this option to create a request for issue of a certificate. Replace <subject DN> with the subject distinguished name in RFC2253 format, for the certificate. Use either the id or label option to specify the key pair for the certificate request. |
id <CKA_ID> | Use the key pair with the specified CKA_ID value. |
label <CKA_LABEL> | Use the key pair with the specified CKA_LABEL value. |
file <filename> | Use this option to specify the file the request shall be written to. Default: certreq.txt |
keyalg <algorithm> | Use this option to specify an OAEP or PSS algorithm for an RSA public key. For example, RSAES-OAEP, RSASSA-PSS or SHA256withRSAandMGF1. Default: RSA |
keyusage [<names>] | Use this option to create a KeyUsage extension in the certificate request. If any <names> are not specified, the operation attributes of the public key are used to create the extension. The following, comma separated, names can be used: digitalSignature , nonRepudiation , keyEncipherment , dataEncipherment , keyAgreement , encipherOnly , decipherOnly . Default: extension not created |
signalg <algorithm> | Use this option to specify the signature algorithm, for example, SHA384withECDSA or SHA256withRSAandMGF1. Default: SHA256withDSA, -ECDSA, -RSA |
Example
To generate a PKCS #10 certificate request and store it in the file certreq.txt:
Example: Generate PKCS #10 certificate request and store in file certreq.txt
hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genreq "cn=Test, o=Nexus"
Send certreq.txt to the CA so that the certificate can be issued.