Skip to main content
Skip table of contents

Generate PKCS #10 certificate request

This article is valid from CM 8.0.

This article describes the syntax for how to generate a PKCS #10 certificate request. The hwsetup command line tool, included in Nexus Certificate Manager (CM), is used.


Syntax: Generate PKCS #10 certificate request

hwsetup -libname <pkcs11lib> [-slot <slot#>] [-pin <PIN>] [-nopinpad]
[-id <CKA_ID>] [-label <CKA_LABEL>] [-login user|so]
-genreq <subject DN>] [-file <filename>] [-keyalg <algorithm>]
[-keyusage [<names>]] [-signalg <algorithm>]

Options and arguments

For a description of the options libnameslotpin, nopinpad, and login and their arguments, see Generate DSA/EC/RSA key pair.

Options and ArgumentsDescription
genreq <subject DN> Use this option to create a request for issue of a certificate. Replace <subject DN> with the subject distinguished name in RFC2253 format, for the certificate. Use either the id or label option to specify the key pair for the certificate request.
id <CKA_ID>Use the key pair with the specified CKA_ID value.
label <CKA_LABEL>Use the key pair with the specified CKA_LABEL value.
file <filename> Use this option to specify the file the request shall be written to. Default: certreq.txt
keyalg <algorithm>Use this option to specify an OAEP or PSS algorithm for an RSA public key. For example, RSAES-OAEP, RSASSA-PSS or SHA256withRSAandMGF1. Default: RSA
keyusage [<names>]Use this option to create a KeyUsage extension in the certificate request. If any <names> are not specified, the operation attributes of the public key are used to create the extension. The following, comma separated, names can be used: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, decipherOnly. Default: extension not created
signalg <algorithm>Use this option to specify the signature algorithm, for example, SHA384withECDSA or SHA256withRSAandMGF1. Default: SHA256withDSA, -ECDSA, -RSA


To generate a PKCS #10 certificate request and store it in the file certreq.txt:

Example: Generate PKCS #10 certificate request and store in file certreq.txt

hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genreq "cn=Test, o=Nexus"

Send certreq.txt to the CA so that the certificate can be issued.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.