Generate PKCS #10 certificate request
This article is valid from CM 8.0.
This article describes the syntax for how to generate a PKCS #10 certificate request. The hwsetup command line tool, included in Nexus Certificate Manager (CM), is used.
Syntax
Syntax: Generate PKCS #10 certificate request
TEXT
hwsetup -libname <pkcs11lib> [-slot <slot#>] [-pin <PIN>] [-nopinpad]
[-id <CKA_ID>] [-label <CKA_LABEL>] [-login user|so]
-genreq <subject DN>] [-file <filename>] [-keyalg <algorithm>]
[-keyusage [<names>]] [-signalg <algorithm>]Options and arguments
For a description of the options libname, slot, pin, nopinpad, and login and their arguments, see Generate DSA/EC/RSA key pair.
| Options and Arguments | Description |
|---|---|
| genreq <subject DN> | Use this option to create a request for issue of a certificate. Replace <subject DN> with the subject distinguished name in RFC2253 format, for the certificate. Use either the id or label option to specify the key pair for the certificate request. |
| id <CKA_ID> | Use the key pair with the specified CKA_ID value. |
| label <CKA_LABEL> | Use the key pair with the specified CKA_LABEL value. |
| file <filename> | Use this option to specify the file the request shall be written to. Default: certreq.txt |
| keyalg <algorithm> | Use this option to specify an OAEP or PSS algorithm for an RSA public key. For example, RSAES-OAEP, RSASSA-PSS or SHA256withRSAandMGF1. Default: RSA |
| keyusage [<names>] | Use this option to create a KeyUsage extension in the certificate request. If any <names> are not specified, the operation attributes of the public key are used to create the extension. The following, comma separated, names can be used: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, decipherOnly. Default: extension not created |
| signalg <algorithm> | Use this option to specify the signature algorithm, for example, SHA384withECDSA or SHA256withRSAandMGF1. Default: SHA256withDSA, -ECDSA, -RSA |
Example
To generate a PKCS #10 certificate request and store it in the file certreq.txt:
Example: Generate PKCS #10 certificate request and store in file certreq.txt
TEXT
hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genreq "cn=Test, o=Nexus"Send certreq.txt to the CA so that the certificate can be issued.