cmu certify

This function creates an X.509 V3 certificate from a PKCS #10 certificate request. The parent certificate and corresponding private key must already exist on the token or HSM. The private key is located on the token using the public key information inside the parent certificate.

Syntax

cmu certify -handle=<handle#> -inputfile=<filename> -startDate=<YYYYMMDD> -endDate=<YYYYMMDD> [-label=<label>] [-id=<CKA_ID>] [-certificatepolicy=<policy>] [-private=<T/F>] [-keyids=<value>] [-binary] [-keyusage=<extension(s)>] [-extendedkeyusage=<extension(s)>] [-md5WithRsa] [-sha1WithRsa] [-sha224withrsa] [-sha256withrsa] [-sha384withrsa] [-sha512withrsa] [-sha1withdsa] [-sha1withecdsa] [-sha224withecdsa] [-sha256withecdsa] [-sha384withecdsa] [-sha512withecdsa] [-basicconstraints=<constraints>] [-serialNumber=<hex_SN>] [-certdelete=<handle#>] [-outputfile=<filename>] [-parentlabel=<label>] [-password=<password>] [-ped=<PED_ID>] [-slot=<slot#>]

Arguments

-basicconstraints=<critical,optional,ca:true,ca:false,pathlen:[value < 127]>
Defines constraints applied to the certificate. Can include one or more in a comma-delimited list.

-binary
Defines the created certificate format to be raw binary instead of the default PEM (base64) encoding.

-certdelete=<handle#>
Specifies that the identified certificate (handle#) is to be deleted upon command completion (equivalent to running the cmu delete command separately).

-certificatepolicy=<policy>
Defines the certificate policy to be used.

-endDate=<YYYYMMDD>
Defines the validity end of the certificate, in the format YYYYMMDD.

-extendedkeyusage=<critical,optional,clientauth,serverauth,codesigning,emailprotection,timestamping,ocspsigning>
Defines the permitted additional usage of the key. Can include one or more in a comma-delimited list.

-handle=<handle#>
Defines the handle of the parent certificate. If this parameter is omitted and there is only one certificate on the HSM, that certificate is automatically selected. If this parameter is omitted and there are multiple certificates on the HSM, the user is prompted to select the certificate.

-id=<CKA_ID>
Defines the CKA_ID attribute for the certificate object that gets created on the HSM. If omitted, the CKA_ID attribute of the private key is used instead.

-inputfile=<filename>
Defines the name of the file that contains the PKCS #10 certificate request.

-keyids=<value>
Indicates whether to use a subject key identifier from the parent.
Valid values: 1,0 (True or False)

-keyusage=<extension(s)>
Defines the key usage extension for the certificate. This parameter may appear more than once in the parameter set, to define multiple usages, or it can be used once with a comma-separated list of usage types.
Valid values: digitalsignature,nonrepudiation,keyencipherment,dataencipherment,keyagreement,keycertsign,crlsign,encipheronly,decipheronly

-label=<label>
Defines the label attribute for the certificate object that gets created on the HSM. If omitted, the common name of the subject DN is used instead.

-md5WithRsa
Defines the signature algorithm for the certificate to be pkcs-1-MD5withRSAEncryption. The default is to use sha1WithRsa.

-outputfile=<filename>
Defines the filename for the certificate to be created.

-parentlabel=<label>
Specifies the label attribute for the certificate or key object that is to be used as the parent for the new certificate.

-private=<T/F>
Defines whether the certificate is created in the private space (default is F). Set -private=T to require authentication before applications can use the certificate.

-serialNumber=<hex_SN>
Defines the serial number of the certificate, in big-endian hexadecimal form.

-sha1withdsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA1withDSAEncryption. The default is to use sha1WithRsa.

-sha1withecdsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA1withECDSAEncryption. The default is to use sha1WithRsa.

-sha1WithRsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA1withRSAEncryption. This is the default.

-sha224withecdsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA224withECDSAEncryption. The default is to use sha1WithRsa.

-sha224withrsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA224withRSAEncryption. The default is to use sha1WithRsa.

-sha256withecdsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA256withECDSAEncryption. The default is to use sha1WithRsa.

-sha256withrsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA256withRSAEncryption. The default is to use sha1WithRsa.

-sha384withecdsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA384withECDSAEncryption. The default is to use sha1WithRsa.

-sha384withrsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA384withRSAEncryption. The default is to use sha1WithRsa.

-sha512withecdsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA512withECDSAEncryption. The default is to use sha1WithRsa.

-sha512withrsa
Defines the signature algorithm for the certificate to be pkcs-1-SHA512withRSAEncryption. The default is to use sha1WithRsa.

-startDate=<YYYYMMDD>
Defines the validity start of the certificate, in the format YYYYMMDD.

Common

-password=<password>
The password for the role accessing the current slot, with the current command. If this is not specified, it is prompted.

-ped=<PED_ID>
Specifies the PED ID for the registered Remote PED that will handle authentication for the current slot, with the current command. You must specify this parameter to use Remote PED authentication.

-slot=<slot#>
The slot to be acted upon, by the current command. If this is not specified, it is prompted.

Example

cmu certify -input=testCert.req -h=8

Create and sign a new certificate using certificate 8 as the parent.
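A scripted way to drive the command with every setting stated explicitly, as an added example that is not part of the Luna documentation or the cmu tool: it checks a request against the constraints documented above (YYYYMMDD dates in order, the listed keyusage and extendedkeyusage values, pathlen below 127 and only on a CA certificate) and only emits the SHA-2 signature flags, since the tool's default is sha1WithRsa. It assumes the caller passes the returned argv to subprocess on a host with the Luna client installed; nothing here touches an HSM.

```python
import datetime

# Valid values as documented above for -keyusage and -extendedkeyusage.
KEY_USAGE = {"digitalsignature", "nonrepudiation", "keyencipherment",
             "dataencipherment", "keyagreement", "keycertsign", "crlsign",
             "encipheronly", "decipheronly"}
EXT_KEY_USAGE = {"critical", "optional", "clientauth", "serverauth", "codesigning",
                 "emailprotection", "timestamping", "ocspsigning"}
# Signature flags this wrapper permits: SHA-2 only, because the tool's default
# is sha1WithRsa and it also offers md5WithRsa.
SIG_ALGS = {"sha256withrsa", "sha384withrsa", "sha512withrsa",
            "sha256withecdsa", "sha384withecdsa", "sha512withecdsa"}


def build_certify_cmd(handle, csr, start, end, out, sigalg="sha256withrsa",
                      keyusage=(), extkeyusage=(), ca=False, pathlen=None,
                      slot=None):
    """Return the argv list for `cmu certify`, or raise ValueError when the
    request violates the documented constraints. Nothing is executed here."""
    fmt = "%Y%m%d"  # strptime rejects anything that is not a valid YYYYMMDD date
    if datetime.datetime.strptime(end, fmt) <= datetime.datetime.strptime(start, fmt):
        raise ValueError("endDate must be after startDate")
    if sigalg not in SIG_ALGS:
        raise ValueError(f"signature algorithm {sigalg!r} is not permitted")
    if bad := set(keyusage) - KEY_USAGE:
        raise ValueError(f"unknown keyusage values: {sorted(bad)}")
    if bad := set(extkeyusage) - EXT_KEY_USAGE:
        raise ValueError(f"unknown extendedkeyusage values: {sorted(bad)}")
    if ca and "keycertsign" not in keyusage:
        raise ValueError("a CA certificate needs keycertsign in keyusage")
    # pathlen is only meaningful on a CA certificate (X.509 semantics); the
    # tool documents an upper bound of 127.
    if pathlen is not None and not (ca and 0 <= pathlen < 127):
        raise ValueError("pathlen requires ca=True and a value in 0..126")
    argv = ["cmu", "certify", f"-handle={handle}", f"-inputfile={csr}",
            f"-startDate={start}", f"-endDate={end}", f"-outputfile={out}",
            f"-{sigalg}"]
    constraints = ["critical", "ca:true" if ca else "ca:false"]
    if pathlen is not None:
        constraints.append(f"pathlen:{pathlen}")
    argv.append("-basicconstraints=" + ",".join(constraints))
    if keyusage:
        argv.append("-keyusage=" + ",".join(keyusage))
    if extkeyusage:
        argv.append("-extendedkeyusage=" + ",".join(extkeyusage))
    if slot is not None:
        argv.append(f"-slot={slot}")
    return argv
```

Run the result with `subprocess.run(argv, check=True)`; cmu will still prompt for the slot password unless -password is appended.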