Home >

Utilities Reference Guide > Certificate Management Utility (CMU) > cmu generatekeypair

cmu generatekeypair

This function generates an asymmetric key pair on the token or HSM. An optional input filename can be used to specify a file from which mandatory and optional attributes are to be read.

For DSA key generation, the domain parameters (Prime, Subprime, and Base) are required, and must be provided either as part of the command, or as responses to interactive prompting. If one is provided at the command line, then all three must be provided in that manner. If none are provided at the command line, then all three are prompted for interactive entry.

You may not provide only one or two of the parameters at the command line. Providing just one or two domain parameters is considered an error, and the command halts with an error message.

Syntax

cmu generatekeypair <parameters>

Required Parameters

Parameter Description
-modulusBits

This mandatory parameter defines the length in bits of the modulus value for the generation of RSA key pairs. It must be set to a value between 1024 and 4096 that is a multiple of 64 bits.
If the HSM policy 12 "Allow non-FIPS algorithms" is set to "No", then RSA key size is limited to 2048 bits or 3072 bits.

-publicExponent

 This mandatory parameter defines the public exponent value to use in the generation of RSA key pairs. It must be set to a value of 3, 17 or 65537.

Optional Parameters

Parameter Description
-binary

This is an optional parameter that defines the exported certificate format to be raw binary instead of the default PEM (base64) encoding.

-inputFile  This optional parameter defines the name of a file from which to obtain additional parameter settings, one per line, of the form name=value.
-keyType

 This optional parameter defines the type of asymmetric keys to generate. This parameter is not required if the key type can be established by the presence of other parameters. (e.g. If modulusBits and/or publicExponent parameters are present, then -keyType=RSA is redundant). Currently, only RSA key pairs are supported.

-label

 This optional parameter defines a label to be applied to both of the newly generated keys. If a multiple word label is required, the label value must be enclosed within quotation marks.

-labelPublic

 This optional parameter defines a label to apply to the public key from the newly generated key pair.

-labelPrivate

 This optional parameter defines a label to apply to the private key from the newly generated key pair.

-modifiable

 This optional parameter defines the modifiable setting for each of the keys in the key pair. It must be set to True or False (or 1 or 0).

-id

 This optional parameter defines the Id field for the newly generated keys. It must be set to a big-endian hexadecimal integer value.

-startDate

 This optional parameter defines the startDate field for the newly generated keys. The format for the value is YYYYMMDD.

-endDate

 This optional parameter defines the endDate field for the newly generated keys. The format for the value is YYYYMMDD.

-subject

 This optional parameter defines the subject field for the newly generated keys. It must be set to a big-endian hexadecimal integer value. The subject field is typically set to the DER encoding of the subject distinguished name for the key.

-encrypt

 This optional parameter defines the encrypt setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the decrypt setting for the private key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if encrypt is set True, then wrap and verify need to be False.

-decrypt

 This optional parameter defines the decrypt setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the encrypt setting for the public key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if decrypt is set True, then unwrap and sign need to be False.

-sign

 This optional parameter defines the sign setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the verify setting for the public key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if sign is set True, then unwrap and decrypt need to be False.

-verify

 This optional parameter defines the verify setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the sign setting for the private key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if verify is set True, then encrypt and wrap need to be False.

-wrap

 This optional parameter defines the wrap setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the unwrap setting for the private key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if wrap is set True, then encrypt and verify need to be False.

-unwrap

 This optional parameter defines the unwrap setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the wrap setting for the public key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if unwrap is set True, then decrypt and sign need to be False.

-extractable

This optional parameter defines the extractable setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default.

-curvetype

This optional parameter defines the name of a curve type for ECDSA keys. Enter values 1-5 (1-NISTP 192 / 2-NISTP 224 / 3-NISTP 256 / 4-NISTP 384 / 5-NISTP 521).

-prime

This optional parameter defines a prime length for DSA key generation.

-subprime

This optional parameter defines a subprime bits length for DSA key generation.

-base

This optional parameter defines a base length for DSA key generation.

Example

RSA

C:\Program Files\SafeNet\LunaClient>cmu gen -modulusBits=2048 -publicExp=65537 -sign=T -verify=T 
Select token
[1] Token Label: myPartition1
[2] Token Label: myPartition1
Enter choice: 2
Please enter password for token in slot 2 : *******************
C:\Program Files\SafeNet\LunaClient>cmu list
Select token
[1] Token Label: myPartition1
[2] Token Label: myPartition1
Enter choice: 2
Please enter password for token in slot 2 : *******************
handle=14       label=NewPublicVerifyingKey
handle=15       label=NewPrivateSigningKey
C:\Program Files\SafeNet\LunaClient>

DSA - Domain Parameters at Command Line

cmu generatekeypair -keytype DSA -slot 6 -prime 0xfcec6182eb206b43c03e36c0eadabff56a0c2e79def44bc8f2e53699096d1ff270f159785d756921dbff9773ae08483b662fc07df7512ff68b2e5565fd7982e20c244832aba121cc0799cc09f2d5414d5f3966211365f51b83e9ffcccb3d88cdf238f7c2739131ca7aadff662fec1fb0e1d311a404260376fd011fe00d0204c3 -subprime 0xd3807353b51c5f71b22ac3d0c7e394148fcedc61 -base 0x42e3778e6ec31b0db07a6b370d7fb6fb4a0bca6deaac371f6adbcbeba38ddf76a47c3c3d79276a0e579ce4e347180fd9b4ad461d6cf0eac51fb08cf452f624570051e518a75a5bb9c3578a14fd4f27f795b22acea62b1fdf1032c1266da081c7fb99c4266626587093fd381617238ee1578fc325548dc1c08e5f9322c3b1205e

DSA - Domain Parameters Entered Interactively

cmu generatekeypair -keytype DSA -slot 6 
The prime, subprime and base values must be entered as a HEX byte array.
For example, to enter a 1024-bit prime value, enter a 128-byte HEX byte array using this format: 0xa0383ee692f8...
 The prime value can be a 1024-bit, 2048-bit or 3072-bit value. 
Enter a prime value: 0xfcec6182eb206b43c03e36c0eadabff56a0c2e79def44bc8f2e53699096d1ff270f159785d7 56921dbff9773ae08483b662fc07df7512ff68b2e5565fd7982e20c244832aba121cc0799cc09f2d5414d5f3966211365f 51b83e9ffcccb3d88cdf238f7c2739131ca7aadff662fec1fb0e1d311a404260376fd011fe00d0204c3
Enter a 160 bit subprime value: 0xd3807353b51c5f71b22ac3d0c7e394148fcedc61
Enter a 1024-bit base value: 0x42e3778e6ec31b0db07a6b370d7fb6fb4a0bca6deaac371f6adbcbeba38ddf76a47 c3c3d79276a0e579ce4e347180fd9b4ad461d6cf0eac51fb08cf452f624570051e518a75a5bb9c3578a14fd4f27f795b22 acea62b1fdf1032c1266da081c7fb99c4266626587093fd381617238ee1578fc325548dc1c08e5f9322c3b1205e