
cmu certify

This function creates an X.509 V3 certificate from a PKCS #10 certificate request. The parent certificate and corresponding private key must already exist on the token or HSM. The private key is located on the token using the public key info inside the parent certificate.

Syntax

cmu certify <parameters>

Mandatory Parameters

Parameter            Description
-handle=<handle#>    This is a mandatory parameter that defines the handle of the parent certificate. If this parameter is omitted and there is only one certificate on the HSM, that certificate is automatically selected. If it is omitted and there are multiple certificates on the HSM, the user is asked to select one.
-inputfile           This parameter defines the name of the file that contains the PKCS #10 certificate request.
-startDate           This parameter defines the validity start of the certificate, in the format YYYYMMDD.
-endDate             This parameter defines the validity end of the certificate, in the format YYYYMMDD.
-serialNumber        This parameter defines the serial number of the certificate, in big-endian hexadecimal form.

Optional Parameters

Parameter            Description
-keyusage            This is an optional parameter that defines the key usage extension for the certificate. It can be set to any of the following: digitalsignature, nonrepudiation, keyencipherment, dataencipherment, keyagreement, keycertsign, crlsign, encipheronly, decipheronly. This parameter may appear more than once in the parameter set to define multiple usages, or it can be used once with a comma-separated list of usage types.
-md5WithRsa          This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-MD5withRSAEncryption. The default is sha1WithRsa.
-sha1WithRsa         This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA1withRSAEncryption. The default is sha1WithRsa.
-label               This is an optional parameter that defines the label attribute for the certificate object that gets created on the HSM. If omitted, the common name of the subject DN is used instead.
-sha224withrsa       This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA224withRSAEncryption. The default is sha1WithRsa.
-sha256withrsa       This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA256withRSAEncryption. The default is sha1WithRsa.
-sha384withrsa       This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA384withRSAEncryption. The default is sha1WithRsa.
-sha512withrsa       This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA512withRSAEncryption. The default is sha1WithRsa.
-sha1withdsa         This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA1withDSAEncryption. The default is sha1WithRsa.
-sha1withecdsa       This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA1withECDSAEncryption. The default is sha1WithRsa.
-sha224withecdsa     This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA224withECDSAEncryption. The default is sha1WithRsa.
-sha256withecdsa     This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA256withECDSAEncryption. The default is sha1WithRsa.
-sha384withecdsa     This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA384withECDSAEncryption. The default is sha1WithRsa.
-sha512withecdsa     This is an optional parameter that sets the signature algorithm for the certificate to pkcs-1-SHA512withECDSAEncryption. The default is sha1WithRsa.
-id                  This optional parameter defines the CKA_ID attribute for the certificate object that gets created on the HSM. If omitted, the CKA_ID attribute of the private key is used instead.
-certificatepolicy   This optional parameter defines the certificate policy to be used.
-keyids              This optional parameter indicates whether to use a subject key identifier from the parent. Set to True or False (or 1 or 0).

Example

cmu certify -input=testCert.req -h=8

Create and sign a new certificate using certificate 8 as the parent.
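As an added example (not from the CMU documentation or the utility's own code), a POSIX shell wrapper that checks the mandatory values before they reach cmu certify and always selects -sha256withrsa instead of relying on the sha1WithRsa default. The parameter names are the ones listed on this page; the handle, request file name, dates and serial number in the test call are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the CMU documentation: validate inputs and build a
# `cmu certify` command line. Parameter names come from the reference above.

# Return 0 if $1 has the YYYYMMDD shape the -startDate/-endDate parameters expect.
valid_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is plain big-endian hex (no 0x prefix) of whole bytes, the
# form the -serialNumber parameter takes.
valid_serial() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# build_certify_cmd HANDLE REQFILE START END SERIAL [KEYUSAGE ...]
# Prints the command line on success and returns 1 on any rejected value.
# -sha256withrsa is added explicitly so the issued certificate never falls
# back to the utility's sha1WithRsa default.
build_certify_cmd() {
    handle=$1; req=$2; start=$3; end=$4; serial=$5; shift 5
    valid_date "$start" || { echo "bad startDate: $start" >&2; return 1; }
    valid_date "$end"   || { echo "bad endDate: $end" >&2; return 1; }
    [ "$start" -lt "$end" ] || { echo "startDate must precede endDate" >&2; return 1; }
    valid_serial "$serial" || { echo "bad serialNumber: $serial" >&2; return 1; }
    cmd="cmu certify -handle=$handle -inputfile=$req -startDate=$start -endDate=$end -serialNumber=$serial -sha256withrsa"
    # Each key usage is passed as its own -keyusage parameter, which the
    # reference permits (repeated parameters or one comma-separated list).
    for usage in "$@"; do
        cmd="$cmd -keyusage=$usage"
    done
    printf '%s\n' "$cmd"
}
```

Run the printed command on the HSM host once the values pass; the wrapper only assembles it and does not execute cmu itself.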