This function generates an asymmetric key pair on the token or HSM. An optional input file (see -inputFile) can supply mandatory and optional attributes instead of listing them all on the command line.
For DSA key generation the domain parameters (prime, subprime and base) are required. Either supply all three on the command line, or supply none of them and enter all three at the interactive prompts. Supplying only one or two of the parameters is an error, and the command halts with an error message.
cmu generatekeypair <parameters>
Parameter | Description |
---|---|
-modulusBits |
This mandatory parameter defines the length in bits of the modulus for the generation of RSA key pairs. It must be set to a value between 1024 and 4096 that is a multiple of 64. |
-publicExponent |
This mandatory parameter defines the public exponent value to use in the generation of RSA key pairs. It must be set to a value of 3, 17 or 65537. |
Parameter | Description |
---|---|
-binary |
This is an optional parameter that defines the exported certificate format to be raw binary instead of the default PEM (base64) encoding. |
-inputFile | This optional parameter defines the name of a file from which to obtain additional parameter settings, one per line, of the form name=value. |
-keyType |
This optional parameter defines the type of asymmetric key pair to generate (RSA, DSA or ECDSA). It is not required when the key type can be established from the other parameters; for example, if -modulusBits and/or -publicExponent are present, -keyType=RSA is redundant. |
-label |
This optional parameter defines a label to be applied to both of the newly generated keys. If a multiple word label is required, the label value must be enclosed within quotation marks. |
-labelPublic |
This optional parameter defines a label to apply to the public key from the newly generated key pair. |
-labelPrivate |
This optional parameter defines a label to apply to the private key from the newly generated key pair. |
-modifiable |
This optional parameter defines the modifiable setting for each of the keys in the key pair. It must be set to True or False (or 1 or 0). |
-id |
This optional parameter defines the Id field for the newly generated keys. It must be set to a big-endian hexadecimal integer value. |
-startDate |
This optional parameter defines the startDate field for the newly generated keys. The format for the value is YYYYMMDD. |
-endDate |
This optional parameter defines the endDate field for the newly generated keys. The format for the value is YYYYMMDD. |
-subject |
This optional parameter defines the subject field for the newly generated keys. It must be set to a big-endian hexadecimal integer value. The subject field is typically set to the DER encoding of the subject distinguished name for the key. |
-encrypt |
This optional parameter defines the encrypt setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the decrypt setting for the private key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if encrypt is set True, then wrap and verify need to be False. |
-decrypt |
This optional parameter defines the decrypt setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the encrypt setting for the public key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if decrypt is set True, then unwrap and sign need to be False. |
-sign |
This optional parameter defines the sign setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the verify setting for the public key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if sign is set True, then unwrap and decrypt need to be False. |
-verify |
This optional parameter defines the verify setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the sign setting for the private key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if verify is set True, then encrypt and wrap need to be False. |
-wrap |
This optional parameter defines the wrap setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the unwrap setting for the private key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if wrap is set True, then encrypt and verify need to be False. |
-unwrap |
This optional parameter defines the unwrap setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the wrap setting for the public key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if unwrap is set True, then decrypt and sign need to be False. |
-extractable |
This optional parameter defines the extractable setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. |
-curvetype |
This optional parameter selects the curve for ECDSA keys by number: 1 = NIST P-192, 2 = NIST P-224, 3 = NIST P-256, 4 = NIST P-384, 5 = NIST P-521. |
-prime |
This optional parameter supplies the DSA prime (p) as a hexadecimal byte array, for example 0xa0383ee692f8... with 128 bytes for a 1024-bit prime. The prime may be 1024, 2048 or 3072 bits long. If it is given, -subprime and -base must be given as well. |
-subprime |
This optional parameter supplies the DSA subprime (q) as a hexadecimal byte array (160 bits for a 1024-bit prime). If it is given, -prime and -base must be given as well. |
-base |
This optional parameter supplies the DSA base (g) as a hexadecimal byte array of the same length as the prime. If it is given, -prime and -subprime must be given as well. |
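The rules in the table above (paired usage flags, one function per key under a single-function policy, the RSA modulus and exponent limits, all-or-none DSA domain parameters, hexadecimal ids and YYYYMMDD dates) are easy to get wrong in a long command line or input file, and the HSM only reports the mistake after the attempt. The validator below is an added example written for this page, not part of the Luna client tools. It assumes the -inputFile format described above (one name=value per line, names matching the command-line parameters without the leading dash); the two sample files in it are constructed for illustration.

```python
"""Pre-flight check of cmu generatekeypair attributes (added example, not Luna code)."""
import re
from datetime import datetime

# Usage flags the page says must be enabled together (public-key op <-> private-key op).
PAIRS = (("encrypt", "decrypt"), ("sign", "verify"), ("wrap", "unwrap"))
# Under a "no key has multiple functions" policy, at most one role per key.
PUBLIC_ROLES = ("encrypt", "verify", "wrap")
PRIVATE_ROLES = ("decrypt", "sign", "unwrap")
DSA_PARAMS = ("prime", "subprime", "base")
RSA_EXPONENTS = {3, 17, 65537}
HEX_INT = re.compile(r"^(0x)?[0-9a-fA-F]+$")        # -id, -subject
HEX_BYTES = re.compile(r"^0x(?:[0-9a-fA-F]{2})+$")  # DSA prime/subprime/base


def parse_attribute_file(text):
    """Parse name=value lines (assumed -inputFile format) into a dict keyed by lower-cased name."""
    attrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected name=value, got {raw!r}")
        name, value = line.split("=", 1)
        attrs[name.strip().lower()] = value.strip()
    return attrs


def as_bool(value):
    """True/False, T/F or 1/0 as documented on the page; None if unrecognised."""
    v = value.lower()
    return True if v in ("true", "t", "1") else False if v in ("false", "f", "0") else None


def infer_key_type(attrs):
    """Key type implied by the parameters present: RSA, DSA, ECDSA or None."""
    if "modulusbits" in attrs or "publicexponent" in attrs:
        return "RSA"
    if "curvetype" in attrs:
        return "ECDSA"
    if any(p in attrs for p in DSA_PARAMS):
        return "DSA"
    return None


def validate(attrs):
    """Return a list of problems; an empty list means the attributes are acceptable."""
    problems, flags = [], {}
    for name in PUBLIC_ROLES + PRIVATE_ROLES + ("modifiable", "extractable"):
        b = as_bool(attrs[name]) if name in attrs else False  # False is the documented default
        if b is None:
            problems.append(f"{name}: expected True/False or 1/0, got {attrs[name]!r}")
        flags[name] = bool(b)
    for a, b in PAIRS:
        if flags[a] != flags[b]:
            problems.append(f"{a} and {b} must be set together (got {a}={flags[a]}, {b}={flags[b]})")
    for roles, which in ((PUBLIC_ROLES, "public"), (PRIVATE_ROLES, "private")):
        enabled = [r for r in roles if flags[r]]
        if len(enabled) > 1:
            problems.append(f"{which} key would have multiple functions: {', '.join(enabled)}")

    declared = attrs.get("keytype", "").upper() or None
    inferred = infer_key_type(attrs)
    if declared and inferred and declared != inferred:
        problems.append(f"keyType={declared} but the other parameters imply {inferred}")
    ktype = declared or inferred
    if ktype == "RSA":
        bits = attrs.get("modulusbits")
        if bits is None:
            problems.append("modulusBits is mandatory for RSA key pairs")
        elif not (bits.isdigit() and 1024 <= int(bits) <= 4096 and int(bits) % 64 == 0):
            problems.append(f"modulusBits must be 1024..4096 and a multiple of 64, got {bits!r}")
        exp = attrs.get("publicexponent")
        if exp is None:
            problems.append("publicExponent is mandatory for RSA key pairs")
        elif not (exp.isdigit() and int(exp) in RSA_EXPONENTS):
            problems.append(f"publicExponent must be 3, 17 or 65537, got {exp!r}")
    elif ktype == "DSA":
        given = [p for p in DSA_PARAMS if p in attrs]
        if given and len(given) != len(DSA_PARAMS):
            problems.append("DSA needs all of prime, subprime and base, or none of them "
                            f"(then cmu prompts for all three); got only {', '.join(given)}")
        for p in given:
            if not HEX_BYTES.match(attrs[p]):
                problems.append(f"{p} must be a hex byte array such as 0xa0383ee6..., got {attrs[p]!r}")
    elif ktype == "ECDSA" and attrs.get("curvetype") not in {"1", "2", "3", "4", "5"}:
        problems.append(f"curvetype must be 1-5, got {attrs.get('curvetype')!r}")

    for name in ("id", "subject"):
        if name in attrs and not HEX_INT.match(attrs[name]):
            problems.append(f"{name} must be a hexadecimal value, got {attrs[name]!r}")
    for name in ("startdate", "enddate"):
        if name in attrs:
            try:
                datetime.strptime(attrs[name], "%Y%m%d")
            except ValueError:
                problems.append(f"{name} must be YYYYMMDD, got {attrs[name]!r}")
    return problems


# Constructed sample files for illustration (not taken from the page).
GOOD_RSA = """keyType=RSA
modulusBits=2048
publicExponent=65537
label=example signing key
sign=True
verify=True
extractable=False
startDate=20240101
endDate=20261231
"""
BAD_RSA = """modulusBits=2000
publicExponent=65537
sign=T
encrypt=1
decrypt=1
id=0xZZ
"""

if __name__ == "__main__":
    for title, text in (("good", GOOD_RSA), ("bad", BAD_RSA)):
        print(title, validate(parse_attribute_file(text)) or "OK")
```

Run it against the file you intend to pass with -inputFile before touching the partition; the bad sample trips four of the rules at once (modulus not a multiple of 64, sign without verify, a private key with both sign and decrypt, and a non-hexadecimal id).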
Example: generate a 2048-bit RSA signing key pair (sign on the private key, verify on the public key) and then list the objects on the partition. As the session shows, cmu accepts abbreviated command and parameter names (gen, -publicExp):
C:\Program Files\SafeNet\LunaClient>cmu gen -modulusBits=2048 -publicExp=65537 -sign=T -verify=T
Select token
[1] Token Label: myPartition1
[2] Token Label: myPartition1
Enter choice: 2
Please enter password for token in slot 2 : *******************
C:\Program Files\SafeNet\LunaClient>cmu list
Select token
[1] Token Label: myPartition1
[2] Token Label: myPartition1
Enter choice: 2
Please enter password for token in slot 2 : *******************
handle=14 label=NewPublicVerifyingKey
handle=15 label=NewPrivateSigningKey
C:\Program Files\SafeNet\LunaClient>
Example: generate a DSA key pair with all three domain parameters supplied on the command line (the values are truncated here):
cmu generatekeypair -keytype DSA -slot 6 -prime 0xfcec6182eb2<...too long to reproduce...>fe00d0204c3 -subprime 0xd3807350xd3807<...long string...>cedc61 -base 0x42e37<...too long to reproduce...>22c3b1205e
Example: the same command without domain parameters; cmu then prompts for all three:
cmu generatekeypair -keytype DSA -slot 6
The prime, subprime and base values must be entered as a HEX byte array.
For example, to enter a 1024-bit prime value, enter a 128-byte HEX byte array using this format: 0xa0383ee692f8...
The prime value can be a 1024-bit, 2048-bit or 3072-bit value.
Enter a prime value: 0xfcec6182eb2<...too long to reproduce...>fe00d0204c3
Enter a 160 bit subprime value: 0xd3807<...long string...>cedc61
Enter a 1024-bit base value: 0x42e37<...too long to reproduce...>22c3b1205e
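Before typing domain parameters at these prompts it is worth confirming that p and q are prime, that q divides p-1 and that g has order q, and then encoding each value as a fixed-width byte array of the size the prompt asks for (128 bytes for a 1024-bit prime, 20 bytes for a 160-bit subprime). The helper below is an added example written for this page, not part of the Luna client tools. generate_dsa_params is a plain random search rather than the seeded, verifiable procedure of FIPS 186; the subprime width used when the prime is not 1024 bits, and the command line assembled by cmu_dsa_arguments, are assumptions based on the examples above.

```python
"""Check DSA domain parameters and format them for cmu (added example, not Luna code)."""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dsa_params(p, q, g, p_bits_allowed=(1024, 2048, 3072)):
    """Return a list of problems with (p, q, g); an empty list means the set is usable.

    p_bits_allowed mirrors the prime sizes the cmu prompt lists; pass None to check
    only the arithmetic (for example with toy numbers)."""
    problems = []
    if p_bits_allowed and p.bit_length() not in p_bits_allowed:
        problems.append(f"prime has {p.bit_length()} bits, expected one of {p_bits_allowed}")
    if p.bit_length() == 1024 and q.bit_length() != 160:
        problems.append(f"subprime has {q.bit_length()} bits, expected 160 for a 1024-bit prime")
    if not is_probable_prime(p):
        problems.append("prime p is not prime")
    if not is_probable_prime(q):
        problems.append("subprime q is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p - 1:
        problems.append("base g must satisfy 1 < g < p-1")
    elif pow(g, q, p) != 1:
        problems.append("base g does not have order q (g^q mod p != 1)")
    return problems


def to_cmu_hex(value, bits):
    """Fixed-width big-endian hex byte array: a 1024-bit value becomes 0x plus 128 bytes."""
    return "0x" + value.to_bytes((bits + 7) // 8, "big").hex()


def cmu_dsa_arguments(p, q, g, slot):
    """Assemble the command-line form shown on this page (argument layout is an assumption)."""
    problems = check_dsa_params(p, q, g)
    if problems:
        raise ValueError("; ".join(problems))
    p_bits = p.bit_length()
    q_bits = 160 if p_bits == 1024 else q.bit_length()  # width for 2048/3072 is an assumption
    return (f"cmu generatekeypair -keytype DSA -slot {slot} -prime {to_cmu_hex(p, p_bits)} "
            f"-subprime {to_cmu_hex(q, q_bits)} -base {to_cmu_hex(g, p_bits)}")


def generate_dsa_params(p_bits=1024, q_bits=160):
    """Plain random search for a prime q, a prime p with q | p-1, and g of order q.

    Illustrative only: not the seeded, verifiable generation of FIPS 186."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1  # k even keeps p odd
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, (p - 1) // q, p)
        if g > 1:
            return p, q, g


if __name__ == "__main__":
    p, q, g = generate_dsa_params()
    print(cmu_dsa_arguments(p, q, g, slot=6))
```

The same checks apply to parameters you obtained elsewhere (for example from an existing key or a parameter file): call check_dsa_params on the integers first, and only then paste the to_cmu_hex output at the prompts.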