cmu importkey

This function unwraps an RSA, DSA, or ECDSA private key onto the selected token or HSM. The key file may be in any of the following formats:

PKCS #12 (PFX): RSA in DER-encoded format (.pfx file)

PKCS #8 (unencrypted PrivateKeyInfo): RSA or DSA in base64 PEM or binary DER format

PKCS #1: RSA in base64 PEM or binary DER format

Syntax

cmu importkey <parameters>

Required Parameters

Parameter Description
-in (Filename)

This parameter defines the full path to the file containing the key to import.

-keyalg (DSA|RSA|ECDSA)

Specifies the key's algorithm.

Optional Parameters

Parameter Description
-PKCS8

Indicates that the key to import is formatted according to the PKCS#8 standard.

-PKCS12

Indicates that the key to import is formatted according to the PKCS#12 standard. *Note that only the private key portion is unwrapped onto the token. Any certificates in this file are simply ignored.
This assumes that the PKCS #12 key was properly exported from the Windows keystore (or other source, as appropriate).

-wrapkey (handle)

The handle of the existing key that is to be used as the wrapping key. *Note that this key must have the CKA_WRAP attribute set to true. If this flag is not specified the default behaviour is to autogenerate a 3DES key for the sole purpose of unwrapping the key onto the HSM.

-setkeyattr

Allows the user to manually enter the imported key’s attributes. Modifiable key attributes are CKA_DECRYPT, CKA_SIGN, CKA_EXTRACTABLE, and CKA_UNWRAP. The defaults are always 1=true.

Example

cmu importkey -in rawrsa1028.pem -keyalg RSA -wrapkey 11 -setkeyattr

cmu importkey -PKCS8 -in pk8privkey.pem -keyalg DSA

cmu importkey -in rsakey.pem -keyalg RSA -wrapkey 11

cmu importkey -in rsakey.pem -keyalg RSA

cmu importkey -PKCS12 -in p12.pfx -keyalg RSA

Notes

1. Ideally the private key should be in PKCS#8 format (PrivateKeyInfo) and not encrypted.
To convert a private key of either RSA or DSA type (see PKCS#1 for RSA and PKCS#11 (11.9) for DSA) into a PKCS#8 structure, use the following openssl command:
openssl pkcs8 -in key.pem -topk8 -nocrypt -out noenckey.pem

2. In the command option, "PKCS" must be in all uppercase letters, as in "cmu importkey -PKCS8" or "cmu importkey -PKCS12".

3. If the PKCS#8 structure is already encrypted according to the PKCS#5 PBE standard, decrypt it before importing via CMU, using the following command:
openssl pkcs8 -in pk8.pem -out key.pem
*You will be prompted for the password to decrypt the PrivateKeyInfo.

4. You can export the PrivateKeyInfo contents of a .pfx file by using the following openssl command:
openssl pkcs12 -in p12.pfx -out pk12_privkey.pem -nocerts -nodes
*You will be prompted for the password to decrypt the PrivateKeyInfo.
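
The following pre-flight check is an added example, not part of the vendor documentation or the CMU tool: it reads the PEM armor line of a key file and prints which command from the Notes above applies. The function names classify_key and next_step and their labels are hypothetical; the sample files are constructed and contain no key material.

```shell
# Added example: pre-flight check before "cmu importkey".
# The labels printed by classify_key are this example's own names.

classify_key() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "pkcs8-encrypted"            # PKCS#5 PBE, see Note 3
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$f"; then
        echo "pkcs8-plain"                # unencrypted PrivateKeyInfo
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo "pkcs1-encrypted"        # passphrase-protected PEM
        else
            echo "pkcs1-plain"
        fi
    elif grep -q -e '-----BEGIN DSA PRIVATE KEY-----' "$f"; then
        echo "dsa-traditional"
    else
        echo "not-pem"                    # DER, .pfx, or something else
    fi
}

# Print the command from this page that applies to the file.
next_step() {
    f=$1; alg=$2
    case $(classify_key "$f") in
        pkcs8-plain)     echo "cmu importkey -PKCS8 -in $f -keyalg $alg" ;;
        pkcs1-plain)     echo "cmu importkey -in $f -keyalg RSA" ;;
        pkcs8-encrypted) echo "openssl pkcs8 -in $f -out key.pem" ;;
        pkcs1-encrypted|dsa-traditional)
                         echo "openssl pkcs8 -in $f -topk8 -nocrypt -out noenckey.pem" ;;
        unreadable)      echo "cannot read $f"; return 1 ;;
        *)               echo "not PEM: check for DER or PKCS#12 (.pfx) input" ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed samples: PEM armor lines only, no key material.
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$d/pk8privkey.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$d/pk8.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$d/rsakey.pem"
    for k in pk8privkey.pem pk8.pem rsakey.pem; do
        (cd "$d" && printf '%-15s %s\n' "$k" "$(next_step "$k" RSA)")
    done
    rm -rf "$d"
}
demo
```

Run the openssl conversion steps under umask 077 and remove the intermediate file after the import, since the output is an unencrypted private key on disk.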