cmu certify
This function creates an X.509 V3 certificate from a PKCS #10 certificate request. The parent certificate and corresponding private key must already exist on the token or HSM. The private key is located on the token using the public key info inside the parent certificate.
Syntax
cmu certify <parameters>
Mandatory Parameters
Parameter | Description |
---|---|
-handle=<handle#> | This is a mandatory parameter that defines the handle of the parent certificate. If this parameter is omitted and there is only one certificate on the HSM, that certificate is automatically selected. If this parameter is omitted and there are multiple certificates on the HSM, the user is asked to select the certificate. |
-inputfile | This parameter defines the name of the file that contains the PKCS #10 certificate request. |
-startDate | This parameter defines the validity start of the certificate, in the format YYYYMMDD. |
-endDate | This parameter defines the validity end of the certificate, in the format YYYYMMDD. |
-serialNumber | This parameter defines the serial number of the certificate, in big-endian hexadecimal form. |
Optional Parameters
Parameter | Description |
---|---|
-keyusage | This is an optional parameter that defines the key usage extension for the certificate. It can be set to any of the following: digitalsignature, nonrepudiation, keyencipherment, dataencipherment, keyagreement, keycertsign, crlsign, encipheronly, decipheronly. This parameter may appear more than once in the parameter set to define multiple usages, or it can be used once with a comma-separated list of usage types. |
-md5WithRsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-MD5withRSAEncryption. The default is to use sha1WithRsa. |
-sha1WithRsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA1withRSAEncryption. The default is to use sha1WithRsa. |
-label | This is an optional parameter that defines the label attribute for the certificate object that gets created on the HSM. If omitted, the common name of the subject DN is used instead. |
-sha224withrsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA224withRSAEncryption. The default is to use sha1WithRsa. |
-sha256withrsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA256withRSAEncryption. The default is to use sha1WithRsa. |
-sha384withrsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA384withRSAEncryption. The default is to use sha1WithRsa. |
-sha512withrsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA512withRSAEncryption. The default is to use sha1WithRsa. |
-sha1withdsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA1withDSAEncryption. The default is to use sha1WithRsa. |
-sha1withecdsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA1withECDSAEncryption. The default is to use sha1WithRsa. |
-sha224withecdsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA224withECDSAEncryption. The default is to use sha1WithRsa. |
-sha256withecdsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA256withECDSAEncryption. The default is to use sha1WithRsa. |
-sha384withecdsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA384withECDSAEncryption. The default is to use sha1WithRsa. |
-sha512withecdsa | This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA512withECDSAEncryption. The default is to use sha1WithRsa. |
-id | This optional parameter defines the CKA_ID attribute for the certificate object that gets created on the HSM. If omitted, the CKA_ID attribute of the private key is used instead. |
-certificatepolicy | This optional parameter defines the certificate policy to be used. |
-keyids | This optional parameter indicates whether to use the subject key identifier from the parent. Set to True or False (or 1 or 0). |
Example
cmu certify -input=testCert.req -h=8
Create and sign a new certificate using certificate 8 as the parent.
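As an added illustration (not part of the cmu documentation or the tool itself), the helper below checks the parameter formats this page specifies (YYYYMMDD dates, a big-endian hexadecimal serial, the listed key-usage names and signature-algorithm flags) before assembling the `cmu certify` command line, and passes an explicit signature algorithm because the tool's default is sha1WithRsa. The function and constant names are the example's own; the handle, file name and serial used at the bottom are constructed sample values.

```python
"""Build a validated `cmu certify` command line (example helper, not part of cmu)."""
import datetime
import re
import shlex

# Key-usage names accepted by -keyusage, as listed in the reference above.
KEY_USAGES = {
    "digitalsignature", "nonrepudiation", "keyencipherment", "dataencipherment",
    "keyagreement", "keycertsign", "crlsign", "encipheronly", "decipheronly",
}
# Signature-algorithm flags listed in the reference (the tool defaults to sha1WithRsa).
SIG_ALGS = {
    "md5WithRsa", "sha1WithRsa", "sha224withrsa", "sha256withrsa",
    "sha384withrsa", "sha512withrsa", "sha1withdsa", "sha1withecdsa",
    "sha224withecdsa", "sha256withecdsa", "sha384withecdsa", "sha512withecdsa",
}


def _check_date(value, name):
    """-startDate/-endDate must be a real calendar date written as YYYYMMDD."""
    try:
        return datetime.datetime.strptime(value, "%Y%m%d").date()
    except ValueError:
        raise ValueError(f"{name} must be YYYYMMDD, got {value!r}") from None


def build_certify_args(handle, inputfile, start, end, serial,
                       keyusage=(), sigalg="sha256withrsa", label=None):
    """Return the argv list for `cmu certify`, or raise ValueError on a bad parameter."""
    if not isinstance(handle, int) or handle <= 0:
        raise ValueError("handle must be a positive object handle")
    start_d, end_d = _check_date(start, "-startDate"), _check_date(end, "-endDate")
    if end_d <= start_d:
        raise ValueError("-endDate must be after -startDate")
    # The serial is big-endian hex; reject non-hex text and an all-zero value.
    if not re.fullmatch(r"[0-9A-Fa-f]+", serial) or int(serial, 16) == 0:
        raise ValueError(f"serial must be non-zero hexadecimal, got {serial!r}")
    bad = sorted(set(u.lower() for u in keyusage) - KEY_USAGES)
    if bad:
        raise ValueError(f"unknown -keyusage value(s): {bad}")
    if sigalg not in SIG_ALGS:
        raise ValueError(f"unknown signature algorithm flag: {sigalg!r}")
    args = ["cmu", "certify", f"-handle={handle}", f"-inputfile={inputfile}",
            f"-startDate={start}", f"-endDate={end}", f"-serialNumber={serial}",
            f"-{sigalg}"]
    if keyusage:  # one -keyusage flag with a comma-separated list, as the reference allows
        args.append("-keyusage=" + ",".join(u.lower() for u in keyusage))
    if label:
        args.append(f"-label={label}")
    return args


if __name__ == "__main__":  # constructed sample values, not real HSM objects
    print(shlex.join(build_certify_args(8, "testCert.req", "20240101", "20250101",
                                        "0A1B2C", keyusage=["digitalSignature"])))
```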