cmu certify
This function creates an X.509 V3 certificate from a PKCS #10 certificate request. The parent certificate and corresponding private key must already exist on the token or HSM. The private key is located on the token using the public key information inside the parent certificate.
Syntax
cmu certify -handle=<handle#> -inputfile=<filename> -startDate=<YYYYMMDD> -endDate=<YYYYMMDD> [-label=<label>] [-id=<CKA_ID>] [-certificatepolicy=<policy>] [-keyids=<value>] [-binary] [-keyusage=<extension(s)>] [-md5WithRsa] [-sha1WithRsa] [-sha224withrsa] [-sha256withrsa] [-sha384withrsa] [-sha512withrsa] [-sha1withdsa] [-sha1withecdsa] [-sha224withecdsa] [-sha256withecdsa] [-sha384withecdsa] [-sha512withecdsa] [-basicconstraints=<constraints>] [-certdelete=<handle#>] [-outputfile=<filename>] [-parentlabel=<label>] [-password=<password>] [-slot=<slot#>]
| Argument(s) | Description |
|---|---|
| -basicconstraints= <critical,optional,ca:true,ca:false,pathlen:[value < 127] > |
Defines constraints applied to the certificate. Can include one or more in a comma-delimited list. |
| -binary |
Defines the created certificate format to be raw binary instead of the default PEM (base64) encoding. |
| -certdelete=<handle#> | Specifies that the identified certificate (handle#) is to be deleted upon command completion (equivalent to running the cmu delete command separately). |
| -certificatepolicy=<policy> | Defines the certificate policy to be used. |
| -endDate=<YYYYMMDD> | Defines the validity end of the certificate, in the format YYYYMMDD. |
| -extendedkeyusage= <critical,optional,clientauth,serverauth,codesigning, emailprotection,timestamping,ocspsigningD> |
Defines the permitted additional usage of the key. Can include one or more in a comma-delimited list. |
| -handle=<handle#> | Defines the handle to parent certificate. If this parameter is omitted and there is only one certificate on the HSM, that certificate is automatically selected. If this parameter is omitted and there are multiple certificates on the HSM, the user is prompted to select the certificate. |
| -id=<CKA_ID> | Defines the CKA_ID attribute for the certificate object that gets created on the HSM. If omitted, the CKA_ID attribute of the private key is used instead. |
| -inputfile=<filename> |
Defines the name of the file that contains the PKCS #10 certificate request. |
| -keyids=<value> |
Indicates to use a subject key identifier from the parent. Valid values: 1,0 (True or False) |
| -keyusage=<extension(s)> |
Defines the key usage extension for the certificate. This parameter may appear more than once in the parameter set, to define multiple usages, or it can be used once with a comma-separated list of usage types. Valid values: digitalsignature,nonrepudiation,keyencipherment,dataencipherment,keyagreement,keycertsign,crlsign,encipheronly,decipheronly |
| -label=<label> |
Defines the label attribute for the certificate object that gets created on the HSM. If omitted, the common name of the subject DN is used instead. |
| -md5WithRsa | Defines the signature algorithm for the certificate to be pkcs-1-MD5withRSAEncryption. The default is to use sha1WithRsa. |
| -outputfile=<filename> |
Defines the filename for the certificate to be created. |
| -parentlabel=<label> |
Specifies the label attribute for the certificate or key object that is to be used as the parent for the new certificate. |
| -private==<T> or <F> |
Defines whether a certificate is created in the private space (default is -private=T). Set -private=F to make the created certificate publicly accessible for applications that need to acquire the certificate without need for authentication. |
| -serialNumber=<hex_SN> |
Defines the serial number of the certificate, in big-endian hexadecimal form. |
| -sha1withdsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA1withDSAEncryption. The default is to use sha1WithRsa. |
| -sha1withecdsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA1withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha1WithRsa | Defines the signature algorithm for the certificate to be pkcs-1-SHA1withRSAEncryption. The default is to use sha1WithRsa. |
| -sha224withecdsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA224withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha224withrsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA224withRSAEncryption. The default is to use sha1WithRsa. |
| -sha256withecdsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA256withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha256withrsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA256withRSAEncryption. The default is to use sha1WithRsa. |
| -sha384withecdsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA384withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha384withrsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA384withRSAEncryption. The default is to use sha1WithRsa. |
| -sha512withecdsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA512withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha512withrsa |
Defines the signature algorithm for the certificate to be pkcs-1-SHA512withRSAEncryption. The default is to use sha1WithRsa. |
| -startDate=<YYYYMMDD> | Defines the validity start of the certificate, in the format YYYYMMDD. |
| Common | |
| -password=<password> | The password for the role accessing the current slot, with the current command. If this is not specified, it is prompted. |
| -slot=<slote#> | The slot to be acted upon, by the current command. If this is not specified, it is prompted. |
Example
cmu certify -input=testCert.req -h=8
Create and sign a new certificate using certificate 8 as the parent.
