cmu selfsigncertificate
This function creates a self-signed X.509 certificate for an RSA, DSA, or ECDSA key pair on the token or HSM. It must be provided with the handles to both the public key and the corresponding private key (all of the public key components are contained within the private key). The private key must have Signing capability since it is used to sign the certificate request structure. The signature is done with any of the mechanisms listed below. The subject name is defined by a series of optional RDN components.
If none of these components are provided on the command line, the CKA_SUBJECT of the private key is used as the subject of the certificate. If the private key does not have its CKA_SUBJECT attribute set, the user will be queried for each of the RDN components. The Subject DN should contain at least the country, organization and common name components.
The certificate will, by default, have a keyUsage setting of keycertsign. The certificate is stored as a PKCS #11 certificate object on the token. The CKA_ID attribute of the certificate is defined by an optional parameter. If this parameter is omitted, the CKA_ID of the private key is used.
Syntax
cmu selfSignCertificate -publichandle=<pubkeyhandle#> -privatehandle=<privkeyhandle#> -private==<T> or <F> -serialNumber=<SN> -startDate=<YYYYMMDD> -endDate=<YYYYMMDD> [-label=<label>] [-id=<CKA_ID>] [-keyusage=<type(s)>] [-md5WithRsa] [-sha1WithRsa] [-sha224withrsa] [-sha256withrsa] [-sha384withrsa] [-sha512withrsa] [-C=<country>] [-S=<state>] [-L=<locality>] [-O=<organization>] [-OU=<org_unit>] [-CN=<common_name>] [-password=<password>] [-slot=<slot#>]
| Argument(s) | Description |
|---|---|
| -basicconstraints= <critical,optional,ca:true,ca:false,pathlen:[value < 127] > |
Defines constraints applied to the certificate. Can include one or more in a comma-delimited list. |
| -C <country> | Defines the two-letter country name for the subject distinguished name (DN) and issuer Distinguished Name of the certificate. This parameter should be present in each DN. |
| -CN <common_name> | Defines the common name for the subject DN and issuer DN of the certificate. This parameter SHOULD be present in each DN. |
| -endDate <YYYYMMDD> | Defines the validity end of the certificate, in the format YYYYMMDD. |
| -extendedkeyusage= <critical,optional,clientauth,serverauth,codesigning, emailprotection,timestamping,ocspsigningD> |
Defines the permitted additional usage of the key. Can include one or more in a comma-delimited list. |
| -id <CKA_ID> | Defines the CKA_ID attribute for the certificate object that gets created on the HSM. If omitted, the CKA_ID attribute of the private key is used instead. |
| -keyusage <type(s)> |
Defines the key usage extension for the certificate. This parameter may be included more than once to define multiple usages, or it can be used once with a comma-separated list of usage types. If no key usage is specified, a default setting of keycertsign is used. Valid values: digitalsignature,nonrepudiation,keyencipherment,dataencipherment,keyagreement,keycertsign,crlsign,encipheronly,decipheronly. |
| -L <locality> | Defines the locality (typically the city) for the subject DN and issuer DN of the certificate. This parameter MAY be present in each DN. |
| -label <label> | Defines the CKA_LABEL attribute for the certificate object that gets created on the HSM. If omitted, the common name of the issuer and subject DN is used instead. |
| -md5WithRsa | Defines the signature algorithm for the certificate request to be pkcs-1-MD5withRSAEncryption. The default is to use sha1WithRsa. |
| -multiorg | |
| -o= <organization> | Defines the organization name for the subject DN and issuer DN of the certificate. This parameter SHOULD be present in each DN. |
| -ou= <org_unit> | Defines the organization unit name for the subject DN and issuer DN of the certificate. This parameter MAY be present in each DN. |
| -private==<T> or <F> |
Defines whether a certificate is created in the private space (default is -private=T). Set -private=F to make the created certificate publicly accessible for applications that need to acquire the certificate without need for authentication. |
| -privatehandle=<privkeyhandle#> | Defines the handle to the private key from an RSA key pair to be certified. If this parameter is omitted and there is only one private signing key on the HSM, that key is automatically selected. If this parameter is omitted and there are multiple private signing keys on the HSM, the user is asked to select the private signing key. |
| -publichandle=<pubkeyhandle#> | Defines the handle to the public key from an RSA key pair to be certified. If this parameter is omitted and there is only one public signing key on the HSM, that key is automatically selected. If this parameter is omitted and there are multiple public signing keys on the HSM, the user is asked to select the public signing key. |
| -S <state> | Defines the state or province name for the subject DN and issuer DN of the certificate. This parameter may be present in each DN. |
| -serialNumber <SN> | Defines the serial number of the certificate, in big-endian hexadecimal form. |
| -sha1withdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha1withDSAEncryption. The default is to use sha1WithRsa. |
| -sha1withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha1withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha1WithRsa | Defines the signature algorithm for the certificate request to be pkcs-1-SHA1withRSAEncryption. The default is to use sha1WithRsa. |
| -sha224withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha224withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha224withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha224withRSAEncryption. The default is to use sha1WithRsa. |
| -sha256withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha256withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha256withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha256withRSAEncryption. The default is to use sha1WithRsa. |
| -sha384withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha384withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha384withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha384withRSAEncryption. The default is to use sha1WithRsa. |
| -sha512withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha512withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha512withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha512withRSAEncryption. The default is to use sha1WithRsa. |
| -startDate <YYYYMMDD> | Defines the validity start of the certificate, in the format YYYYMMDD. |
| Common | |
| -password=<password> | The password for the role accessing the current slot, with the current command. If this is not specified, it is prompted. |
| -slot=<slote#> | The slot to be acted upon, by the current command. If this is not specified, it is prompted. |
Example
The following example creates a self-signed certificate for RSA key 4:
cmu selfSign -publichandle=4 –privatehandle=5 -C=CA -O=Rainbow-Chrysalis -CN="Test Root Certificate" -startDate=20120101 -endDate=20151231 -serialNum=0133337f
