cmu certify

This function creates an X.509 V3 certificate from a PKCS #10 certificate request. The parent certificate and corresponding private key must already exist on the token or HSM. The private key is located on the token using the public key information inside the parent certificate.

NOTE   This command requires DER encoding for certificate requests generated outside of cmu. Both DER and PEM encoding are acceptable for certificate requests generated through cmu requestcertificate.

Syntax

cmu certify {-handle=<handle#> | -ouid=<OUID#>} -inputfile=<filename> -startDate=<YYYYMMDD> -endDate=<YYYYMMDD> [-label=<label>] [-id=<CKA_ID>] [-certificatepolicy=<policy>] [-private=<T/F>] [-keyids=<value>] [-binary] [-keyusage=<extension(s)>] [-md5WithRsa] [-sha1WithRsa] [-sha224withrsa] [-sha256withrsa] [-sha384withrsa] [-sha512withrsa] [-sha1withdsa] [-sha1withecdsa] [-sha224withecdsa] [-sha256withecdsa] [-sha384withecdsa] [-sha512withecdsa] [-basicconstraints=<constraints>] [-certdelete=<handle/OUID#>] [-outputfile=<filename>] [-parentlabel=<label>] [-password=<password>] [-ped=<PED_ID>] [-slot=<slot#>]

Argument(s) Description
-basicconstraints =<constraints>

Defines constraints applied to the certificate. Can include one or more in a comma-delimited list.

Valid Values:

critical,optional,ca:true,ca:false,pathlen:[value < 127]

-binary Defines the created certificate format to be raw binary (DER encoding) instead of the default PEM (base64) encoding.
-certdelete=<handle/OUID#> Specifies that the identified certificate (handle/OUID#) is to be deleted upon command completion (equivalent to running the cmu delete command separately).
-certificatepolicy=<policy> Defines the certificate policy to be used.
-endDate=<YYYYMMDD> Defines the validity end of the certificate, in the format YYYYMMDD.
-extendedkeyusage=<usage>

Defines the permitted additional usage of the key. Can include one or more in a comma-delimited list.

Valid Values:

critical,optional,clientauth,serverauth,codesigning,emailprotection,timestamping,ocspsigningD

-handle=<handle#> Defines the handle of the parent certificate. If this parameter is omitted and there is only one certificate on the partition, that certificate is automatically selected. If this parameter is omitted and there are multiple certificates on the partition, the user is prompted to select the certificate. This method of selection applies to Luna HSMs only. On a Luna Cloud HSM service slot, use -ouid instead.
-id=<CKA_ID> Defines the CKA_ID attribute for the certificate object that gets created on the HSM. If omitted, the CKA_ID attribute of the private key is used instead.
-inputfile=<filename>

Defines the name of the file that contains the PKCS #10 certificate request.

-keyids=<value>

Indicates to use a subject key identifier from the parent.

Valid values: 1,0 (True or False)

-keyusage=<extension(s)>

Defines the key usage extension for the certificate. This parameter may appear more than once in the parameter set, to define multiple usages, or it can be used once with a comma-separated list of usage types.

Valid values:

digitalsignature,nonrepudiation,keyencipherment,dataencipherment,keyagreement,keycertsign,crlsign,encipheronly,decipheronly

-label=<label>

Defines the label attribute for the certificate object that gets created on the HSM. If omitted, the common name of the subject DN is used instead.

-md5WithRsa Defines the signature algorithm for the certificate to be pkcs-1-MD5withRSAEncryption. The default is to use sha1WithRsa.
-ouid=<OUID#> Defines the Object Unified Identifier (OUID) of the parent certificate. If this parameter is omitted and there is only one certificate on the partition, that certificate is automatically selected. If this parameter is omitted and there are multiple certificates on the partition, the user is prompted to select the certificate. This method of selection requires Luna HSM Client 10.2.0 or newer, and applies to Luna Cloud HSM only. On a Luna HSM slot, use -handle instead.
-outputfile=<filename>

Defines the filename for the certificate to be created.

-parentlabel=<label>

Specifies the label attribute for the certificate or key object that is to be used as the parent for the new certificate.

-private=<T/F>

Defines whether a certificate is created in the private space (default is F). Set -private=T to require authentication before applications can use the certificate.

-serialNumber=<hex_SN>

Defines the serial number of the certificate, in big-endian hexadecimal form.

-sha1withdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA1withDSAEncryption. The default is to use sha1WithRsa.

-sha1withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA1withECDSAEncryption. The default is to use sha1WithRsa.

-sha1WithRsa  Defines the signature algorithm for the certificate to be pkcs-1-SHA1withRSAEncryption. The default is to use sha1WithRsa.
-sha224withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA224withECDSAEncryption. The default is to use sha1WithRsa.

-sha224withrsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA224withRSAEncryption. The default is to use sha1WithRsa.

-sha256withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA256withECDSAEncryption. The default is to use sha1WithRsa.

-sha256withrsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA256withRSAEncryption. The default is to use sha1WithRsa.

-sha384withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA384withECDSAEncryption. The default is to use sha1WithRsa.

-sha384withrsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA384withRSAEncryption. The default is to use sha1WithRsa.

-sha512withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA512withECDSAEncryption. The default is to use sha1WithRsa.

-sha512withrsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA512withRSAEncryption. The default is to use sha1WithRsa.

-startDate=<YYYYMMDD> Defines the validity start of the certificate, in the format YYYYMMDD.
Common
-password=<password> The password for the role accessing the current slot, with the current command.  If this is not specified, it is prompted.
-ped=<PED_ID> Specifies the PED ID for the registered Remote PED that will handle authentication for the current slot, with the current command. You must specify this parameter to use Remote PED authentication.
-slot=<slot#> The slot to be acted upon, by the current command. If this is not specified, it is prompted.

Example

The following command generate a certificate request with cmu:

cmu requestCert –privatehandle=7 -publichandle=6 -C=CA -L=Ottawa -O=Thales -CN=TestCertificate -outputFile=testCert.req

Alternatively, the following command generates a DER-encoded certificate request with OpenSSL:

openssl req -new -key privatekey.pem -out testCert.req -subj '/C=CA/ST=Ontario/L=Ottawa/O=Thales/CN=TestCertificate' -outform DER

The following command creates and signs a new certificate from the testCert.req certificate request, using certificate 8 as the parent:

cmu certify -input=testCert.req -h=8