cmu getpkc
Retrieve a Public Key Confirmation from the HSM.
NOTE: This operation works with non-extractable keys only, and supports both RSA and ECC keypair types.
This confirmation procedure is currently not supported on FM-enabled HSMs. Refer to FM Deployment Constraints for details.
Syntax
cmu getpkc [{-handle=<handle#> | -ouid=<OUID#>}] [-outputfile=<filename>] [-verify]
| Argument(s) | Description |
|---|---|
| -handle=<handle#> | The handle to the corresponding private key for the PKC. This method of selection applies to Luna HSMs only. On a Luna Cloud HSM service slot, use -ouid. |
| -ouid=<OUID#> | The Object Unified Identifier (OUID) to the corresponding private key for the PKC. This method of selection |
| -outputfile=<filename> | The name of the file that receives the PKC. |
| -verify | Sets a flag to verify the PKC against the certificate that signed the PKC. It must be set to True or False (or 1 or 0), with False being the default. |
If you run the command with no parameters, you are prompted for the mandatory ones.
Common CMU Options
Some options are commonly available to all cmu commands. They are described below.
| Argument(s) | Description |
|---|---|
| -cu | Specifies that you wish to perform the command as the partition's Crypto User. If the CU is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. |
| -lco | Specifies that you wish to perform the command as the partition's Limited Crypto Officer. If the LCO is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. |
| -password=<password> -pin=<password> | The password for the role accessing the current slot, with the current command. If this is not specified, it is prompted. |
| -ped=<PED_ID> | Specifies the PED ID for the registered Remote PED that will handle authentication for the current slot, with the current command. You must specify this parameter to use Remote PED authentication. |
| -slot=<slot#> | The slot to be acted upon, by the current command. If this is not specified, it is prompted. |
| -so | Specifies that you wish to perform the command as Partition Security Officer for that slot. If a role is not specified, the Crypto Officer role is used by default. |
Example
cmu getpkc -handle=5