cmu generatekeypair
This function generates an asymmetric key pair on the token or HSM. An optional input filename can be used to specify a file from which mandatory and optional attributes are to be read.
For DSA key generation, the domain parameters (Prime, Subprime, and Base) are required, and must be provided either as part of the command, or as responses to interactive prompting. If one is provided at the command line, then all three must be provided in that manner. If none are provided at the command line, then all three are prompted for interactive entry.
You may not provide only one or two of the parameters at the command line. Providing just one or two domain parameters is considered an error, and the command halts with an error message.
Syntax
cmu generatekeypair [-keyType=<keytype>] [-modulusBits=<length>] [-publicExponent=<value>] [-label=<label>] [-inputFile=<filename>] [-labelPublic=<label>] [-labelPrivate=<label>] [-mech=<pkcs | prime | aux>] [-modifiable=<0/1>] [-encrypt=<0/1>] [-decrypt=<0/1>] [-sign=<0/1>] [-verify=<0/1>] [-wrap=<0/1>] [-unwrap=<0/1>] [-derive=<0/1>] [-extractable=<0/1>] [-id=<hex_ID>] [-startDate=<YYYYMMDD>] [-endDate=<YYYYMMDD>] [-subject=<hex_value>] [-curvetype=<value>] [-prime=<length>] [-subprime=<length>] [-base=<length>]
Argument(s) | Description |
---|---|
-base=<length> | Defines a base length for DSA key generation. |
-curvetype=<value> | This optional parameter defines the name of a curve type for ECDSA keys. Enter a value from 1 to 5 (1 = NIST P-192, 2 = NIST P-224, 3 = NIST P-256, 4 = NIST P-384, 5 = NIST P-521). |
-decrypt=<0/1> | Defines the decrypt setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the encrypt setting for the public key should also be set to True. NOTE: An HSM is often configured such that no key can have multiple functions; see policy #10 in Partition Capabilities and Policies to choose that configuration option. Thus, if decrypt is set to True, then unwrap and sign would need to be False. |
-derive=<0/1> | Set to True or False (or 1 or 0). Note that an HSM is typically configured such that functional key attributes cannot be changed, so an attempt to change this attribute will be rejected by the HSM. |
-encrypt=<0/1> | Defines the encrypt setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the decrypt setting for the private key should also be set to True. NOTE: An HSM is often configured such that no key can have multiple functions; see policy #10 in Partition Capabilities and Policies to choose that configuration option. Thus, if encrypt is set to True, then wrap and verify would need to be False. |
-endDate=<YYYYMMDD> | Defines the endDate field for the newly generated keys. The format for the value is YYYYMMDD. |
-extractable=<0/1> | Defines the extractable setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. |
-id=<hex_ID> | Defines the ID field for the newly generated keys. It must be set to a big-endian hexadecimal integer value. |
-inputFile=<filename> | Defines the name of a file from which to obtain additional parameter settings, one per line, of the form <name>=<value>. |
-keyType=<keytype> | Defines the type of asymmetric keys to generate. This parameter is not required if the key type can be established by the presence of other parameters (for example, if -modulusBits and/or -publicExponent is specified, then -keyType=RSA is redundant). Currently, only RSA key pairs are supported. |
-label=<label> | Defines a label to be applied to both of the newly generated keys. If a multi-word label is required, the label value must be enclosed in quotation marks. |
-labelPrivate=<label> | Defines a label to apply to the private key from the newly generated key pair. |
-labelPublic=<label> | Defines a label to apply to the public key from the newly generated key pair. |
-mech=<mechanism> | Defines the RSA key generation mechanism to be used (formerly "-keygenmech"). Valid values: pkcs (PKCS), prime (FIPS 186-3 Only Primes), aux (FIPS 186-3 Auxiliary Primes). |
-modifiable=<0/1> | Defines the modifiable setting for each of the keys in the key pair. It must be set to True or False (or 1 or 0). |
-modulusBits=<length> | Defines the length in bits of the modulus value for the generation of RSA key pairs. It must be set to a value between 1024 and 4096 that is a multiple of 64 bits. If HSM policy 12 "Allow non-FIPS algorithms" is set to "No", then the RSA key size is limited to 2048 bits or 3072 bits. |
-prime=<length> | Defines a prime length for DSA key generation. |
-publicExponent=<value> | Defines the public exponent value to use in the generation of RSA key pairs. Valid values: 3, 17, 65537. Only 65537 is allowed in FIPS mode. |
-sign=<0/1> | Defines the sign setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the verify setting for the public key should also be set to True. NOTE: An HSM is often configured such that no key can have multiple functions; see policy #10 in Partition Capabilities and Policies to choose that configuration option. Thus, if sign is set to True, then unwrap and decrypt would need to be False. |
-startDate=<YYYYMMDD> | Defines the startDate field for the newly generated keys. The format for the value is YYYYMMDD. |
-subject=<hex_value> | Defines the subject field for the newly generated keys. It must be set to a big-endian hexadecimal integer value. The subject field is typically set to the DER encoding of the subject distinguished name for the key. |
-subprime=<length> | Defines a subprime length in bits for DSA key generation. |
-unwrap=<0/1> | Defines the unwrap setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the wrap setting for the public key should also be set to True. NOTE: An HSM is often configured such that no key can have multiple functions; see policy #10 in Partition Capabilities and Policies to choose that configuration option. Thus, if unwrap is set to True, then decrypt and sign would need to be False. |
-verify=<0/1> | Defines the verify setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the sign setting for the private key should also be set to True. NOTE: An HSM is often configured such that no key can have multiple functions; see policy #10 in Partition Capabilities and Policies to choose that configuration option. Thus, if verify is set to True, then encrypt and wrap would need to be False. |
-wrap=<0/1> | Defines the wrap setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the unwrap setting for the private key should also be set to True. NOTE: An HSM is often configured such that no key can have multiple functions; see policy #10 in Partition Capabilities and Policies to choose that configuration option. Thus, if wrap is set to True, then encrypt and verify would need to be False. |
See also Common CMU Options.
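The table above states several consistency rules (private/public usage pairs, the single-function restriction of policy #10, the modulusBits and publicExponent limits, all-or-nothing DSA domain parameters) that the HSM only reports one at a time. The pre-flight validator below is an added example, not part of the Luna client; the `fips` and `single_function` switches are assumed names standing in for policy 12 ("Allow non-FIPS algorithms" = No) and policy #10 on the partition.

```python
from typing import Dict, List

# Key-usage attributes the table documents; each takes True/False or 1/0.
BOOL_ATTRS = ("encrypt", "decrypt", "sign", "verify", "wrap", "unwrap",
              "extractable", "modifiable", "derive")
# Private-key function paired with the public-key function it needs.
PAIRS = (("decrypt", "encrypt"), ("sign", "verify"), ("unwrap", "wrap"))

def as_bool(v) -> bool:
    """Accept True/False, 1/0, or the T/F shorthand the RSA example uses."""
    s = str(v).strip().lower()
    if s not in ("1", "true", "t", "0", "false", "f"):
        raise ValueError(f"attribute value must be True/False or 1/0, got {v!r}")
    return s in ("1", "true", "t")

def check_options(o: Dict, fips: bool = False, single_function: bool = False) -> List[str]:
    """Return the problems found; an empty list means the options are consistent."""
    p = []
    flags = {k: as_bool(o[k]) for k in BOOL_ATTRS if k in o}
    for priv, pub in PAIRS:
        if flags.get(priv) and not flags.get(pub):
            p.append(f"-{priv}=1 on the private key needs -{pub}=1 on the public key")
        if flags.get(pub) and not flags.get(priv):
            p.append(f"-{pub}=1 on the public key needs -{priv}=1 on the private key")
    if single_function:  # assumed switch for policy #10: one function per key
        for side in (("decrypt", "sign", "unwrap"), ("encrypt", "verify", "wrap")):
            on = [k for k in side if flags.get(k)]
            if len(on) > 1:
                p.append(f"policy #10 allows only one of {'/'.join(side)}, got {on}")
    if "modulusBits" in o:
        n = int(o["modulusBits"])
        if not (1024 <= n <= 4096 and n % 64 == 0):
            p.append("modulusBits must be 1024..4096 and a multiple of 64")
        elif fips and n not in (2048, 3072):  # assumed switch for policy 12 = No
            p.append("with non-FIPS algorithms disallowed, modulusBits must be 2048 or 3072")
    if "publicExponent" in o:
        e = int(o["publicExponent"])
        if e not in (3, 17, 65537) or (fips and e != 65537):
            p.append("publicExponent must be 3, 17 or 65537 (65537 only in FIPS mode)")
    if 0 < sum(k in o for k in ("prime", "subprime", "base")) < 3:
        p.append("DSA domain parameters must be given all together or not at all")
    return p

def build_args(o: Dict, **policy) -> List[str]:
    """Render validated options as a cmu generatekeypair argument list."""
    problems = check_options(o, **policy)
    if problems:
        raise ValueError("; ".join(problems))
    return ["cmu", "generatekeypair"] + [f"-{k}={int(as_bool(v)) if k in BOOL_ATTRS else v}" for k, v in o.items()]
```

Running `build_args` on the same options as the RSA example below yields the argument list to hand to the client, or a single message listing every rule the options break.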
Example
RSA
```
C:\Program Files\SafeNet\LunaClient>cmu gen -modulusBits=2048 -publicExp=65537 -sign=T -verify=T
Select token
 [1] Token Label: myPartition1
 [2] Token Label: myPartition1
Enter choice: 2
Please enter password for token in slot 2 : *******************

C:\Program Files\SafeNet\LunaClient>cmu list
Select token
 [1] Token Label: myPartition1
 [2] Token Label: myPartition1
Enter choice: 2
Please enter password for token in slot 2 : *******************
handle=14    label=NewPublicVerifyingKey
handle=15    label=NewPrivateSigningKey

C:\Program Files\SafeNet\LunaClient>
```
DSA - Domain Parameters at Command Line
```
cmu generatekeypair -keytype DSA -slot 6 -prime 0xfcec6182eb206b43c03e36c0eadabff56a0c2e79def44bc8f2e53699096d1ff270f159785d756921dbff9773ae08483b662fc07df7512ff68b2e5565fd7982e20c244832aba121cc0799cc09f2d5414d5f3966211365f51b83e9ffcccb3d88cdf238f7c2739131ca7aadff662fec1fb0e1d311a404260376fd011fe00d0204c3 -subprime 0xd3807353b51c5f71b22ac3d0c7e394148fcedc61 -base 0x42e3778e6ec31b0db07a6b370d7fb6fb4a0bca6deaac371f6adbcbeba38ddf76a47c3c3d79276a0e579ce4e347180fd9b4ad461d6cf0eac51fb08cf452f624570051e518a75a5bb9c3578a14fd4f27f795b22acea62b1fdf1032c1266da081c7fb99c4266626587093fd381617238ee1578fc325548dc1c08e5f9322c3b1205e
```
DSA - Domain Parameters Entered Interactively
```
cmu generatekeypair -keytype DSA -slot 6
The prime, subprime and base values must be entered as a HEX byte array.
For example, to enter a 1024-bit prime value, enter a 128-byte HEX byte array using this format: 0xa0383ee692f8... The prime value can be a 1024-bit, 2048-bit or 3072-bit value.
Enter a prime value: 0xfcec6182eb206b43c03e36c0eadabff56a0c2e79def44bc8f2e53699096d1ff270f159785d756921dbff9773ae08483b662fc07df7512ff68b2e5565fd7982e20c244832aba121cc0799cc09f2d5414d5f3966211365f51b83e9ffcccb3d88cdf238f7c2739131ca7aadff662fec1fb0e1d311a404260376fd011fe00d0204c3
Enter a 160 bit subprime value: 0xd3807353b51c5f71b22ac3d0c7e394148fcedc61
Enter a 1024-bit base value: 0x42e3778e6ec31b0db07a6b370d7fb6fb4a0bca6deaac371f6adbcbeba38ddf76a47c3c3d79276a0e579ce4e347180fd9b4ad461d6cf0eac51fb08cf452f624570051e518a75a5bb9c3578a14fd4f27f795b22acea62b1fdf1032c1266da081c7fb99c4266626587093fd381617238ee1578fc325548dc1c08e5f9322c3b1205e
```
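The interactive prompt only tells you the byte-array format it expects; a value of the wrong length or a base outside the valid range is discovered one prompt at a time. The checker below is an added example (not part of the Luna client) that applies the format rules the prompt states, plus the FIPS 186-3 subprime size for each prime size (the prompt above shows the 1024/160 case) and two cheap numeric sanity checks, before the values are typed in.

```python
import re
from typing import List

HEX_BYTES = re.compile(r"^0x(?:[0-9a-fA-F]{2})+$")  # whole bytes, 0x prefix
# Subprime sizes FIPS 186-3 pairs with each prime size; the prompt above
# shows the 1024/160 case.
SUBPRIME_BITS = {1024: (160,), 2048: (224, 256), 3072: (256,)}

def hex_len(value: str) -> int:
    """Byte length of a 0x-prefixed HEX byte array, or -1 if malformed."""
    return (len(value) - 2) // 2 if HEX_BYTES.match(value) else -1

def check_dsa_params(prime: str, subprime: str, base: str) -> List[str]:
    """Return the problems found; an empty list means the values are well-formed."""
    p, q, g = hex_len(prime), hex_len(subprime), hex_len(base)
    if min(p, q, g) < 0:
        return ["every value must be a 0x-prefixed HEX byte array with an even digit count"]
    problems = []
    if p * 8 not in SUBPRIME_BITS:
        problems.append(f"prime is {p * 8} bits; must be 1024, 2048 or 3072")
    elif q * 8 not in SUBPRIME_BITS[p * 8]:
        problems.append(f"subprime is {q * 8} bits; a {p * 8}-bit prime takes {SUBPRIME_BITS[p * 8]}")
    if g != p:
        problems.append(f"base is {g} bytes but prime is {p} bytes; they must match")
    # Numeric sanity the prompt cannot check: the subprime is an odd prime and
    # the base lies strictly between 1 and the prime.
    P, Q, G = (int(v, 16) for v in (prime, subprime, base))
    if Q % 2 == 0:
        problems.append("subprime must be odd")
    if not 1 < G < P:
        problems.append("base must lie strictly between 1 and the prime")
    return problems
```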