CKM_ENCODE_PKCS_10
Supported Operations
Encrypt and Decrypt | No |
Sign and Verify | No |
SignRecover and VerifyRecover | No |
Digest | No |
Generate Key/Key-Pair | No |
Wrap and Unwrap | No |
Derive | Yes |
Available in FIPS Mode | Yes |
Restrictions in FIPS Mode | None |
Key Size Range and Parameters
Minimum | 0 |
FIPS Minimum | 0 |
Maximum | None |
Parameter | None |
Description
This mechanism is used with the C_DeriveKey function to create a PKCS#10 certification request from a public key. Either an RSA or a DSA public key may be used. The resulting PKCS#10 certification request can then be sent to a certification authority for signing.
From PKCS#10
A certification request consists of a distinguished name, a public key and optionally a set of attributes that are collectively signed by the entity requesting certification. Certification requests are sent to a certification authority, which will transform the request to an X.509 public-key certificate.
Usage
1. Use CKM_RSA_PKCS_KEY_PAIR_GEN to generate a key.
2. Add a CKA_SUBJECT attribute to the public key, containing the subject's distinguished name.
3. Initialize the signature mechanism to sign the request. Note that a digest/sign mechanism must be chosen. For example, CKM_SHA1_RSA_PKCS.
4. Call C_DeriveKey with the CKM_ENCODE_PKCS_10 mechanism to perform the generation.
5. On success, an object handle for the certificate request is returned.
6. The object's CKA_VALUE attribute contains the PKCS#10 request.
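Before the request is sent to a certification authority, the bytes read from CKA_VALUE can be checked for the PKCS#10 layout described above, for a non-empty subject, and for the digest/sign algorithm that was used. The following is an added example, not ProtectToolkit-C code; the function names are hypothetical, and the sample request is constructed with placeholder key and signature bytes.

```python
# Added example, not ProtectToolkit-C code: structural check of PKCS#10 bytes
# such as those read from the derived object's CKA_VALUE attribute.
SIG_OIDS = {"2a864886f70d010105": "sha1WithRSAEncryption",    # 1.2.840.113549.1.1.5
            "2a864886f70d01010b": "sha256WithRSAEncryption",  # 1.2.840.113549.1.1.11
            "2a8648ce380403": "dsa-with-sha1"}                # 1.2.840.10040.4.3

def tlv(tag, body):
    """Short-form DER encoder (< 128 bytes); used only for the constructed sample."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def inspect_csr(der):
    """Check the CertificationRequest layout; report subject and signature algorithm."""
    tag, outer, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    t_info, info, pos = read_tlv(outer, 0)   # CertificationRequestInfo
    t_alg, alg, pos = read_tlv(outer, pos)   # signatureAlgorithm
    t_sig, _, pos = read_tlv(outer, pos)     # signature BIT STRING
    t_ver, ver, p = read_tlv(info, 0)        # version INTEGER, must be 0
    t_sub, subject, _ = read_tlv(info, p)    # subject Name
    t_oid, oid, _ = read_tlv(alg, 0)         # signature algorithm OID
    tags = (t_info, t_alg, t_sig, t_ver, t_sub, t_oid)
    if tags != (0x30, 0x30, 0x03, 0x02, 0x30, 0x06) or ver != b"\x00" or pos != len(outer):
        raise ValueError("unexpected PKCS#10 structure")
    name = SIG_OIDS.get(oid.hex(), "unknown")
    return {"subject_present": bool(subject), "sig_alg": name, "uses_sha1": "sha1" in name}

def build_sample(with_subject=True):
    """Constructed test request: placeholder key and signature bytes, not a real CSR."""
    cn = tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"constructed-test")))
    rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, cn if with_subject else b"")
               + tlv(0x30, rsa + tlv(0x03, bytes(17))) + tlv(0xA0, b""))
    sha1_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00")
    return tlv(0x30, info + sha1_rsa + tlv(0x03, bytes(17)))
```

The check is structural only: it does not verify the request's signature, and an empty subject in the result indicates that CKA_SUBJECT was not populated before the derive call.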