CKM_ENCODE_PKCS_10

Supported Operations

  Encrypt and Decrypt             No
  Sign and Verify                 No
  SignRecover and VerifyRecover   No
  Digest                          No
  Generate Key/Key-Pair           No
  Wrap and Unwrap                 No
  Derive                          Yes
  Available in FIPS Mode          Yes
  Restrictions in FIPS Mode       None

Key Size Range and Parameters

  Minimum        0
  FIPS Minimum   0
  Maximum        None
  Parameter      None

Description

This ProtectToolkit-C mechanism is used with the C_DeriveKey function to create a PKCS#10 certification request from a public key. Either an RSA or DSA public key may be used with it. The resulting PKCS#10 request can then be sent to a certification authority for signing.

From PKCS#10

A certification request consists of a distinguished name, a public key and optionally a set of attributes that are collectively signed by the entity requesting certification. Certification requests are sent to a certification authority, which will transform the request to an X.509 public-key certificate.

Usage

1. Use CKM_RSA_PKCS_KEY_PAIR_GEN to generate a key pair.

2. Add a CKA_SUBJECT attribute to the public key, containing the subject's distinguished name.

3. Initialize the signature mechanism that will sign the request. A combined digest/sign mechanism must be chosen, for example CKM_SHA1_RSA_PKCS.

4. Call C_DeriveKey with the CKM_ENCODE_PKCS_10 mechanism to perform the generation.

5. On success, an object handle for the certificate request is returned.

6. The object's CKA_VALUE attribute contains the PKCS#10 request.
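As an added example (not ProtectToolkit-C code, and not a PKCS#11 call sequence), the following pure-Python script shows what the usage steps above produce and what a CA-side consumer should check on receipt. It builds the PKCS#10 CertificationRequest structure quoted from the standard above (subject name, public key, empty attribute set, signed by the requester with sha1WithRSAEncryption, the encoding CKM_SHA1_RSA_PKCS produces) and then parses and verifies it with a strict DER reader. The toy RSA key built from two Mersenne primes stands in for a key pair from CKM_RSA_PKCS_KEY_PAIR_GEN, the subject name host.example is constructed, the resulting bytes correspond to what the mechanism leaves in CKA_VALUE, and all function names are the example's own.

```python
"""PKCS#10 CertificationRequest (RFC 2986): build one, then check it the way a CA should.
Added example, not ProtectToolkit-C code: the toy RSA key stands in for one made by
CKM_RSA_PKCS_KEY_PAIR_GEN, rsa_sign_sha1() for CKM_SHA1_RSA_PKCS, and build_csr() for the
bytes CKM_ENCODE_PKCS_10 leaves in the derived object's CKA_VALUE."""
import hashlib

OID_RSA = bytes.fromhex("06092a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA1_RSA = bytes.fromhex("06092a864886f70d010105")   # 1.2.840.113549.1.1.5 sha1WithRSAEncryption
OID_CN = bytes.fromhex("0603550403")                     # 2.5.4.3 commonName
NULL = b"\x05\x00"
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")   # RFC 8017 DigestInfo prefix

def der(tag, content):
    """One DER TLV: short-form length below 128 bytes, long form above."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):          # minimal encoding: a leading 0x00 only when the top bit would be set
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_seq(*items): return der(0x30, b"".join(items))
def der_set(*items): return der(0x31, b"".join(items))
def der_bits(b): return der(0x03, b"\x00" + b)           # BIT STRING with zero unused bits

def toy_rsa_key(e=65537):
    """Deterministic toy key from two Mersenne primes; demo only, never use structured primes."""
    p, q = (1 << 521) - 1, (1 << 607) - 1
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def rsa_sign_sha1(tbs, n, d):
    """RSASSA-PKCS1-v1_5 with SHA-1, the encoding CKM_SHA1_RSA_PKCS produces."""
    k = (n.bit_length() + 7) // 8
    t = SHA1_DIGESTINFO + hashlib.sha1(tbs).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def build_csr(common_name, n, e, d):
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }"""
    subject = der_seq(der_set(der_seq(OID_CN, der(0x0C, common_name.encode()))))   # UTF8String CN
    spki = der_seq(der_seq(OID_RSA, NULL), der_bits(der_seq(der_int(n), der_int(e))))
    cri = der_seq(der_int(0), subject, spki, der(0xA0, b""))   # version 0, empty [0] attributes
    return der_seq(cri, der_seq(OID_SHA1_RSA, NULL), der_bits(rsa_sign_sha1(cri, n, d)))

def der_read(buf, pos=0):
    """(tag, content, end) of the TLV at pos; rejects indefinite and truncated lengths."""
    tag, first = buf[pos], buf[pos + 1]
    start, ln = pos + 2, first
    if first >= 0x80:
        nb = first & 0x7F
        if nb == 0 or nb > 4:
            raise ValueError("bad length octet")
        ln, start = int.from_bytes(buf[start:start + nb], "big"), start + nb
    if start + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:start + ln], start + ln

def der_children(content):
    """(tag, content, raw_tlv) for each element of a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = der_read(content, pos)
        out.append((tag, body, content[pos:end]))
        pos = end
    return out

def verify_csr(csr):
    """Check structure and the requester's self-signature; return (subject CN, modulus bits)."""
    tag, body, end = der_read(csr)
    if tag != 0x30 or end != len(csr):
        raise ValueError("not a single DER SEQUENCE")
    (_, cri, cri_raw), (_, alg, _), (_, sigbits, _) = der_children(body)
    if der_children(alg)[0][2] != OID_SHA1_RSA:
        raise ValueError("unexpected signature algorithm")
    (_, version, _), (_, subject, _), (_, spki, _), _attrs = der_children(cri)
    if version != b"\x00":
        raise ValueError("unsupported PKCS#10 version")
    cn = None
    for _, rdn, _ in der_children(subject):                # Name: SEQUENCE OF SET OF {OID, value}
        for _, atv, _ in der_children(rdn):
            (_, _, oid_raw), (_, value, _) = der_children(atv)
            if oid_raw == OID_CN:
                cn = value.decode()
    _, (_, keybits, _) = der_children(spki)
    (_, n_b, _), (_, e_b, _) = der_children(der_read(keybits[1:])[1])
    n, e = int.from_bytes(n_b, "big"), int.from_bytes(e_b, "big")
    k = (n.bit_length() + 7) // 8
    if sigbits[0] != 0 or len(sigbits) != k + 1:
        raise ValueError("malformed signature BIT STRING")
    em = pow(int.from_bytes(sigbits[1:], "big"), e, n).to_bytes(k, "big")
    want = b"\x00\x01" + b"\xff" * (k - 38) + b"\x00" + SHA1_DIGESTINFO + hashlib.sha1(cri_raw).digest()
    if em != want:                                         # exact compare, no lenient padding parse
        raise ValueError("self-signature does not verify")
    return cn, n.bit_length()

if __name__ == "__main__":
    n, e, d = toy_rsa_key()
    csr = build_csr("host.example", n, e, d)               # constructed subject name
    print(len(csr), "byte request, verified:", verify_csr(csr))
```

Run it directly to print the request size and the verified subject. The verification compares the recovered PKCS#1 v1.5 block byte for byte rather than parsing the padding leniently, and it rejects any request whose outer SEQUENCE does not account for every byte, so a request altered after signing (for instance a changed subject name) fails the self-signature check before any CA policy is applied.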
