CKM_ENCODE_PKCS_10
Supported Operations
| Encrypt and Decrypt | No |
| Sign and Verify | No |
| SignRecover and VerifyRecover | No |
| Digest | No |
| Generate Key/Key-Pair | No |
| Wrap and Unwrap | No |
| Derive | Yes |
| Available in FIPS Mode | Yes |
| Restrictions in FIPS Mode | None |
Key Size Range and Parameters
| Minimum | 0 |
| FIPS Minimum | 0 |
| Maximum | None |
| Parameter | None |
Description
This mechanism is used with the C_DeriveKey function to create a PKCS#10 certification request from a public key. Either an RSA or DSA public key may be used with this function. The PKCS#10 certificate request could then be sent to a Certificate authority for signing.
From PKCS#10
A certification request consists of a distinguished name, a public key and optionally a set of attributes that are collectively signed by the entity requesting certification. Certification requests are sent to a certification authority, which will transform the request to an X.509 public-key certificate.
Usage
>Use CKM_RSA_PKCS_KEY_PAIR_GEN to generate a key.
>Add a CKA_SUBJECT attribute to the public key, containing the subject's distinguished name.
>Initialize the signature mechanism to sign the request. Note that a digest/sign mechanism must be chosen. For example, CKM_SHA1_RSA_PKCS
>Call C_DeriveKey with the CKM_ENCODE_PKCS_10 mechanism to perform the generation.
>On success, an object handle for the certificate request is returned.
>The object's CKA_VALUE attribute contains the PKCS#10 request.
Return to ProtectToolkit-C Mechanisms
