Key Management Service: genECCKeyPair

Last Updated: Nov 11, 2024

This topic describes how to generate an ECC key pair on the HSM by using the genECCKeyPair command of key_mgmt_tool.

Feature description

The genECCKeyPair command generates an elliptic curve cryptography (ECC) key pair on the HSM. The command returns one handle for the public key and one for the private key; subsequent commands reference the keys by these handles.

Important

Before you run this command, start key_mgmt_tool and log on to the HSM as a crypto user (CU). The command fails if no CU session is established.

Syntax

Enter the parameters as outlined in the syntax below. For descriptions of each parameter, refer to Parameters.

genECCKeyPair -i <EC curve id>
              -l <label>
              [-id <key ID>]
              [-min_srv <minimum number of servers>]
              [-m_value <0..8>]
              [-nex]
              [-sess]
              [-timeout <number of seconds>]
              [-u <user-ids>]
              [-attest]

Important

Enter the parameters in the order shown in the syntax above. -i and -l are required; the remaining parameters are optional.

Example

The following example uses the NID_secp384r1 curve (curve ID 14) to generate a key pair labeled ecc. The output reports the public key handle as 12 and the private key handle as 13. The first line of the response reports the return code of the operation, and the Cluster Status block reports the result for each HSM node to which the key was synchronized.

Command:   genECCKeyPair -i 14 -l ecc

Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS

Cfm3GenerateKeyPair:    public key handle: 12    private key handle: 13

Cluster Status:
Node id 0 status: 0x00000000 : HSM Return: SUCCESS

Parameters

Each entry below gives the parameter name, its description, whether it is required, and its valid values.

-i
  Description: ID of the elliptic curve on which the key pair is generated.
  Required: Yes
  Valid values:
  • 1: NID_X9_62_prime192v1
  • 2: NID_X9_62_prime256v1
  • 3: NID_sect163k1
  • 4: NID_sect163r2
  • 5: NID_sect233k1
  • 6: NID_sect233r1
  • 7: NID_sect283k1
  • 8: NID_sect283r1
  • 9: NID_sect409k1
  • 10: NID_sect409r1
  • 11: NID_sect571k1
  • 12: NID_sect571r1
  • 13: NID_secp224r1
  • 14: NID_secp384r1
  • 15: NID_secp521r1
  • 16: NID_secp256k1

-l
  Description: Label of the generated key pair.
  Required: Yes
  Valid values: No specific requirements

-id
  Description: ID assigned to the generated key.
  Required: Optional
  Valid values: No specific requirements

-sess
  Description: Marks the generated key as a session key, which exists only for the duration of the current session.
  Required: Optional
  Valid values: None (flag without a value)

-nex
  Description: Marks the key as non-exportable, so that the private key cannot be exported from the HSM.
  Required: Optional
  Valid values: None (flag without a value)

-u
  Description: Comma-separated list of the IDs of the users with whom the key is shared.
  Required: Optional
  Valid values: No specific requirements

-m_value
  Description: Sets the M value of the private key in the generated key pair: the number of users whose approval is required before the private key can be used. 0 means that no approval is required.
  Required: Optional
  Valid values: 0 to 8

-attest
  Description: Verifies the integrity of the firmware response (attestation check).
  Required: Optional
  Valid values: None (flag without a value)

-min_srv
  Description:
  • Specifies the minimum number of servers to which the key must be synchronized within the allocated time (see -timeout).
  • If the key is not synchronized to the specified number of servers within the allocated time, the key is not created.
  Required: Optional
  Valid values: No specific requirements

-timeout
  Description:
  • Allocates the time, in seconds, within which the key must be synchronized to the specified number of servers (see -min_srv).
  • This parameter takes effect only when it is used together with the -min_srv parameter.
  • Default: no timeout. The command waits indefinitely until the key is synchronized to the minimum number of servers.
  Required: Optional
  Valid values: No specific requirements
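The following is an added example, not code from this page or from the key_mgmt_tool vendor. It is a POSIX sh helper that assembles a genECCKeyPair command line in the parameter order the syntax requires, rejects values outside the ranges given in the parameter table (curve ID 1 to 16, m_value 0 to 8, -timeout without -min_srv), and extracts the two key handles from a response of the form shown in the example above. The function names, the positional option convention and the SAMPLE_OUTPUT string (constructed from the example on this page) are assumptions; key_mgmt_tool itself is not invoked.

```shell
#!/bin/sh
# Added example helper for genECCKeyPair (hypothetical; not part of key_mgmt_tool).

# True when $1 is a non-empty string of decimal digits.
is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# build_gen_ecc_cmd CURVE LABEL [ID] [MIN_SRV] [TIMEOUT] [M_VALUE] [NEX] [SESS] [USERS] [ATTEST]
# An empty argument omits that optional parameter; NEX, SESS and ATTEST are "1" to set the flag.
# Emits the parameters in the order required by the syntax:
#   -i -l -id -min_srv -m_value -nex -sess -timeout -u -attest
build_gen_ecc_cmd() {
  curve=$1 label=$2 id=$3 min_srv=$4 timeout=$5 m_value=$6 nex=$7 sess=$8 users=$9 attest=${10}
  # -i must be one of the 16 curve IDs in the parameter table.
  is_int "$curve" && [ "$curve" -ge 1 ] && [ "$curve" -le 16 ] \
    || { echo "invalid curve id: '$curve' (expected 1..16)" >&2; return 1; }
  [ -n "$label" ] || { echo "label (-l) is required" >&2; return 1; }
  # -m_value is restricted to 0..8.
  if [ -n "$m_value" ]; then
    is_int "$m_value" && [ "$m_value" -le 8 ] \
      || { echo "invalid m_value: '$m_value' (expected 0..8)" >&2; return 1; }
  fi
  # -timeout only takes effect with -min_srv; treat it alone as a caller error.
  if [ -n "$timeout" ] && [ -z "$min_srv" ]; then
    echo "-timeout requires -min_srv" >&2; return 1
  fi
  cmd="genECCKeyPair -i $curve -l $label"
  [ -n "$id" ]      && cmd="$cmd -id $id"
  [ -n "$min_srv" ] && cmd="$cmd -min_srv $min_srv"
  [ -n "$m_value" ] && cmd="$cmd -m_value $m_value"
  [ "$nex" = 1 ]    && cmd="$cmd -nex"
  [ "$sess" = 1 ]   && cmd="$cmd -sess"
  [ -n "$timeout" ] && cmd="$cmd -timeout $timeout"
  [ -n "$users" ]   && cmd="$cmd -u $users"
  [ "$attest" = 1 ] && cmd="$cmd -attest"
  printf '%s\n' "$cmd"
}

# parse_gen_ecc_output OUTPUT
# Prints "<public handle> <private handle>" when the response reports
# return code 0x00 (SUCCESS); returns 1 on any other return code or if the
# handle line is missing, so callers never use handles from a failed call.
parse_gen_ecc_output() {
  out=$1
  printf '%s\n' "$out" | grep -q 'Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS' || return 1
  handles=$(printf '%s\n' "$out" \
    | sed -n 's/.*public key handle: *\([0-9][0-9]*\).*private key handle: *\([0-9][0-9]*\).*/\1 \2/p' \
    | head -n 1)
  [ -n "$handles" ] || return 1
  printf '%s\n' "$handles"
}

# Constructed sample response, matching the example on this page (not captured from a real HSM).
SAMPLE_OUTPUT='Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS
Cfm3GenerateKeyPair:    public key handle: 12    private key handle: 13
Cluster Status:
Node id 0 status: 0x00000000 : HSM Return: SUCCESS'

# Demonstration: the command from the example, a non-exportable variant with
# quorum and synchronization options, and handle extraction from the sample.
build_gen_ecc_cmd 14 ecc
build_gen_ecc_cmd 14 ecc "" 2 120 3 1 0 "5,6" 1
parse_gen_ecc_output "$SAMPLE_OUTPUT"
```

In practice the string returned by build_gen_ecc_cmd is what you type at the key_mgmt_tool prompt, and parse_gen_ecc_output is applied to the tool's response; checking the return code before trusting the handles matters because a synchronization failure under -min_srv still produces output, but without a created key.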