All Products
Search

This Product

    Key Management Service:genRSAKeyPair

    Document Center

    Key Management Service:genRSAKeyPair

    Last Updated:Nov 11, 2024

    This topic explains the process of generating an RSA key pair using the genRSAKeyPair command on HSM, detailing the necessary key type, modulus length, and public exponent specifications.

    Feature description

    The genRSAKeyPair command allows for the creation of RSA asymmetric keys on HSM, which involves specifying the key type, modulus length, and public exponent.

    Important

    Ensure you have started the key_mgmt_tool and logged on to the HSM with a CU identity before executing this command.

    Syntax

    Enter parameters as per the syntax provided below. For detailed descriptions of each parameter, refer to Parameters.

    genRSAKeyPair -m <modulus length>
              -e <public exponent> 
              -l <label> 
              [-id <key ID>] 
              [-min_srv <minimum number of servers>] 
              [-m_value <0..8>]
              [-nex] 
              [-sess] 
              [-timeout <number of seconds> ]
              [-u <user-ids>] 
              [-attest]
    Important

    It is crucial to input parameters in the exact sequence outlined in the syntax.

    Example

    Below is an example of generating a 2048-bit RSA key pair labeled 'RSA', with the output indicating public key handle 14 and private key handle 15.

    Command:  genRSAKeyPair -m 2048 -e 65541 -l rsa

       	Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS

       	Cfm3GenerateKeyPair:    public key handle: 14    private key handle: 15

       	Cluster Status:
       	Node id 0 status: 0x00000000 : HSM Return: SUCCESS

    Parameters

    Parameter name

    Description

    Required

    Valid values

    -m

    Determines the key size in bits.

    Yes

    2048

    -e

    Sets the public exponent value.

    Yes

    An odd number ≥ 65537

    -l

    Assigns a label to the key.

    Yes

    No specific requirements

    -id

    Specifies the identifier for the generated key.

    No

    No specific requirements

    -sess

    Marks the key as a session key.

    No

    No specific requirements

    -nex

    Prevents the key from being exported.

    No

    No specific requirements

    -u

    Lists user IDs authorized to use the key, separated by commas for multiple entries.

    No

    0 to 8

    -m_value

    Defines the maximum number of users that can utilize the private key within the generated RSA key pair.

    No

    No specific requirements

    -attest

    Conducts a verification of the firmware response's integrity.

    No

    No specific requirements

    -min_srv

    • Indicates the minimum number of servers required for key synchronization within the specified timeout period.

    • If the key fails to synchronize with the required number of servers within the timeout, it will not be created.

    No

    No specific requirements

    -timeout

    • Specifies the duration in seconds for the key to synchronize across the required number of servers, as defined by the min_srv parameter.

    • This parameter is applicable only when used in conjunction with the min_srv parameter.

    • By default, there is no timeout, and the command will wait indefinitely until the key is synchronized to the minimum required servers.

    No

    No specific requirements