Key Management Service: Sign

Last Updated: Nov 11, 2024

This topic describes how to use the sign command to generate a signing certificate.

Feature description

The sign command uses a selected private key to produce a signing certificate. Alternatively, you can use the openssl command to create a signing certificate. For details, see Create a self-signed certificate to assist with HSM initialization.

Important

Before you run this command, start key_mgmt_tool and log on to the HSM as a crypto user (CU).

Syntax

Enter the parameters according to the following syntax. For a description of each parameter, see Parameters.

sign -f <file name>
     -k <private key handle>
     -m <signature mechanism>
     -out <signed file name>

Important

Parameters must be entered in the order specified by the syntax.

Example

Command:  sign -f messageFile -k 8 -out signedFile -m 1

        Signature creation successful

        signature is written to file signedFile

        Cfm3Sign: sign returned: 0x00 : HSM Return: SUCCESS

Parameters

-f

    Description: Specifies the file to be signed.
    Required: Yes
    Valid values: No special requirements

-k

    Description: Specifies the handle of the private key used for signing.
    Required: Yes
    Valid values: No special requirements

-m

    Description: Specifies the integer that identifies the signature mechanism.
    Required: Yes
    Valid values:

  • 0: SHA-1 with RSA and PKCS#1 padding
  • 1: SHA-256 with RSA and PKCS#1 padding
  • 2: SHA-384 with RSA and PKCS#1 padding
  • 3: SHA-512 with RSA and PKCS#1 padding
  • 4: SHA-224 with RSA and PKCS#1 padding
  • 5: SHA-1 with RSA and PKCS#1 PSS
  • 6: SHA-256 with RSA and PKCS#1 PSS
  • 7: SHA-384 with RSA and PKCS#1 PSS
  • 8: SHA-512 with RSA and PKCS#1 PSS
  • 9: SHA-224 with RSA and PKCS#1 PSS
  • 15: ECDSA with SHA-1
  • 16: ECDSA with SHA-224
  • 17: ECDSA with SHA-256
  • 18: ECDSA with SHA-384
  • 19: ECDSA with SHA-512

-out

    Description: Specifies the name of the file in which the signature is saved.
    Required: Yes
    Valid values: No special requirements
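
The following Python helper is an added example, not part of the original documentation or of the tool. It builds the sign command with the parameters in the order the syntax specifies, validates -m against the documented list, and checks the status line that the tool prints. The function names, the key_family argument, and the rules that reject SHA-1 mechanisms and unusual file names are assumptions made for illustration.

```python
import re

# Mechanism integers from the -m list above: value -> (key family, hash, padding)
MECHANISMS = {
    0: ("RSA", "SHA-1", "PKCS#1"), 1: ("RSA", "SHA-256", "PKCS#1"),
    2: ("RSA", "SHA-384", "PKCS#1"), 3: ("RSA", "SHA-512", "PKCS#1"),
    4: ("RSA", "SHA-224", "PKCS#1"), 5: ("RSA", "SHA-1", "PSS"),
    6: ("RSA", "SHA-256", "PSS"), 7: ("RSA", "SHA-384", "PSS"),
    8: ("RSA", "SHA-512", "PSS"), 9: ("RSA", "SHA-224", "PSS"),
    15: ("EC", "SHA-1", None), 16: ("EC", "SHA-224", None),
    17: ("EC", "SHA-256", None), 18: ("EC", "SHA-384", None),
    19: ("EC", "SHA-512", None),
}

# Status line format as shown in the Example section of this page.
STATUS_RE = re.compile(
    r"Cfm3Sign: sign returned: (0x[0-9a-fA-F]+) : HSM Return: (\w+)")


def build_sign_command(message_file, key_handle, mechanism, out_file, key_family):
    """Return the sign command with arguments in the documented order.

    key_family ("RSA" or "EC") is supplied by the caller (assumption: the
    caller knows the type of the key behind the handle).
    """
    if mechanism not in MECHANISMS:
        raise ValueError(f"-m {mechanism} is not a documented mechanism")
    family, digest, _padding = MECHANISMS[mechanism]
    if family != key_family:
        raise ValueError(f"-m {mechanism} is for {family} keys, not {key_family}")
    if digest == "SHA-1":  # local policy (assumption), not a tool restriction
        raise ValueError(f"-m {mechanism} uses SHA-1; pick a SHA-2 mechanism")
    if not isinstance(key_handle, int) or key_handle < 0:
        raise ValueError("key handle must be a non-negative integer")
    for name in (message_file, out_file):
        # Whitespace or a leading dash could be parsed as extra arguments.
        if not name or name.startswith("-") or any(c.isspace() for c in name):
            raise ValueError(f"unsafe file name: {name!r}")
    return f"sign -f {message_file} -k {key_handle} -m {mechanism} -out {out_file}"


def sign_succeeded(tool_output):
    """True only if a status line is present and reports 0x00 / SUCCESS."""
    match = STATUS_RE.search(tool_output)
    if match is None:
        return False  # no status line: treat as failure, never as success
    return int(match.group(1), 16) == 0 and match.group(2) == "SUCCESS"
```
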