Generate an RSA asymmetric key pair on a Hardware Security Module (HSM) using the genRSAKeyPair command in the key_mgmt_tool. Specify the modulus length and public exponent to define the key. The command also lets you assign a label and ID, share the key pair with other HSM users, create nonextractable keys, and generate session keys that expire when the session ends. On success, the HSM assigns a separate key handle to the public key and to the private key. Use these handles to reference the keys in subsequent operations.
Prerequisites
Before you begin, ensure that you have:
- Started key_mgmt_tool
- Logged in to the HSM as a CU (Crypto User)
Syntax
genRSAKeyPair -m <modulus length>
              -e <public exponent>
              -l <label>
              [-id <key ID>]
              [-min_srv <minimum number of servers>]
              [-m_value <0..8>]
              [-nex]
              [-sess]
              [-timeout <number of seconds>]
              [-u <user-ids>]
              [-attest]

Enter parameters in the exact order shown in the syntax.
Parameters
| Parameter | Description | Required | Valid values |
|---|---|---|---|
| -m | Modulus length of the key, in bits. | Yes | 2048 |
| -e | Public exponent value. | Yes | An odd number ≥ 65537 |
| -l | Label for the key pair. The same label applies to both the public key and the private key. | Yes | Any string |
| -id | Identifier for the generated key pair. | No | Any string |
| -nex | Prevents the key from being exported. | No | — |
| -sess | Marks the key as a session key. | No | — |
| -u | User IDs of HSM users authorized to use the key pair, separated by commas. | No | 0–8 user IDs |
| -m_value | Defines the maximum number of users that can use the private key within the generated RSA key pair. | No | 0–8 |
| -attest | Verifies the integrity of the HSM firmware response after key generation. | No | — |
| -min_srv | Minimum number of servers on which the key must be synchronized before the -timeout period expires. If synchronization does not reach this threshold in time, the key is not created. | No | Any integer |
| -timeout | Time limit, in seconds, for the key to synchronize across the number of servers specified by -min_srv. Only applies when -min_srv is set. By default, the command waits indefinitely until synchronization completes. | No | Any positive integer |
Example
The following command generates a 2048-bit RSA key pair labeled rsa with public exponent 65541.
Command: genRSAKeyPair -m 2048 -e 65541 -l rsa
Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS
Cfm3GenerateKeyPair: public key handle: 14 private key handle: 15
Cluster Status:
Node id 0 status: 0x00000000 : HSM Return: SUCCESS

The output confirms that the key pair was created successfully. The HSM assigned handle 14 to the public key and handle 15 to the private key. Use these handles to reference the keys in subsequent commands.
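The following bash script is an added example, not part of the documentation and not AWS code. It wraps the two things a practitioner usually automates around genRSAKeyPair: checking the required parameters against the valid values in the table above (2048-bit modulus, odd exponent of at least 65537, non-empty label) before building the command string in the documented parameter order, and parsing the tool's response so a script only proceeds when the HSM returned SUCCESS and both handles were found. The function names build_genrsa_cmd and parse_genrsa_output are this example's own, and the sample output is constructed by copying the response shown in the example above; the script does not talk to an HSM itself.

```shell
#!/usr/bin/env bash
# Added example (not from the CloudHSM documentation): validate the
# genRSAKeyPair parameters, build the command in the documented order,
# and parse the tool's response for the public and private key handles.

# build_genrsa_cmd <modulus> <exponent> <label> [extra flags]
# Prints the command line on stdout; returns 1 on an invalid parameter.
build_genrsa_cmd() {
  local modulus="$1" exponent="$2" label="$3" extra="${4:-}"
  # Documented valid modulus length is 2048 bits.
  [ "$modulus" = "2048" ] || { echo "modulus must be 2048" >&2; return 1; }
  # Exponent must be an integer, odd, and >= 65537.
  case "$exponent" in
    ''|*[!0-9]*) echo "exponent must be an integer" >&2; return 1 ;;
  esac
  [ "$exponent" -ge 65537 ] || { echo "exponent must be >= 65537" >&2; return 1; }
  [ $((exponent % 2)) -eq 1 ] || { echo "exponent must be odd" >&2; return 1; }
  [ -n "$label" ] || { echo "label is required" >&2; return 1; }
  # Required parameters come first, in the order shown in the syntax;
  # optional flags (e.g. "-nex -sess") are appended after them.
  printf 'genRSAKeyPair -m %s -e %s -l %s' "$modulus" "$exponent" "$label"
  if [ -n "$extra" ]; then
    printf ' %s' "$extra"
  fi
  printf '\n'
}

# parse_genrsa_output
# Reads the tool's response on stdin and prints "<public> <private>" handles.
# Returns 1 if the HSM did not report SUCCESS or a handle is missing.
parse_genrsa_output() {
  local output pub priv
  output="$(cat)"
  # Only the Cfm3GenerateKeyPair status line decides success.
  printf '%s\n' "$output" \
    | grep -q '^Cfm3GenerateKeyPair returned: .*HSM Return: SUCCESS' \
    || { echo "key generation did not return SUCCESS" >&2; return 1; }
  pub="$(printf '%s\n' "$output" \
    | sed -n 's/^Cfm3GenerateKeyPair: public key handle: \([0-9]*\) .*/\1/p')"
  priv="$(printf '%s\n' "$output" \
    | sed -n 's/.*private key handle: \([0-9]*\).*/\1/p')"
  if [ -z "$pub" ] || [ -z "$priv" ]; then
    echo "key handles not found in output" >&2
    return 1
  fi
  printf '%s %s\n' "$pub" "$priv"
}

# Constructed sample: the response shown in the documented example above.
SAMPLE_OUTPUT='Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS
Cfm3GenerateKeyPair: public key handle: 14 private key handle: 15
Cluster Status:
Node id 0 status: 0x00000000 : HSM Return: SUCCESS'

# Usage: build the command, then parse the (sample) response.
build_genrsa_cmd 2048 65541 rsa
printf '%s\n' "$SAMPLE_OUTPUT" | parse_genrsa_output
```

Feed parse_genrsa_output the real tool output instead of SAMPLE_OUTPUT when scripting against an HSM; the returned handles are the values to pass to later key_mgmt_tool commands.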