Key Management Service:genRSAKeyPair

Last Updated: Nov 11, 2024

This topic explains the process of generating an RSA key pair using the genRSAKeyPair command on HSM, detailing the necessary key type, modulus length, and public exponent specifications.

Feature description

The genRSAKeyPair command allows for the creation of RSA asymmetric keys on HSM, which involves specifying the key type, modulus length, and public exponent.

Important

Ensure you have started the key_mgmt_tool and logged on to the HSM with a CU identity before executing this command.

Syntax

Enter parameters as per the syntax provided below. For detailed descriptions of each parameter, refer to Parameters.

genRSAKeyPair -m <modulus length>
              -e <public exponent>
              -l <label>
              [-id <key ID>]
              [-min_srv <minimum number of servers>]
              [-m_value <0..8>]
              [-nex]
              [-sess]
              [-timeout <number of seconds>]
              [-u <user-ids>]
              [-attest]

Important

It is crucial to input parameters in the exact sequence outlined in the syntax.

Example

Below is an example of generating a 2048-bit RSA key pair labeled 'rsa'. The output reports public key handle 14 and private key handle 15.

Command:

    genRSAKeyPair -m 2048 -e 65541 -l rsa

Output:

    Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS

    Cfm3GenerateKeyPair:    public key handle: 14    private key handle: 15

    Cluster Status:
    Node id 0 status: 0x00000000 : HSM Return: SUCCESS

Parameters

Each entry gives the parameter name, its description, whether it is required, and its valid values.

-m
  Description: Determines the key size in bits.
  Required: Yes
  Valid values: 2048

-e
  Description: Sets the public exponent value.
  Required: Yes
  Valid values: An odd number ≥ 65537

-l
  Description: Assigns a label to the key.
  Required: Yes
  Valid values: No specific requirements

-id
  Description: Specifies the identifier for the generated key.
  Required: No
  Valid values: No specific requirements

-sess
  Description: Marks the key as a session key.
  Required: No
  Valid values: No specific requirements

-nex
  Description: Prevents the key from being exported.
  Required: No
  Valid values: No specific requirements

-u
  Description: Lists the user IDs authorized to use the key; separate multiple IDs with commas.
  Required: No
  Valid values: 0 to 8

-m_value
  Description: Defines the maximum number of users that can use the private key of the generated RSA key pair.
  Required: No
  Valid values: No specific requirements

-attest
  Description: Verifies the integrity of the firmware response.
  Required: No
  Valid values: No specific requirements

-min_srv
  Description:
    • Indicates the minimum number of servers to which the key must be synchronized within the specified timeout period.
    • If the key is not synchronized to the required number of servers within the timeout, the key is not created.
  Required: No
  Valid values: No specific requirements

-timeout
  Description:
    • Specifies the number of seconds allowed for the key to synchronize to the number of servers set by the min_srv parameter.
    • Applies only when used together with the min_srv parameter.
    • By default there is no timeout: the command waits indefinitely until the key is synchronized to the minimum required number of servers.
  Required: No
  Valid values: No specific requirements
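When scripting this command, it helps to build the command line in the order the syntax requires, refuse a modulus or public exponent outside the values listed under Parameters, and check the output shown under Example before trusting the key handles. The shell script below is an added example, not code from this page or from key_mgmt_tool; its function names and sample output are constructed assumptions that follow the output shape the page shows.

```shell
#!/bin/sh
# Added example (not part of the Alibaba Cloud page or key_mgmt_tool itself).
# Assumes key_mgmt_tool output has the shape shown on the page; function names are hypothetical.

# Constructed sample output, copied in shape from the page's example.
SAMPLE_OUTPUT='Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS

Cfm3GenerateKeyPair:    public key handle: 14    private key handle: 15

Cluster Status:
Node id 0 status: 0x00000000 : HSM Return: SUCCESS'

# Builds the genRSAKeyPair command line in the order the syntax requires
# (-m, -e, -l, then optional flags). Rejects a modulus other than 2048, a
# public exponent that is even or below 65537, and an empty label.
# Usage: build_genrsa_cmd <modulus> <exponent> <label> [-nex]
build_genrsa_cmd() {
    m=$1; e=$2; label=$3; nex=$4
    [ "$m" = 2048 ] || return 1
    case "$e" in ''|*[!0-9]*) return 1 ;; esac
    [ "$e" -ge 65537 ] && [ $((e % 2)) -eq 1 ] || return 1
    [ -n "$label" ] || return 1
    printf 'genRSAKeyPair -m %s -e %s -l %s' "$m" "$e" "$label"
    [ "$nex" = -nex ] && printf ' -nex'
    printf '\n'
}

# Returns 0 only if the firmware call succeeded and every cluster node reports
# SUCCESS; a node that did not sync means the key cannot be relied on yet.
genrsa_succeeded() {
    printf '%s\n' "$1" | grep -q '^Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS' || return 1
    printf '%s\n' "$1" | grep '^Node id' | grep -qv 'HSM Return: SUCCESS' && return 1
    return 0
}

# Extracts the public and private key handles from the output.
public_handle()  { printf '%s\n' "$1" | sed -n 's/.*public key handle: *\([0-9]*\).*/\1/p'; }
private_handle() { printf '%s\n' "$1" | sed -n 's/.*private key handle: *\([0-9]*\).*/\1/p'; }

# Stand-alone demonstration against the constructed sample.
build_genrsa_cmd 2048 65541 rsa
if genrsa_succeeded "$SAMPLE_OUTPUT"; then
    echo "public key handle: $(public_handle "$SAMPLE_OUTPUT"), private key handle: $(private_handle "$SAMPLE_OUTPUT")"
fi
```

Feed the real tool's output into genrsa_succeeded instead of SAMPLE_OUTPUT to gate any follow-up step on a fully synchronized key.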