Use the sign command to generate a signing certificate using a private key stored in your Hardware Security Module (HSM).

## Prerequisites

Before you begin, make sure that you have:

- Started key_mgmt_util and logged on to the HSM as a Crypto User (CU)
## Syntax

```
sign -f <file name>
     -k <private key handle>
     -m <signature mechanism>
     -out <signed file name>
```

Important: Enter parameters in the order shown above.
## Example: Sign a file

This command signs a file named messageFile using the private key with handle 8. It uses signing mechanism 1 (SHA-256 with RSA PKCS#1 padding) and writes the signature to signedFile.

```
Command: sign -f messageFile -k 8 -out signedFile -m 1

Signature creation successful
signature is written to file signedFile

Cfm3Sign: sign returned: 0x00 : HSM Return: SUCCESS
```

## Parameters
| Parameter | Description | Required |
|---|---|---|
| -f | The file to sign. | Yes |
| -k | The handle of the private key to use for signing. | Yes |
| -m | The signing mechanism, specified as an integer. See Signing mechanisms for valid values. | Yes |
| -out | The file name to save the signature to. | Yes |
## Signing mechanisms

| Integer | Mechanism |
|---|---|
| 0 | SHA-1 with RSA PKCS#1 padding |
| 1 | SHA-256 with RSA PKCS#1 padding |
| 2 | SHA-384 with RSA PKCS#1 padding |
| 3 | SHA-512 with RSA PKCS#1 padding |
| 4 | SHA-224 with RSA encryption (PKCS#1) |
| 5 | SHA-1 with RSA PKCS#1 PSS |
| 6 | SHA-256 with RSA PKCS#1 PSS |
| 7 | SHA-384 with RSA PKCS#1 PSS |
| 8 | SHA-512 with RSA PKCS#1 PSS |
| 9 | SHA-224 with RSA PKCS#1 PSS |
| 15 | ECDSA with SHA-1 |
| 16 | ECDSA with SHA-224 |
| 17 | ECDSA with SHA-256 |
| 18 | ECDSA with SHA-384 |
| 19 | ECDSA with SHA-512 |
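A signature produced inside the HSM is only useful if the consumer can verify it off-box, and that verification must use the same digest and padding that the mechanism integer selected. The script below is an added example, not part of this documentation or of key_mgmt_util: it maps each mechanism integer from the table above to the matching `openssl dgst` verification options and checks a signature file against the original message with the key's public half in PEM form (how you export that public key from your HSM is assumed, not shown). The round-trip function generates a throwaway RSA key with OpenSSL purely as a stand-in for the HSM-held key so the script runs stand-alone; the message content is constructed. For PSS mechanisms the verifier uses `rsa_pss_saltlen:auto`, because the page does not state the salt length the HSM applies, and `auto` lets OpenSSL recover it from the PSS block.

```shell
#!/bin/sh
# Added example (not AWS CloudHSM documentation or key_mgmt_util code).
# Verifies a signature made with `sign -m <int>` using OpenSSL and the
# exported public key, choosing options from the same mechanism integer.

# Map a key_mgmt_util signing-mechanism integer to openssl dgst options.
# ECDSA mechanisms need only the digest: the EC key type selects ECDSA.
# Prints the options on stdout; returns 1 for an unknown integer.
mechanism_to_openssl() {
    case "$1" in
        0)  echo "-sha1" ;;
        1)  echo "-sha256" ;;
        2)  echo "-sha384" ;;
        3)  echo "-sha512" ;;
        4)  echo "-sha224" ;;
        5)  echo "-sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto" ;;
        6)  echo "-sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto" ;;
        7)  echo "-sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto" ;;
        8)  echo "-sha512 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto" ;;
        9)  echo "-sha224 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto" ;;
        15) echo "-sha1" ;;
        16) echo "-sha224" ;;
        17) echo "-sha256" ;;
        18) echo "-sha384" ;;
        19) echo "-sha512" ;;
        *)  echo "unknown signing mechanism: $1" >&2; return 1 ;;
    esac
}

# verify_signature <mechanism> <pubkey.pem> <message file> <signature file>
# Exit status 0 only if the signature is valid for that mechanism.
verify_signature() {
    opts=$(mechanism_to_openssl "$1") || return 1
    # $opts is deliberately unquoted so each option is a separate argument
    openssl dgst $opts -verify "$2" -signature "$4" "$3" >/dev/null 2>&1
}

# Stand-alone round trip. The private key generated here is a stand-in for
# the HSM-held key (which never leaves the HSM; only its public half is
# exported). Returns 0 only if a genuine signature verifies and a tampered
# message, or a mismatched mechanism, is rejected.
demo_roundtrip() {
    work=$(mktemp -d) || return 1
    printf 'constructed sample message\n' > "$work/messageFile"
    printf 'constructed sample message!\n' > "$work/tampered"   # one byte changed
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/priv.pem" 2>/dev/null || return 1
    openssl pkey -in "$work/priv.pem" -pubout -out "$work/pub.pem" 2>/dev/null || return 1

    # Mechanism 1 (SHA-256, PKCS#1 v1.5), as in the page's own example.
    openssl dgst -sha256 -sign "$work/priv.pem" -out "$work/sig1" \
        "$work/messageFile" 2>/dev/null || return 1
    verify_signature 1 "$work/pub.pem" "$work/messageFile" "$work/sig1" || return 1
    verify_signature 1 "$work/pub.pem" "$work/tampered"    "$work/sig1" && return 1

    # Mechanism 6 (SHA-256, PSS). The signer fixes a salt length; the
    # verifier recovers it from the PSS block via rsa_pss_saltlen:auto.
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest \
        -sign "$work/priv.pem" -out "$work/sig6" "$work/messageFile" 2>/dev/null || return 1
    verify_signature 6 "$work/pub.pem" "$work/messageFile" "$work/sig6" || return 1
    verify_signature 6 "$work/pub.pem" "$work/tampered"    "$work/sig6" && return 1
    # Checking a PSS signature as if it were PKCS#1 v1.5 must fail too.
    verify_signature 1 "$work/pub.pem" "$work/messageFile" "$work/sig6" && return 1

    rm -rf "$work"
    return 0
}

# Usage against real HSM output, with the public key exported to pub.pem:
#   verify_signature 1 pub.pem messageFile signedFile && echo "signature OK"
if [ "${1:-}" = "--demo" ]; then
    demo_roundtrip && echo "round trip OK"
fi
```

Keep the mechanism integer alongside the signature wherever you store it: a PSS signature checked with PKCS#1 v1.5 options (or vice versa) fails verification exactly as a tampered file does, so a verifier that guesses the padding cannot tell a wrong mechanism from a forged signature.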
## What's next

To create a signing certificate using OpenSSL instead, see Create a self-signed certificate.