cmu

NOTE   This is a general-purpose tool intended for use across Luna HSM versions. It might reference mechanisms and features that are not available on all Luna products.

This section provides a detailed description of each function available in the Certificate Management Utility.

The command function is the first parameter on the command line that invokes the CMU application. It does not require a leading dash character. All options follow the command function and do employ leading dashes. Only a single command function can be specified with each invocation of the CMU application.

cmu <function> <-parameter_name[=parameter_value]>

Most functions take parameters, some of which may be mandatory, and some optional. Parameters may, in turn, take values. If a parameter takes a value, then the general syntax is to write the command cmu, followed by a space, followed by a function name, followed by a space, followed by a leading dash "-" and parameter name and an equal sign "=" and a value, with no spaces from the dash to the end of the parameter value. Multiple parameters are separated by spaces.

Authentication

Where an operation requires authentication, you must provide the appropriate password (for a password-authenticated HSM) or the appropriate PED key (via Luna PED, for a multifactor quorum-authenticated HSM).

Common CMU Options

Some options are commonly available to all cmu commands. They are described below and not on the individual command pages, for conciseness.

Argument(s) Description
-cu Specifies that you wish to perform the command as the partition's Crypto User. If the CU is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. Requires minimum Luna HSM Client 10.4.0.
-lco Specifies that you wish to perform the command as the partition's Limited Crypto Officer. If the LCO is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. Requires minimum Luna HSM Firmware 7.7.0 and minimum Luna HSM Client 10.3.0.

-password=<password>

-pin=<password>

The password for the role accessing the current slot, with the current command. If this is not specified, it is prompted.
-ped=<PED_ID> Specifies the PED ID for the registered Remote PED that will handle authentication for the current slot, with the current command. You must specify this parameter to use Remote PED authentication.
-slot=<slot#> The slot to be acted upon, by the current command. If this is not specified, it is prompted.
-so Specifies that you wish to perform the command as Partition Security Officer for that slot. If a role is not specified, the Crypto Officer role is used by default. If you are logging in to the admin partition, the HSM SO role is default and so this option does nothing.

This chapter provides a detailed description of each of the functions available in the Luna Certificate Management Utility. It contains the following topics:

>cmu certify

>cmu delete

>cmu export

>cmu generatekeypair

>cmu getattribute

>cmu getpkc

>cmu import

>cmu importkey

>cmu list

>cmu requestcertificate

>cmu selfsigncertificate

>cmu setattribute

>cmu verifyhsm

>cmu verifypkc