cmu certify

This function creates an X.509 V3 certificate from a PKCS #10 certificate request. The parent certificate and corresponding private key must already exist on the token or HSM. The private key is located on the token using the public key information inside the parent certificate.

NOTE   This command requires DER encoding for certificate requests generated outside of cmu. Both DER and PEM encoding are acceptable for certificate requests generated through cmu requestcertificate.

Syntax

cmu certify {-handle=<handle#> | -ouid=<OUID#>} -inputfile=<filename> -startDate=<YYYYMMDD> -endDate=<YYYYMMDD> [-label=<label>] [-id=<CKA_ID>] [-certificatepolicy=<policy>] [-private=<T/F>] [-keyids=<value>] [-keyidalg=<algorithm>] [-binary] [-keyusage=<extension(s)>] [-md5WithRsa] [-sha1WithRsa] [-sha224withrsa] [-sha256withrsa] [-sha384withrsa] [-sha512withrsa] [-sha1withdsa] [-sha1withecdsa] [-sha224withecdsa] [-sha256withecdsa] [-sha384withecdsa] [-sha512withecdsa] [-basicconstraints=<constraints>] [-certdelete] [-outputfile=<filename>] [-parentlabel=<label>]

Argument(s) Description

-basicconstraints=<constraints>

Defines constraints applied to the certificate. Can include one or more in a comma-delimited list.

Valid values:

critical,optional,ca:true,ca:false,pathlen:[value < 127]

-binary

Defines the created certificate format to be raw binary (DER encoding) instead of the default PEM (base64) encoding.

-certdelete

Use this option when you also specify -outputfile, so that the certificate goes directly to the file system and is not stored on the HSM; otherwise, a certificate is created and stored internally.

-certificatepolicy=<policy>

Defines the certificate policy to be used.

-endDate=<YYYYMMDD>

Defines the validity end of the certificate, in the format YYYYMMDD.

-extendedkeyusage=<usage>

Defines the permitted additional usage of the key. Can include one or more in a comma-delimited list.

Valid values:

critical,optional,clientauth,serverauth,codesigning,emailprotection,timestamping,ocspsigning
-handle=<handle#>

Defines the handle of the parent certificate. If this parameter is omitted and there is only one certificate on the partition, that certificate is automatically selected. If this parameter is omitted and there are multiple certificates on the partition, the user is prompted to select the certificate. This method of selection applies to Luna HSMs only. On a Luna Cloud HSM service slot, use -ouid instead.

-id=<CKA_ID>

Defines the CKA_ID attribute for the certificate object that gets created on the HSM. If omitted, the CKA_ID attribute of the private key is used instead.
-inputfile=<filename>

Defines the name of the file that contains the PKCS #10 certificate request.

-keyidalg=<algorithm>

Specifies the hashing algorithm used to create the subject key identifier (SKI) and authority key identifier (AKI) of the newly created certificate. This option is used with -keyids.

Valid values:

>sha1

>sha224

>sha256

>sha384

>sha512

NOTE   This parameter is only available if you are using a Luna PCIe HSM 7 with Luna HSM Client 10.3.0 and newer.

-keyids=<value>

Indicates whether the newly created certificate will have an SKI and AKI.

NOTE   The usage of this parameter varies by Luna HSM Client. Note the following:

>If you are using Luna HSM Client 10.3.0 and newer, the SKI is created using a hashing algorithm while the AKI is either taken from the parent certificate (if the parent certificate already has an AKI) or created using a hashing algorithm. You can specify the algorithm with -keyidalg. If no algorithm is specified with -keyidalg, SHA-1 is used.

>If you are using Luna HSM Client 10.2.0 and older, the SKI is calculated using SHA-1 while the AKI is either taken from the parent certificate (if the parent certificate already has an AKI) or created using SHA-1.

Valid values: 1,0 (True or False)

-keyusage=<extension(s)>

Defines the key usage extension for the certificate. This parameter may appear more than once in the parameter set, to define multiple usages, or it can be used once with a comma-separated list of usage types.

Valid values:

critical,digitalsignature,nonrepudiation,keyencipherment,dataencipherment,keyagreement,keycertsign,crlsign,encipheronly,decipheronly

-label=<label>

Defines the label attribute for the certificate object that gets created on the HSM. If omitted, the common name of the subject DN is used instead.

-md5WithRsa

Defines the signature algorithm for the certificate to be pkcs-1-MD5withRSAEncryption. The default is to use sha1WithRsa.

-ouid=<OUID#>

Defines the Object Unified Identifier (OUID) of the parent certificate. If this parameter is omitted and there is only one certificate on the partition, that certificate is automatically selected. If this parameter is omitted and there are multiple certificates on the partition, the user is prompted to select the certificate. This method of selection requires Luna HSM Client 10.2.0 or newer, and applies to Luna Cloud HSM only. On a Luna HSM slot, use -handle instead.
-outputfile=<filename>

Defines the filename for the certificate to be created.

-parentlabel=<label>

Specifies the label attribute for the certificate or key object that is to be used as the parent for the new certificate.

-private=<T/F>

Defines whether a certificate is created in the private space (default is F). Set -private=T to require authentication before applications can use the certificate.

-serialNumber=<hex_SN>

Defines the serial number of the certificate, in big-endian hexadecimal form.

-sha1withdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA1withDSAEncryption. The default is to use sha1WithRsa.

-sha1withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA1withECDSAEncryption. The default is to use sha1WithRsa.

-sha1WithRsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA1withRSAEncryption. The default is to use sha1WithRsa.

-sha224withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA224withECDSAEncryption. The default is to use sha1WithRsa.

-sha224withrsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA224withRSAEncryption. The default is to use sha1WithRsa.

-sha256withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA256withECDSAEncryption. The default is to use sha1WithRsa.

-sha256withrsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA256withRSAEncryption. The default is to use sha1WithRsa.

-sha384withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA384withECDSAEncryption. The default is to use sha1WithRsa.

-sha384withrsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA384withRSAEncryption. The default is to use sha1WithRsa.

-sha512withecdsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA512withECDSAEncryption. The default is to use sha1WithRsa.

-sha512withrsa

Defines the signature algorithm for the certificate to be pkcs-1-SHA512withRSAEncryption. The default is to use sha1WithRsa.

-startDate=<YYYYMMDD>

Defines the validity start of the certificate, in the format YYYYMMDD.
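The -keyids and -keyidalg options above describe the SKI and AKI only as "created using a hashing algorithm". The block below is an added example, not code from the cmu documentation or the Luna client: it derives a key identifier from a DER SubjectPublicKeyInfo with each hash name -keyidalg accepts (SHA-1 by default, as cmu does) and checks that a child certificate's AKI matches the parent's SKI. It assumes the RFC 5280 section 4.2.1.2 method 1 construction (hash over the subjectPublicKey BIT STRING contents), which the page does not confirm for cmu, and uses a constructed dummy SPKI rather than a real key.

```python
# Added example, not part of the cmu documentation or the Luna HSM client.
# Assumes the RFC 5280 4.2.1.2 method 1 key identifier (hash over the
# subjectPublicKey BIT STRING contents); the page does not state which bytes cmu hashes.
import hashlib

# Hash names accepted by -keyidalg, mapped to hashlib constructors.
KEYID_ALGS = {"sha1": hashlib.sha1, "sha224": hashlib.sha224,
              "sha256": hashlib.sha256, "sha384": hashlib.sha384,
              "sha512": hashlib.sha512}

def _der_tlv(data, pos):
    """Return (tag, value_start, value_end) for the DER TLV at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_public_key_bits(spki_der):
    """Raw subjectPublicKey bytes from a DER SubjectPublicKeyInfo."""
    tag, start, end = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, _, alg_end = _der_tlv(spki_der, start)      # AlgorithmIdentifier
    if alg_tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    bits_tag, bits_start, bits_end = _der_tlv(spki_der, alg_end)
    if bits_tag != 0x03 or bits_end != end:
        raise ValueError("expected subjectPublicKey BIT STRING")
    return spki_der[bits_start + 1:bits_end]     # skip the unused-bits octet

def key_identifier(spki_der, alg="sha1"):
    """SKI (or AKI) for a key; alg names follow -keyidalg, default SHA-1 as cmu does."""
    if alg.lower() not in KEYID_ALGS:
        raise ValueError(f"unsupported -keyidalg value: {alg}")
    return KEYID_ALGS[alg.lower()](subject_public_key_bits(spki_der)).digest()

def aki_chains_to_parent(child_aki, parent_spki_der, alg="sha1"):
    """True when a child's authorityKeyIdentifier equals the parent's computed SKI."""
    return child_aki == key_identifier(parent_spki_der, alg)

# Constructed sample: a well-formed SPKI (rsaEncryption OID + NULL) around 32
# placeholder key bytes. Not a real key; it only exercises the parser.
def _der(tag, body):
    return bytes([tag, len(body)]) + body          # short-form lengths only (< 128)

SAMPLE_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
SAMPLE_KEY = bytes(range(1, 33))
SAMPLE_SPKI = _der(0x30, SAMPLE_ALG + _der(0x03, b"\x00" + SAMPLE_KEY))
```

For a real check, feed `key_identifier` the parent's SubjectPublicKeyInfo and compare it with the AKI read from the certificate that cmu certify produced.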

Common CMU Options

Some options are commonly available to all cmu commands. They are described below.

Argument(s) Description

-cu

Specifies that you wish to perform the command as the partition's Crypto User. If the CU is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. Requires minimum Luna HSM Client 10.4.0.

-lco

Specifies that you wish to perform the command as the partition's Limited Crypto Officer. If the LCO is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. Requires minimum Luna HSM Firmware 7.7.0 and minimum Luna HSM Client 10.3.0.

-password=<password>
-pin=<password>

The password for the role accessing the current slot, with the current command. If this is not specified, it is prompted.

-ped=<PED_ID>

Specifies the PED ID for the registered Remote PED that will handle authentication for the current slot, with the current command. You must specify this parameter to use Remote PED authentication.

-slot=<slot#>

The slot to be acted upon, by the current command. If this is not specified, it is prompted.

-so

Specifies that you wish to perform the command as Partition Security Officer for that slot. If a role is not specified, the Crypto Officer role is used by default. If you are logging in to the admin partition, the HSM SO role is the default, so this option does nothing.

Example

The following command generates a certificate request with cmu:

cmu requestCert -privatehandle=7 -publichandle=6 -C=CA -L=Ottawa -O=Thales -CN=TestCertificate -outputFile=testCert.req

Alternatively, the following command generates a DER-encoded certificate request with OpenSSL:

openssl req -new -key privatekey.pem -out testCert.req -subj '/C=CA/ST=Ontario/L=Ottawa/O=Thales/CN=TestCertificate' -outform DER

The following command creates and signs a new certificate from the testCert.req certificate request, using certificate 8 as the parent:

cmu certify -input=testCert.req -h=8