cmu importkey

This function unwraps an RSA, DSA, or ECDSA private key onto the selected token or HSM. The key file may be in any of the following formats:

>PKCS #12 (PFX) RSA in DER-encoded format (.pfx file)

>PKCS #8 (unencrypted PrivateKeyInfo) RSA or DSA in base64 PEM or binary DER format

>PKCS #1 RSA in base64 PEM or binary DER format

>ECDSA keys in PKCS #1, PKCS #8, or PKCS #12 format

NOTE   PKCS#12 encrypted keys can be imported into the HSM from Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0 and newer.

Syntax

cmu importkey -in=<filename> -keyalg=<algorithm> [-wrapkey=<handle/OUID>] [-setkeyattr] [-PKCS8] [-PKCS12]

Argument(s) Description

-in=<filename> Defines the full path to the file containing the PEM- or DER-encoded key to import.

-keyalg=<algorithm> Specifies the key's algorithm. Valid values: DSA, RSA, ECDSA, ED25519, ED448

NOTE   Importing ED25519 or ED448 keys requires Luna HSM Client 10.5.0 or newer. These keys can only be used for signing; you must set CKA_DECRYPT and CKA_UNWRAP to 0 using the -setkeyattr option.

-out=<filename> Not applicable -- anything specified here is ignored.

-PKCS8 Indicates that the key to import is formatted according to the PKCS#8 standard.

-PKCS12 Indicates that the key to import is formatted according to the PKCS#12 standard. Only the private key portion is unwrapped onto the token; any certificates in the file are ignored. It is assumed that you have properly exported the PKCS #12 key from the Windows keystore (or other source, as appropriate).

NOTE   cmu options are case-sensitive (for example, -PKCS8 and -PKCS12).

-setkeyattr Allows the user to manually enter the imported key's attributes. Modifiable key attributes are CKA_DECRYPT, CKA_SIGN, CKA_EXTRACTABLE, and CKA_UNWRAP. The default for each is 1 (true).

-wrapkey=<handle/OUID> The handle or OUID of an existing key to use as the wrapping key. This key must have the CKA_WRAP attribute set to true. If this flag is not specified, the default behavior is to auto-generate an AES key for the sole purpose of unwrapping the key onto the HSM.

NOTE   The OUID can be specified on a Luna Cloud HSM service slot only, and requires Luna HSM Client 10.2.0 or newer. On a Luna HSM slot, specify the key by its object handle.

Common CMU Options

Some options are commonly available to all cmu commands. They are described below.

Argument(s) Description

-cu Specifies that you wish to perform the command as the partition's Crypto User. If the CU is not authorized to perform the operation, the command fails. If no role is specified, the Crypto Officer role is used by default. Requires Luna HSM Client 10.4.0 or newer.

-lco Specifies that you wish to perform the command as the partition's Limited Crypto Officer. If the LCO is not authorized to perform the operation, the command fails. If no role is specified, the Crypto Officer role is used by default. Requires Luna HSM Firmware 7.7.0 or newer and Luna HSM Client 10.3.0 or newer.

-password=<password> or -pin=<password> The password for the role accessing the current slot with the current command. If this is not specified, you are prompted for it.

-ped=<PED_ID> Specifies the PED ID of the registered Remote PED that will handle authentication for the current slot with the current command. You must specify this parameter to use Remote PED authentication.

-slot=<slot#> The slot to be acted upon by the current command. If this is not specified, you are prompted for it.

-so Specifies that you wish to perform the command as the Partition Security Officer for that slot. If no role is specified, the Crypto Officer role is used by default. If you are logging in to the admin partition, the HSM SO role is the default, so this option has no effect.

Example

cmu importkey -in rawrsa1028.pem -keyalg RSA -wrapkey 11 -setkeyattr

cmu importkey -PKCS8 -in pk8privkey.pem -keyalg DSA

cmu importkey -in rsakey.pem -keyalg RSA -wrapkey 11

cmu importkey -in rsakey.pem -keyalg RSA

cmu importkey -PKCS12 -in p12.pfx -keyalg RSA

cmu importkey -PKCS12 -in ec.pfx -keyalg ECDSA

NOTE   Using Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0 and newer, PKCS#12 encrypted keys can be imported into the HSM when the HSM is not in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to ON).

NOTE

1. Ideally, the private key should be in PKCS#8 format (PrivateKeyInfo) and not encrypted.

To convert an RSA or DSA private key (see PKCS#1 for RSA and PKCS#11 section 11.9 for DSA) into a PKCS#8 structure, use the following openssl command:

openssl pkcs8 -in key.pem -nocrypt -topk8 -out noenckey.pem

You are prompted for the password to decrypt the PrivateKeyInfo.

2. If the PKCS#8 structure is already encrypted according to the PKCS#5 PBE standard, use the following command before importing via cmu:

openssl pkcs8 -in pk8.pem -out key.pem

You are prompted for the password to decrypt the PrivateKeyInfo.

3. You can export the PrivateKeyInfo contents of a .pfx file with the following openssl command:

openssl pkcs12 -in p12.pfx -out pk12_privkey.pem -nocerts -nodes

You are prompted for the password to decrypt the PrivateKeyInfo.
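As an added pre-flight example that is not part of the Luna documentation or of the cmu tool itself, the Python script below applies the format list at the top of this page and the three openssl notes above: it inspects a PEM or DER key file, decides from its outer ASN.1 shape whether it is PKCS#1, PKCS#8 (plain or encrypted) or PKCS#12, reads the algorithm OID out of a PKCS#8 PrivateKeyInfo, and reports either the cmu importkey flags that fit or the openssl conversion from the notes to run first. The OID table holds the standard PKCS#8 algorithm identifiers; the `<file>` placeholder, the function names (`classify_key_file`, `inspect_der`) and the sample inputs (DER shells with placeholder bytes, not real keys) are this example's own constructions.

```python
"""Pre-flight check for cmu importkey (added example, not Thales code). Tells PKCS#1, PKCS#8
(plain or encrypted) and PKCS#12 apart from the outer ASN.1 shape, reads the PKCS#8 algorithm
OID, and reports the cmu flags to use or the openssl step from this page's notes to run first."""
import base64
import re

# PKCS#8 AlgorithmIdentifier OIDs -> the matching cmu -keyalg value
OID_TO_KEYALG = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA",
                 "1.2.840.10045.2.1": "ECDSA", "1.3.101.112": "ED25519", "1.3.101.113": "ED448"}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def inspect_der(der):
    """Classify a DER blob by its outer ASN.1 shape; returns {"format", "keyalg"}."""
    unknown = {"format": "unknown", "keyalg": None}
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        return unknown
    t1, v1, pos = _tlv(body, 0)
    if t1 == 0x30:  # EncryptedPrivateKeyInfo opens with an AlgorithmIdentifier, not a version
        return {"format": "PKCS#8 encrypted", "keyalg": None}
    if t1 != 0x02:
        return unknown
    t2, v2, _ = _tlv(body, pos)
    if t2 == 0x02:  # traditional keys: version followed by a run of INTEGERs
        count, p = 0, pos
        while p < len(body) and _tlv(body, p)[0] == 0x02:
            count, p = count + 1, _tlv(body, p)[2]
        # RSAPrivateKey holds n,e,d,p,q,dP,dQ,qInv (8); OpenSSL's DSA form holds p,q,g,y,x (5)
        if count == 8:
            return {"format": "PKCS#1 RSAPrivateKey", "keyalg": "RSA"}
        return {"format": "traditional (non-PKCS#8) key", "keyalg": "DSA" if count == 5 else None}
    if t2 == 0x30 and int.from_bytes(v1, "big") == 3:  # PFX ::= SEQUENCE { version v3(3), ... }
        return {"format": "PKCS#12 PFX", "keyalg": None}
    if t2 == 0x30:  # PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }
        ot, oid, _ = _tlv(v2, 0)
        return {"format": "PKCS#8 PrivateKeyInfo",
                "keyalg": OID_TO_KEYALG.get(_decode_oid(oid) if ot == 0x06 else None)}
    return unknown

def classify_key_file(data):
    """Return format/keyalg plus either the cmu command line or the openssl step to run first."""
    m = PEM_RE.search(data)
    if m and b"Proc-Type: 4,ENCRYPTED" in m.group(2):  # legacy encrypted PEM: headers precede the base64
        info = {"format": "traditional PEM, password protected", "keyalg": None}
    else:
        info = inspect_der(base64.b64decode(b"".join(m.group(2).split())) if m else data)
    fmt, alg = info["format"], info["keyalg"]
    rec = {"format": fmt, "keyalg": alg, "cmu": None, "convert": None}
    if fmt == "PKCS#12 PFX":  # the key's algorithm sits inside the PFX; the operator supplies it
        rec["cmu"] = "cmu importkey -in=<file> -keyalg=<RSA|ECDSA> -PKCS12"
    elif fmt == "PKCS#8 PrivateKeyInfo" and alg:
        rec["cmu"] = "cmu importkey -in=<file> -keyalg=%s -PKCS8" % alg
        if alg in ("ED25519", "ED448"):  # signing-only on Luna: clear CKA_DECRYPT/CKA_UNWRAP when prompted
            rec["cmu"] += " -setkeyattr"
    elif fmt == "PKCS#1 RSAPrivateKey":
        rec["cmu"] = "cmu importkey -in=<file> -keyalg=RSA"
    elif fmt == "PKCS#8 encrypted":  # note 2 on this page
        rec["convert"] = "openssl pkcs8 -in <file> -out key.pem"
    else:  # note 1 on this page: convert to unencrypted PKCS#8 first
        rec["convert"] = "openssl pkcs8 -in <file> -nocrypt -topk8 -out noenckey.pem"
    return rec

def _der(tag, content):
    """Build one short-form DER element; only used to construct the samples below."""
    return bytes([tag, len(content)]) + content

# Constructed samples with placeholder bytes in the key fields; they are not real keys.
SAMPLE_PKCS8_ED25519_PEM = (b"-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(_der(0x30,
    _der(0x02, b"\x00") + _der(0x30, _der(0x06, b"\x2b\x65\x70")) + _der(0x04, b"\x00" * 4)))
    + b"-----END PRIVATE KEY-----\n")
SAMPLE_PKCS1_RSA_DER = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x01") * 8)
SAMPLE_PFX_DER = _der(0x30, _der(0x02, b"\x03")
                      + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")))
SAMPLE_LEGACY_ENCRYPTED_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                               b"DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(classify_key_file(SAMPLE_PKCS8_ED25519_PEM))
```

Run it against a real file with `classify_key_file(open(path, "rb").read())`. The check is deliberately shallow: it validates nothing about the key material, and for a .pfx it cannot see the algorithm without parsing the encrypted SafeBags, so -keyalg is left to the operator there; its value is that it catches the two cases this page's notes exist for (an encrypted PKCS#8 blob and a traditional key that should first be converted to PKCS#8) before cmu importkey is run.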