cmu requestcertificate
This function creates a PKCS #10 certificate request for an RSA/DSA/ECDSA key pair on the token or HSM. It must be given the handle/OUID of either the public key or the corresponding private key (all of the public key components are contained within the private key). The private key must have signing capability because it is used to sign the certificate request structure. The signature is made with any of the mechanisms listed below. The subject name is defined by a series of optional RDN components.
If none of these components are provided on the command line, the CKA_SUBJECT of the private key is used as the subject of the certificate request. If the private key does not have its CKA_SUBJECT attribute set, the user will be queried for each of the RDN components. The Subject DN should contain at least the country, organization and common name components.
The signed certificate request is output to the specified file.
Syntax
cmu requestCertificate {-publichandle=<pubkeyhandle#> | -publicouid=<pubkeyOUID#>} {-privatehandle=<privkeyhandle#> | -privateouid=<privkeyOUID#>} -outputFile=<filename> [-sha1WithRsa] [-sha224withrsa] [-sha256withrsa] [-sha384withrsa] [-sha512withrsa] [-sha1withdsa] [-sha1withecdsa] [-sha224withecdsa] [-sha256withecdsa] [-sha384withecdsa] [-sha512withecdsa] [-C=<country>] [-S=<state>] [-L=<locality>] [-O=<organization>] [-OU=<org_unit>] [-CN=<common_name>] [-e=<e-mail_address>] [-binary]
| Argument(s) | Description |
|---|---|
| -authdata | |
| -binary | Defines the certificate request format to be raw binary (DER encoding) instead of the default PEM (base64) encoding. |
| -C=<country> | Defines the two-letter country name for the subject distinguished name (DN) of the certificate request. This parameter should be present in the subject DN. |
| -CN=<common_name> | Defines the common name for the subject distinguished name (DN) of the certificate request. This parameter should be present in the subject DN. |
| -E=<e-mail_address> | Official or contact e-mail address of certificate authority. |
| -L=<locality> | Defines the locality (typically the city) for the subject distinguished name of the certificate request. This parameter may be present in the Subject DN. |
| -md5withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-md5withRSAEncryption. The default is to use sha1WithRsa. |
| -multiorg | For Organization Name and Organization Unit name, the user may make multiple entries if the -multiorg option was provided. |
| -O=<organization> | Defines the organization name for the subject distinguished name (DN) of the certificate request. This parameter should be present in the subject DN. |
| -OU=<org_unit> | Defines the organization unit name for the subject distinguished name (DN) of the certificate request. This parameter may be present in the subject DN. |
| -outputFile=<filename> | Defines the file that receives the certificate request. |
| -privatehandle=<privkeyhandle#> | Defines the handle to the private key from an RSA key pair to be certified. If this parameter is omitted and there is only one private signing key on the partition, that key is automatically selected. If this parameter is omitted and there are multiple private signing keys on the partition, the user is asked to select the private signing key. This method of selection applies to Luna HSMs only. On a Luna Cloud HSM service slot, use -privateouid. |
| -privateouid=<privkeyOUID#> | Defines the Object Unified Identifier (OUID) of the private key from an RSA key pair to be certified. If this parameter is omitted and there is only one private signing key on the partition, that key is automatically selected. If this parameter is omitted and there are multiple private signing keys on the partition, the user is asked to select the private signing key. This method of selection |
| -publichandle=<pubkeyhandle#> | Defines the handle to the public key from an RSA key pair to be certified. If this parameter is omitted and there is only one public signing key on the HSM, that key is automatically selected. If this parameter is omitted and there are multiple public signing keys on the HSM, the user is asked to select the public signing key. This method of selection applies to Luna HSMs only. On a Luna Cloud HSM service slot, use -publicouid. |
| -publicouid=<pubkeyOUID#> | Defines the Object Unified Identifier (OUID) of the public key from an RSA key pair to be certified. If this parameter is omitted and there is only one public signing key on the partition, that key is automatically selected. If this parameter is omitted and there are multiple public signing keys on the partition, the user is asked to select the public signing key. This method of selection |
| -S=<state> | Defines the state or province name for the subject distinguished name of the certificate request. This parameter may be present in the Subject DN. |
| -sha1withdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha1withDSAEncryption. The default is to use sha1WithRsa. |
| -sha1withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha1withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha1WithRsa | Defines the signature algorithm for the certificate request to be pkcs-1-SHA1withRSAEncryption. The default is to use sha1WithRsa. |
| -sha224withdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha224withDSAEncryption. The default is to use sha1withDSA. |
| -sha224withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha224withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha224withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha224withRSAEncryption. The default is to use sha1WithRsa. |
| -sha256withdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha256withDSAEncryption. The default is to use sha1withDSA. |
| -sha256withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha256withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha256withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha256withRSAEncryption. The default is to use sha1WithRsa. |
| -sha384withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha384withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha384withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha384withRSAEncryption. The default is to use sha1WithRsa. |
| -sha512withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha512withECDSAEncryption. The default is to use sha1WithRsa. |
| -sha512withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha512withRSAEncryption. The default is to use sha1WithRsa. |
| -sha3_224withdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_224withDSAEncryption. The default is to use sha1withDSA. |
| -sha3_224withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_224withECDSAEncryption. The default is to use sha256withECDSA. |
| -sha3_224withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_224withRSAEncryption. The default is to use sha256withRSA. |
| -sha3_256withdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_256withDSAEncryption. The default is to use sha1withDSA. |
| -sha3_256withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_256withECDSAEncryption. The default is to use sha256withECDSA. |
| -sha3_256withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_256withRSAEncryption. The default is to use sha256withRSA. |
| -sha3_384withdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_384withDSAEncryption. The default is to use sha1withDSA. |
| -sha3_384withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_384withECDSAEncryption. The default is to use sha256withECDSA. |
| -sha3_384withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_384withRSAEncryption. The default is to use sha256withRSA. |
| -sha3_512withdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_512withDSAEncryption. The default is to use sha1withDSA. |
| -sha3_512withecdsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_512withECDSAEncryption. The default is to use sha256withECDSA. |
| -sha3_512withrsa | Defines the signature algorithm for the certificate request to be pkcs-1-sha3_512withRSAEncryption. The default is to use sha256withRSA. |
| -Ed25519 | Default for curve Ed25519 based EDDSA certs. |
TIP When requesting a certificate (cmu requestcertificate) using the wrong attribute to specify the private key, an incorrect error message is thrown ("Signing key not found"). Instead, use -privatehandle to specify a key on a Luna partition, and -privateouid on a Luna Cloud HSM service.
Common CMU Options
Some options are commonly available to all cmu commands. They are described below.
| Argument(s) | Description |
|---|---|
| -cu | Specifies that you wish to perform the command as the partition's Crypto User. If the CU is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. |
| -lco | Specifies that you wish to perform the command as the partition's Limited Crypto Officer. If the LCO is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. |
| -password=<password> -pin=<password> | The password for the role accessing the current slot, with the current command. If this is not specified, it is prompted. |
| -ped=<PED_ID> | Specifies the PED ID for the registered Remote PED that will handle authentication for the current slot, with the current command. You must specify this parameter to use Remote PED authentication. |
| -slot=<slot#> | The slot to be acted upon, by the current command. If this is not specified, it is prompted. |
| -so | Specifies that you wish to perform the command as Partition Security Officer for that slot. If a role is not specified, the Crypto Officer role is used by default. |
Examples
The following example supports Luna HSM Client 10.1.0 and older:
cmu requestCert -privatehandle=7 -publichandle=6 -C=CA -L=Ottawa -O=Thales -CN=TestCertificate -outputFile=testCert.req
The following example supports Luna HSM Client 10.2.0 and newer with Luna Cloud HSM service slots:
cmu requestCert -privateouid=650200000d0000b8397e0800 -publicouid=640200000d0000b8397e0800 -C=CA -L=Ottawa -O=Thales -CN=TestCertificate -outputFile=testCert.req
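Before a request file such as testCert.req is handed to a CA, it is worth confirming three things the reference above leaves to the operator: that the self-signature made by the HSM-held private key actually verifies, that the subject DN carries at least the country, organization and common name components the text recommends, and that the request was not signed with MD5 or SHA-1 (both remain selectable here, and sha1WithRsa is the documented default for most RSA options). The script below is an added example, not part of the Thales cmu documentation; it uses the OpenSSL command-line tool (assumed to be installed) and accepts both the default PEM output and the raw DER output produced with -binary. The sample requests it builds for its own demonstration come from a constructed software key, standing in for the request cmu would write.

```shell
#!/bin/sh
# Added example (not part of the cmu documentation): sanity-check a PKCS #10
# request before submitting it to a CA.  Assumes the openssl CLI is present.

# check_csr FILE  ->  exit status 0 when all checks pass, 1 otherwise.
# Handles PEM (the cmu default) and raw DER (written with -binary).
check_csr() {
    f=$1
    fmt=PEM
    grep -q -- '-----BEGIN' "$f" 2>/dev/null || fmt=DER

    # 1. The request's self-signature must verify against the embedded public key.
    if ! openssl req -inform "$fmt" -in "$f" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: self-signature does not verify ($f)"
        return 1
    fi

    # 2. The subject DN should contain at least C, O and CN.  RFC2253 formatting
    #    gives a stable "subject=CN=...,O=...,C=..." line across OpenSSL versions.
    subject=$(openssl req -inform "$fmt" -in "$f" -noout -subject -nameopt RFC2253)
    for attr in C O CN; do
        if ! printf '%s\n' "$subject" | grep -Eq "(subject=|,)$attr="; then
            echo "FAIL: subject DN lacks $attr= ($subject)"
            return 1
        fi
    done

    # 3. Refuse MD5- and SHA-1-signed requests (e.g. -md5withrsa, -sha1with*).
    sigalg=$(openssl req -inform "$fmt" -in "$f" -noout -text \
             | grep 'Signature Algorithm' | head -n1 | awk '{print $NF}' | tr 'A-Z' 'a-z')
    case $sigalg in
        *md5*|*sha1*)
            echo "FAIL: weak signature hash ($sigalg)"
            return 1 ;;
    esac

    echo "OK: $f  subject=${subject#subject=}  sigalg=$sigalg"
    return 0
}

# make_sample_csr DIR SUBJECT OUT  ->  constructed request from a throwaway
# P-256 software key, used only so the check can be exercised offline.
make_sample_csr() {
    dir=$1; subj=$2; out=$3
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" -sha256 -subj "$subj" -out "$out" 2>/dev/null
}

# Demonstration: one request with the recommended DN, one with CN only.
demo_dir=$(mktemp -d)
make_sample_csr "$demo_dir" "/C=CA/L=Ottawa/O=Thales/CN=TestCertificate" "$demo_dir/testCert.req"
check_csr "$demo_dir/testCert.req" || true
make_sample_csr "$demo_dir" "/CN=TestCertificate" "$demo_dir/noOrg.req"
check_csr "$demo_dir/noOrg.req" || true
rm -rf "$demo_dir"
```

To check a request produced by cmu, call `check_csr testCert.req` (or the DER file written with -binary); the signature-hash check is the one most worth keeping in a submission pipeline, since the default algorithm chosen when no -sha*with* option is given is the weakest one the table lists.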