vtl createCSR

Create a Certificate Signing Request (CSR)—a private key and unsigned client certificate. The certificate must be signed by a third party before being used to authenticate the Luna HSM Client.

CAUTION!   If the key and certificate are re-created, existing NTLS connections are broken and the client must be removed and re-registered on each HSM server.

NOTE   The client hostname/IP (-n / -subj "/CN=<common_name>") is the only mandatory field for certificate creation. All other fields of the certificate are used simply for display and visual confirmation purposes. The NTLA never displays certificate data fields to the user, so the content in these fields is irrelevant.

This feature requires Luna HSM Client 10.1.0 or newer.

Syntax

vtl createCSR {-subj <string> | -n <IP/hostname> [-e <email_address>] [-u <organization_unit>] [-o <organization>] [-l <locality>] [-c <country_code>] [-s <state>] [-D <domain_component>]} [-curve <curve name>] [-keysize <key size>] [-keytype <key type>] [-P <private_key_filename>] [-C <cert_filename>] [-d <certificate_validity_period>] [-v]

Argument(s) Description
-c <country> The country where the client computer resides.
-C <filename>

The specified filename (*CSR.pem) for the unsigned certificate.

Default: <IP/hostname>CSR.pem

NOTE   Thales recommends using the default filename to avoid losing track of keys and certificates.

-curve <curve_name>

Elliptic curve name (ECC only): options are secp256k1, secp384r1, secp521r1, prime256v1 (default is secp384r1)

NOTE   This option requires Luna HSM Client 10.7.0 or newer.

-d <validity_period>

Specifies the validity period for the client certificate, in days.

Default: 3650 (10 years)

-D <domain_component>

Specifies a domain component (up to 10). The order in which components are supplied is preserved.

Example: for "example.com", specify -D example -D com.

NOTE   This option requires Luna HSM Client 10.7.2 or newer.

-e <email_address> An email address to contact the certificate creator.
-keysize <key_size>

RSA key size (RSA only): options are 2048, 3072, 4096 (default is 2048)

NOTE   This option requires Luna HSM Client 10.7.0 or newer.

-keytype <key_type>

Key type: options are rsa, ecc, or ed25519 (default is rsa)

NOTE   This option requires Luna HSM Client 10.7.0 or newer.

-l <locality> The locality where the client computer resides.
-n <IP/hostname>

The client hostname or IP address. This becomes the certificate Common Name (CN).

NOTE   Either -n or -subj with the CN field must be specified. If you use -subj, all optional fields must be included in the -subj string; if you use -n, optional fields must be specified using the -e, -u, -o, -l, -c, -s, and/or -D options.

-o <organization> The name of the organization that owns the client computer.
-P <filename>

The specified filename (*Key.pem) for the private key.

Default: <IP/hostname>Key.pem

NOTE   Thales recommends using the default filename to avoid losing track of keys and certificates.

-s <state> The state where the client computer resides.
-subj <string>

Subject string. This option allows you to supply the Common Name, location, and other information in a single string. The order in which the components are presented in the string is preserved. At minimum, the common name (CN; the client hostname or IP address) must be included. Provide the components in the following format (up to 10 domain components may be included):

-subj "/CN=<common_name>/E=<email_address>/OU=<department>/O=<organization>/L=<locality/city>/St=<state/province>/C=<country_code>/DC=<domain_component>/DC=<domain_component>/"

NOTE
> This option requires Luna HSM Client 10.9.1 or newer.
> Either -n or -subj with the CN field must be specified. If you use -subj, all optional fields must be included in the -subj string; if you use -n, optional fields must be specified using the -e, -u, -o, -l, -c, -s, and/or -D options.
> While this option allows you to control the order of the fields in the CSR, this order may not be preserved in the certificate once it is signed by the Certificate Authority.

-u <unit> The business unit or department that owns the client computer.
-v Verbose mode. Output extra information while creating the certificate and private key.
-x Deprecated option to encrypt the private key -- the private key is always encrypted by default.

Example

>vtl createCSR -n 192.168.10.12
vtl (64-bit) v10.1.0. Copyright (c) 2019 SafeNet. All rights reserved.

Private Key created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\192.168.10.12Key.pem
Certificate CSR created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\192.168.10.12CSR.pem
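As an added example, not part of the Luna HSM Client or of this page: a small Python helper that assembles a vtl createCSR command line in either the -n form or the -subj form while enforcing the constraints stated above (CN mandatory, at most 10 domain components, component order preserved, -keysize only with RSA and -curve only with ECC). The function name build_createcsr and the rejection of "/" inside -subj field values are assumptions.

```python
from typing import Dict, List, Optional

# Value sets as documented on this page (-keytype/-keysize/-curve need client 10.7.0 or newer).
CURVES = {"secp256k1", "secp384r1", "secp521r1", "prime256v1"}
KEYSIZES = {2048, 3072, 4096}
KEYTYPES = {"rsa", "ecc", "ed25519"}
# -n style option -> -subj component key, in the order the -subj format lists them.
SUBJECT_KEYS = [("-e", "E"), ("-u", "OU"), ("-o", "O"), ("-l", "L"), ("-s", "St"), ("-c", "C")]

def build_createcsr(cn: str, fields: Optional[Dict[str, str]] = None,
                    domain_components: Optional[List[str]] = None, keytype: Optional[str] = None,
                    keysize: Optional[int] = None, curve: Optional[str] = None,
                    days: Optional[int] = None, use_subj: bool = False) -> List[str]:
    """Return argv for vtl createCSR in -n form or, with use_subj, -subj form (client 10.9.1+).
    fields maps the -n style flags (-e, -u, -o, -l, -s, -c) to their values."""
    fields = fields or {}
    dcs = domain_components or []
    if not cn:
        raise ValueError("CN (-n, or CN= in -subj) is the one mandatory field")
    if len(dcs) > 10:
        raise ValueError("at most 10 domain components (-D / DC=) are allowed")
    ktype = keytype or "rsa"  # default key type per the page
    if ktype not in KEYTYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    if keysize is not None and (ktype != "rsa" or keysize not in KEYSIZES):
        raise ValueError("-keysize is RSA only and must be 2048, 3072 or 4096")
    if curve is not None and (ktype != "ecc" or curve not in CURVES):
        raise ValueError("-curve is ECC only and must be one of " + ", ".join(sorted(CURVES)))
    argv = ["vtl", "createCSR"]
    if use_subj:
        parts = [f"CN={cn}"] + [f"{key}={fields[flag]}" for flag, key in SUBJECT_KEYS if flag in fields]
        parts += [f"DC={dc}" for dc in dcs]
        # Assumption: '/' is the component separator and no escaping is documented, so reject it.
        if any("/" in p for p in parts):
            raise ValueError("'/' is not allowed inside a -subj field value")
        argv += ["-subj", "/" + "/".join(parts) + "/"]
    else:
        argv += ["-n", cn]
        for flag, _ in SUBJECT_KEYS:
            if flag in fields:
                argv += [flag, fields[flag]]
        for dc in dcs:  # order of -D components is preserved
            argv += ["-D", dc]
    for flag, val in (("-keytype", keytype), ("-keysize", keysize), ("-curve", curve), ("-d", days)):
        if val is not None:
            argv += [flag, str(val)]
    return argv
```

Pass the returned list to subprocess.run on the client host; the private key and CSR then land under the default names <IP/hostname>Key.pem and <IP/hostname>CSR.pem unless -P/-C are added.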