cssadmin creates a key in a Security World. This key is first wrapped by wrapping key, and only then exported for use outside of the Security World.

cssadmin requires at least three parameters to be specified:


The name of the provider.


The name of the Security World key (an existing key can be specified, however, it must have first been created by cssadmin).


The name of the cloud service provider’s wrapping key.

For AWS, Google Compute Engine and Salesforce, the following parameter must also be specified:


The wrapping algorithm.

For Microsoft Azure, the following parameter must also be specified:


The key identifier of the Microsoft Key Exchange Key.

If multiple HSMs exist in the Security World you can, optionally, specify a specific HSM to be used.

For AWS, Google Compute Engine and Salesforce, the generated key is a 256-bit AES key. For Microsoft Azure and Google Cloud Key Management (Google KMS), you can choose from a list of available key types using a command line argument.

Run cssadmin

To run cssadmin on Windows:

"%NFAST_HOME%\python\python.exe" –m cssadmin

To run cssadmin on Linux:

/opt/nfast/python/bin/python –m cssadmin

Usage and options

usage: cssadmin.py [-h] [--version] [-m MODULE] [-O CARDSET | -S SOFTCARD | -M] [-a AZUREKEK] [-k KEYTYPE] provider keyName wrapKey [wrapAlg]


Export a key from a Security World to be used outside, by a provider.

If the key does not exist, a new one is generated. By default, the key is module protected.

positional arguments:

provider    The provider for which to export the key.
            One of ['aws', 'google-compute-engine',
            'google-cloud-key-management', 'microsoft-azure', 'salesforce']
keyName     The name of the key to export/generate
wrapKey     The filename of the key to use for wrapping (DER
wrapAlg     The wrapping algorithm (required for aws, google-compute-engine or salesforce).
            One of ['RSAES_OAEP_SHA_256', 'RSAES_OAEP_SHA_1', 'RSAES_PKCS1_V1_5']
optional arguments:

-h, --help                  show this help message and exit
--version                   show program’s version number and exit
-m MODULE, --module         MODULE
                            Specify a module to use
-O CARDSET, --ocs           CARDSET
                            Select OCS protection
-S SOFTCARD, --softcard     SOFTCARD
                            Select softcard protection
 -M, --module-protection    Select module protection (default)
Microsoft Azure:

-a AZUREKEK, --azure-kek AZUREKEK   The full URL key identifier of the Microsoft Azure wrapping key.
                                    Typically a URI i.e. https://myvault.vault.azure.net/keys/mykey/version
Microsoft Azure and Google KMS:

-k KEYTYPE, --key-type KEYTYPE      The type of the target key.
                                    One of ['AES-256', 'EC-NISTP256', 'EC-NISTP384', 'EC-NISTP521', EC-SECP256K1', 'RSA-2048', 'RSA-3072', 'RSA-4096'] Will default to RSA-2048 if not supplied

The key type option represents the possible key types for both Microsoft Azure and Google KMS as there are common types. An error message will be printed if the type is not supported by the specified provider.

Microsoft Azure supports: 'RSA-2048', 'RSA-3072', 'RSA-4096', 'EC-NISTP256', EC-NISTP384', 'EC-NISTP521', 'EC-SECP256K1'

Google Cloud Key Management supports: 'RSA-2048', 'RSA-3072', 'RSA-4096', 'EC-NISTP256', 'EC-NISTP384', 'AES-256'