alias
|
The <VALUE> for alias specifies an alias to assign to the key. |
blobsavefile
|
When using the custom application type, the <VALUE> for blobsavefile specifies a file name of the form <FILENAME>.ext to which the key blob is saved.
Additionally, a text file containing information about the key is saved to a file whose name has the form <ROOT>_inf.txt; for asymmetric key types, the public key blob is also saved to a file whose name has the form <ROOT>_pub.ext. |
cardset
|
The <VALUE> for cardset specifies an OCS that is to protect the key (if protect is set to token).
In interactive mode, if you do not specify an OCS, you are prompted to select one at card-loading time.
The default is the OCS to which the card currently inserted in the slot belongs (or the first one returned by nfkminfo). |
certreq
|
Setting certreq enables you to generate a certificate request when generating a PKCS #11 key (RSA keys only).
The default behavior is to not generate a certificate request.
To generate a certificate request you must set the <VALUE> for certreq to yes, which makes generatekey prompt you to fill in the extra fields required to generate a key with a certificate request.
The resultant certificate request is saved to the current working directory with a file name of the form <FILENAME>_req.ext (where FILENAME is a name of your choice).
An extra file with a name of the form <FILENAME>.ext is also generated for use as a pseudo-key-header.
This file can be removed after the certificate request has been generated.
You can use certreq with the --retarget option to generate a self-signed certificate for an existing key.
|
checks
|
For RSA key generation only, this specifies the number of checks to be performed.
Normally, you should leave <VALUE> empty to let the HSM pick an appropriate default. |
curve
|
For ECDH and ECDSA key generation only, the <VALUE> for curve specifies which curves from the supported range to use.
Supported curves are: NISTP192, NISTP224, NISTP256, NISTP384, NISTP521, NISTB163, NISTB233, NISTB283, NISTB409, NISTB571, NISTK163, NISTK233, NISTK283, NISTK409, NISTK571, ANSIB163v1, ANSIB191v1, SECP160r1 and SECP256k1. |
embedconvfile
|
The <VALUE> for embedconvfile specifies the name of the PEM file that contains the RSA key to be converted. |
embedsavefile
|
When using the embed application type, the <VALUE> for embedsavefile specifies the name for the file where the fake RSA private key is to be saved.
The file has the same syntax as an RSA private key file, but actually contains the key identifier rather than the key itself, which remains protected.
A certificate request and a self-signed certificate are also written.
If the filename is <ROOT>.ext then the request is saved to <ROOT>_req.ext and the self-signed certificate is saved to <ROOT>_selfcert.ext.
|
from-application
|
When retargeting a key, the <VALUE> for from-application specifies the application name of the key to be retargeted.
Only applications for which at least one key exists are acceptable. |
from-ident
|
When retargeting a key, the <VALUE> for from-ident specifies the identifier of the key to be retargeted (as displayed by the nfkminfo command-line utility). |
hexdata
|
The <VALUE> for hexdata specifies the hex value of DES or Triple DES key to import.
The hex digits are echoed to the screen and can appear in process listings if this parameter is specified on the command line. |
ident
|
The <VALUE> for ident specifies a unique identifier for the key in the Security World.
For applications of types simple or hwcrhk, this is the key identifier to use (the exact identifier for simple, for hwcrhk the key type is implicitly included).
For other application types, keys are assigned an automatically generated identifier and accessed by means of some application-specific name. |
keystore
|
The <VALUE> for keystore specifies the file name of the key store to use.
This must be an nShield key store. |
keystorepass
|
The <VALUE> for keystorepass specifies the password to the key store to use. |
module
|
The <VALUE> for module specifies an HSM to use when generating the key.
If there is more than one usable HSM, you are prompted to supply a value for one of them.
The default is the first usable HSM (one in the current Security World and in the operational state).
|
|
You can also specify an HSM by setting the --module option.
|
|
paramsreadfile
|
The <VALUE> for paramsreadfile specifies the name of the group parameters file that contains the discrete log group parameters for Diffie-Hellman keys only.
This should be a PEM-formatted PKCS#3 file.
If a <VALUE> for paramsreadfile is not specified, the HSM uses a default file. |
pemreadfile
|
The <VALUE> for pemreadfile specifies the name of the PEM file that contains the key to be imported.
When importing an RSA key, this is the name of the PEM-encoded PKCS #1 file to read it from.
Password-protected PEM files are not supported. |
plainname
|
The <VALUE> for plainname specifies the key name within the Security World.
For some applications, the key identifier is derived from the
name, but for others the name is just recorded in kmdata (Linux) or %NFAST_KMDATA% (Windows) and not used otherwise.
|
protect
|
The <VALUE> for protect specifies the protection method, which can be module for Security World protection, softcard for softcard protection or token for Operator Card Set protection.
The default is token, except for seeconf keys, where the default is module.
seeinteg keys are always token-protected.
The softcard option is only available when your system has at least one softcard present. |
pubexp
|
For RSA key generation only, the <VALUE> for pubexp specifies (in hexadecimal format) the public exponent to use when generating RSA keys.
We recommend leaving this parameter blank unless advised to supply a particular value by Support. |
recovery
|
The <VALUE> for recovery enables recovery for this key and is only available for card-set protected keys in a recovery-enabled world.
If set to yes, the key is recoverable.
If set to no, key is not recoverable.
The default is yes.
Non-recoverable HSM-protected keys are not supported. |
seeintegname
|
If present, the <VALUE> for seeintegname identifies a seeinteg key.
The ACL of the newly generated private key is modified to require a certificate from the seeinteg key for its main operational permissions, such Decrypt and Sign (DuplicateHandle, ReduceACL, and GetACL are still permitted without certification.) |
selfcert
|
The <VALUE> for selfcert enables you to generate a self-signed certificate when generating a PKCS #11 key (RSA keys only).
To generate a self-signed certificate request you must set selfcert to yes, which makes generatekey prompt you to fill in the extra fields required to generate a key with a self-signed certificate.
The resultant certificate is saved to the current working directory with a file name of the form <FILENAME>.ext.
You can use this parameter with the --retarget option to generated a self-signed certificate for an existing key. |
size
|
For key types with variable-sized keys, the <VALUE> for size specifies the key size in bits.
The range of allowable sizes depends on the key type and whether the --no-verify option is used.
The default depends on the key type; for information on available key types and sizes, see the User Guide.
This parameter does not exist for fixed-size keys, nor for ECDH and ECDSA keys which are specified using curve. |
strict
|
For DSA key generation only, setting the <VALUE> for strict to yes enables strict verification, which also limits the size to exactly 1024 bits.
The default is no. |
type
|
The <VALUE> for type specifies the type of key.
You must usually specify the key type for generation and import (though some applications only support one key type, in which case you are not asked to choose).
Sometimes the type must also be specified for retargeting; for information on available key types and sizes, see the User Guide.
The --verify option limits the available key types. |
x509country
|
The <VALUE> for x509country specifies a country code, which must be a valid 2-letter code, for the certificate request. |
x509dnscommon
|
The <VALUE> for x509dnscommon specifies a site domain name, which can be any valid domain name, for the certificate request. |
x509email
|
The <VALUE> for x509email specifies an email address for the certificate request. |
x509locality
|
The <VALUE> for x509locality specifies a city or locality for the certificate request. |
x509org
|
The <VALUE> for x509org specifies an organization for the certificate request. |
x509orgunit
|
The <VALUE> for x509orgunit specifies an organizational unit for the certificate request. |
x509province
|
The <VALUE> for x509province specifies a province for the certificate request. |
xsize
|
The <VALUE> for xsize specifies the private key size in bits when generating Diffie-Hellman keys.
The defaults are 256 bits for a key size of 1500 bits or more or 160 bits for other key sizes. |