mkaclx

mkaclx [-kKCMrRqviGA] [-a IDENT[:MECH]] [-t TYPE] [-b BITS] [-g BITS]
       [-O OPFLAGS] [-m MODULE] [-N NAME] [-T TIME] [-U N] IDENT

Generates cryptographic keys with non-standard ACLs for use in specific operations, for example wrapping other keys or serving as the base key of a derive-key mechanism. This utility includes protection and ACL options that are not available with the generatekey utility.

Run mkaclx only with options appropriate to your security infrastructure. The ACL is fixed when the key is generated, so a key created with the wrong options (for example, recoverable when it should not be, or with OpPermissions that should have been denied) can compromise the security of the keys it protects or derives.
Options

Key generation parameters

-b, --bits=BITS

Generates a key of length BITS.
Default: depends on the key type.

-g, --group-size=BITS

Sets the group size to BITS for Diffie-Hellman keys.

-k, --keygen-cert

Stores a key generation certificate (default).

-K, --no-keygen-cert

Doesn’t store a key generation certificate.

-O, --deny-oppermissions=OPFLAGS

Denies the OpPermissions named in OPFLAGS, a comma-separated list, so the generated key's ACL does not permit those operations.

-t, --type=KEYTYPE

Selects the type of the generated key.
Default: RSA.

Key protection options

-a, --see-app-key=IDENT[:MECH]

Restricts the use of key to SEE programs signed by SEE integrity key IDENT, optionally with mechanism MECH.

-A, --assigned

Requires the key to be assigned (common-criteria-cmts worlds only).

-C, --cardset-protected

Generates a cardset-protected key.

-G, --logkeyusage

Requires logging of usage of the key.

-i, --kitb

Writes the blob to the module’s NVRAM.

-M, --module-protected

Generates a module-protected key (default).

-r, --recovery

Allows key to be recoverable (default).

-R, --no-recovery

Doesn’t allow key to be recoverable.

-S, --softcard-protected=NAME

Generates a softcard-protected key using the softcard NAME.

-T, --timeout=TIME

Sets a time limit of TIME seconds on main-use operations.

-U, --use-limit=N

Sets a per-authorization use limit of N on main-use operations.

Other settings

--confirm

Shows the command and requests confirmation.

-N, --name=NAME

Sets the key’s name.
Default: no name.

-q, --quiet

Produces fewer messages on successful runs.

-v, --verbose

Produces more messages on successful runs.

Option to address HSMs

-m, --module=MODULE

Specifies the number of the module to use.
If you only have one module, MODULE is 1.
If you do not specify a module number, the utility uses all modules by default.

Help options

-h, --help

Displays help for mkaclx.

-u, --usage

Displays a brief usage summary for mkaclx.

-V, --version

Displays the version number of the Security World Software that deploys mkaclx.
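The following is an added example, not part of the original reference and not code shipped with the Security World Software. It composes a mkaclx command line for a key-wrapping key from a small policy (protection method, denied OpPermissions, timeout and use limit), applying the option semantics described above: non-recoverable (-R), usage logged (-G), denied OpPermissions (-O), optional -T and -U, and --confirm so the operator sees the command before it runs. The key type DES3, the 192-bit length, and the OpPermission names ExportAsPlain and DuplicateHandle are assumptions chosen for illustration; the script only builds and prints the command and does not execute mkaclx, so the output can be reviewed and then run by hand.

```shell
#!/bin/sh
# Added example: build a hardened mkaclx invocation for a key-wrapping key.
# Assumptions (not from the reference page): the OpPermission names passed
# to -O, the key type and length are illustrative only. mkaclx is not run.

# build_mkaclx_cmd IDENT KEYTYPE BITS PROTECTION DENY [TIMEOUT] [USELIMIT]
#   PROTECTION: module | cardset | softcard:NAME
#   DENY:       comma-separated OpPermissions to deny with -O
# Prints the command line on stdout; returns 1 on an unknown PROTECTION.
build_mkaclx_cmd() {
    ident=$1; ktype=$2; bits=$3; prot=$4; deny=$5; timeout=$6; uselimit=$7

    # --confirm shows the full command and asks before generating anything;
    # -m 1 pins the operation to module 1 instead of all modules.
    set -- mkaclx --confirm -m 1 -t "$ktype" -b "$bits"

    # Exactly one protection method: -M (default), -C, or a named softcard.
    case $prot in
        module)      set -- "$@" -M ;;
        cardset)     set -- "$@" -C ;;
        softcard:?*) set -- "$@" "--softcard-protected=${prot#softcard:}" ;;
        *) echo "build_mkaclx_cmd: unknown protection '$prot'" >&2; return 1 ;;
    esac

    # -R: a wrapping key should not be recoverable by the recovery key.
    # -G: require logging of every use of the key.
    # -O: deny the listed OpPermissions in the key's ACL.
    set -- "$@" -R -G -O "$deny"

    # Optional limits on main-use operations.
    if [ -n "$timeout" ]; then
        set -- "$@" -T "$timeout"
    fi
    if [ -n "$uselimit" ]; then
        set -- "$@" -U "$uselimit"
    fi

    # Name the key and give the mandatory IDENT argument.
    set -- "$@" -N "$ident" "$ident"
    printf '%s\n' "$*"
}

# Usage: compose the command for a card-set-protected wrapping key that may
# not be exported in plaintext or duplicated, limited to 3600 s and 100 uses
# per authorization. Review the printed line, then run it by hand.
build_mkaclx_cmd wrapkey DES3 192 cardset ExportAsPlain,DuplicateHandle 3600 100
```

The function deliberately refuses an unrecognised protection method rather than falling back to the module-protected default, so a typo cannot silently produce a key that is not bound to the card set or softcard you intended.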