Generates the key pair and the certificate signing request (CSR) of the certificate for signing TST responses.

tsactl create-key -k <key_type> [-s <subject>] [-o <csr>] [-p <pin>] [-t <token>] [-v <vendor>] [-y]

For example:

$ sudo tsactl create-key -k RSA3072 -s "CN=97357462, O=Entrust, C=ES"
Obtaining loaded secrets and configuration... Done
Starting PKCS #11 Manager... Done
Using token with label mytoken
Created key with id 4a00a4617d1afd5ad626955132dd0d396a69ed24
CSR:
-----BEGIN CERTIFICATE REQUEST-----
MIICqDCCAZACAQAwMzExMC8GA1UEAxMoNGEwMGE0NjE3ZDFhZmQ1YWQ2MjY5NTUx
etTv+pac+nJKW8fw
-----END CERTIFICATE REQUEST-----

See below for a description of each option.

-k <key_type>

Create a key of the <key_type> type, where <key_type> is one of the following.

<key_type>    Description
RSA2048       RSA 2048 bits
RSA3072       RSA 3072 bits
RSA4096       RSA 4096 bits
ECDSAP256     ECDSA curve NIST P-256
ECDSAP384     ECDSA curve NIST P-384
ECDSAP521     ECDSA curve NIST P-521

Mandatory: Yes.

-s <subject>

Use <subject> as the Subject of the certificate request, where <subject> is either:

  • A full Distinguished Name (DN)
  • A Relative Distinguished Name (RDN)

The DN attributes must be in capital letters for the Subject to be recognized.

For example:

CN=Example User,O=Example,C=US
CN=Example User

Mandatory: No. When omitting this option, the Subject in the generated certificate request defaults to the following:

CN=<key_id>

Where <key_id> is the key identifier.

-o <csr>

Save the certificate signing request (CSR) in a file with the <csr> path.

The root user owns the generated file, so you must change the file permissions to download it using SFTP.

Mandatory: No. When omitting this option, the command prints the CSR to the standard output.

-p <pin>

Authenticate in the HSM with the <pin> PIN.

Mandatory: No. When omitting this option, the command looks for the PIN in the application secrets. If it is not found there, the command prompts the user for the PIN.

-t <token>

Select the HSM token with the <token> label.

Mandatory: No. When omitting this option, the command uses the value of the Token label configuration parameter.

The command will raise an error if you omit this option and the configuration is not loaded.

-v <vendor>

Use the <vendor> security module. See the following table for the supported values.

Vendor     Security module
none       Built-in software PKCS #11 module.
nshield    nShield HSM. See HSM requirements for the supported models.
thales     Thales HSM. See HSM requirements for the supported models.

It is recommended to select a Hardware Security Module (HSM).

Mandatory: No. When omitting this option, the command assumes the value of the Vendor configuration parameter.

The command will raise an error if you omit this option and the configuration is not loaded.

-y

Skip the confirmation prompt.
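As an added example that is not part of the tsactl documentation, the following POSIX shell wrapper runs create-key with the options described above, then checks that the resulting CSR is self-consistent and actually carries the requested key type before it is handed to the CA. It assumes tsactl and openssl are on PATH and that it runs as root, as in the example session; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the tsactl documentation: wraps "tsactl create-key"
# so the CSR is checked before it is sent to the CA. Assumes tsactl and openssl
# are on PATH and that the script runs as root, as the docs' example does.

# Map the -k key types from the table to what "openssl req -text" prints,
# as "<algorithm>:<size or curve marker>".
expected_key_desc() {
  case "$1" in
    RSA2048)   echo "rsaEncryption:2048 bit" ;;
    RSA3072)   echo "rsaEncryption:3072 bit" ;;
    RSA4096)   echo "rsaEncryption:4096 bit" ;;
    ECDSAP256) echo "id-ecPublicKey:prime256v1" ;;
    ECDSAP384) echo "id-ecPublicKey:secp384r1" ;;
    ECDSAP521) echo "id-ecPublicKey:secp521r1" ;;
    *) return 1 ;;
  esac
}

# DN attribute names must be upper case or the Subject is not recognised.
# Accepts a full DN or a single RDN; escaped commas in values are not handled.
subject_attrs_uppercase() {
  rest="$1,"
  while [ -n "$rest" ]; do
    rdn=${rest%%,*}; rest=${rest#*,}
    attr=$(printf '%s' "${rdn%%=*}" | tr -d ' ')
    case "$attr" in
      ''|*[a-z]*) return 1 ;;
    esac
  done
  return 0
}

# create_and_verify KEY_TYPE SUBJECT CSR_PATH SFTP_USER
create_and_verify() {
  want=$(expected_key_desc "$1") || { echo "unsupported key type: $1" >&2; return 1; }
  subject_attrs_uppercase "$2" || { echo "DN attributes must be upper case: $2" >&2; return 1; }
  tsactl create-key -k "$1" -s "$2" -o "$3" -y || return 1
  # -o leaves the file owned by root; hand it to the account that fetches it over SFTP.
  chown "$4" "$3" && chmod 0640 "$3" || return 1
  # The CSR self-signature proves the token holds the private key for the embedded public key.
  openssl req -in "$3" -noout -verify || return 1
  txt=$(openssl req -in "$3" -noout -text)
  printf '%s\n' "$txt" | grep -q "Public Key Algorithm: ${want%%:*}" || { echo "wrong algorithm" >&2; return 1; }
  printf '%s\n' "$txt" | grep -q "${want#*:}" || { echo "wrong key size or curve" >&2; return 1; }
  openssl req -in "$3" -noout -subject
}

# Only act when called with arguments, so the file can also be sourced for its helpers.
if [ $# -ge 4 ]; then create_and_verify "$@"; fi
```

Invoke it as, for instance, `sudo ./create-key-check.sh RSA3072 "CN=97357462, O=Entrust, C=ES" /tmp/tsa.csr sftpuser`; the printed subject line should match the DN you passed with -s.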