Generating ECC Key Pair
Use this command to generate an ECC key pair.
The genECCKeyPair command generates an Elliptic Curve Cryptography (ECC) key pair in the HSMs.
Note
You must wait for the encryption key to get replicated to all replicas before you start using the key. To verify the key replication status, you can run the "getKeyInfo" command in Global mode using the Key Management Utility.
Open a command prompt and run the genECCKeyPair command to generate an ECC key pair in a partition.
Note
When you generate or import keys, we recommend you to set the "min_srv" value as 2.
Syntax

```
genECCKeyPair -h -i <EC curve id> -l <label> [-nex] [-sess] [-min_srv <minimum number of servers>] [-timeout <number of seconds>]
```
Parameter | Description |
---|---|
-h | Displays this help information. |
-i | Specifies the curve ID (see the list of supported curve IDs below). |
-l | Specifies the key label. If the label contains spaces, enclose it in double quote (") characters. |
-sess | Specifies the key as a session key. |
-min_srv | Specifies the minimum number of HSMs on which the key must be synchronized before the value of the -timeout parameter expires. If the key is not synchronized to the specified number of servers in the time allotted, it is not created. The default value for min_srv is 1. |
-timeout | Specifies the number of seconds to wait for the key to be synchronized when the min_srv option is used. If nothing is specified, polling continues forever. |
-nex | Sets the key as non-extractable. |
The following ECC curve IDs are supported by the HSM:

Curve name | Curve ID |
---|---|
NID_X9_62_prime192v1 | 1 |
NID_X9_62_prime256v1 | 2 |
NID_sect163k1 | 3 |
NID_sect163r2 | 4 |
NID_sect233k1 | 5 |
NID_sect233r1 | 6 |
NID_sect283k1 | 7 |
NID_sect283r1 | 8 |
NID_sect409k1 | 9 |
NID_sect409r1 | 10 |
NID_sect571k1 | 11 |
NID_sect571r1 | 12 |
NID_secp224r1 | 13 |
NID_secp384r1 | 14 |
NID_secp521r1 | 15 |
NID_secp256k1 | 16 |
NID_secp192k1 | 17 |
NID_brainpoolP160r1 | 18 |
NID_brainpoolP192r1 | 19 |
NID_brainpoolP224r1 | 20 |
NID_brainpoolP256r1 | 21 |
NID_brainpoolP320r1 | 22 |
NID_brainpoolP384r1 | 23 |
NID_brainpoolP512r1 | 24 |
CUSTOMIZED_NID_FRP256V1 | 25 |
NID_X25519 | 26 |
NID_X448 | 27 |
NID_ED25519 | 28 |
NID_secp224k1 | 29 |
Example

```
Command: genECCKeyPair -i 2 -l ecc_cu

KeyMgmtUtilsGenerateKeyPair returned: 0x00 : HSM Return: SUCCESS
KeyMgmtUtilsGenerateKeyPair: public key handle: 262554 private key handle: 262555
Cluster Status:
Node id 0 status: 0x00000000 : HSM Return: SUCCESS
Node id 1 status: 0x00000000 : HSM Return: SUCCESS
Node id 2 status: 0x00000000 : HSM Return: SUCCESS
```
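The following Python helper is an added example; it is not part of this page and not code from the Key Management Utility. It builds the genECCKeyPair line from the curve table and parameters above (defaulting -min_srv to the recommended value of 2 and quoting labels that contain spaces), and parses the output format shown in the example to extract the two key handles and check that every cluster node reported SUCCESS before the key is put to use. The first sample output is copied from the example above; the second, with one node reporting a non-zero status, is constructed and its status text is a placeholder rather than a real HSM message. All function names are this example's own.

```python
import re

# Curve IDs as listed in this page's table (curve name -> value for -i).
ECC_CURVE_IDS = {
    "NID_X9_62_prime192v1": 1, "NID_X9_62_prime256v1": 2, "NID_sect163k1": 3,
    "NID_sect163r2": 4, "NID_sect233k1": 5, "NID_sect233r1": 6,
    "NID_sect283k1": 7, "NID_sect283r1": 8, "NID_sect409k1": 9,
    "NID_sect409r1": 10, "NID_sect571k1": 11, "NID_sect571r1": 12,
    "NID_secp224r1": 13, "NID_secp384r1": 14, "NID_secp521r1": 15,
    "NID_secp256k1": 16, "NID_secp192k1": 17, "NID_brainpoolP160r1": 18,
    "NID_brainpoolP192r1": 19, "NID_brainpoolP224r1": 20,
    "NID_brainpoolP256r1": 21, "NID_brainpoolP320r1": 22,
    "NID_brainpoolP384r1": 23, "NID_brainpoolP512r1": 24,
    "CUSTOMIZED_NID_FRP256V1": 25, "NID_X25519": 26, "NID_X448": 27,
    "NID_ED25519": 28, "NID_secp224k1": 29,
}


def build_gen_ecc_command(curve, label, min_srv=2, timeout=None,
                          nex=False, sess=False):
    """Build the genECCKeyPair line to type at the utility prompt.

    `curve` is a curve name from ECC_CURVE_IDS or its numeric ID.
    min_srv defaults to 2, the value this page recommends for new keys.
    (Hypothetical helper; it does not invoke the utility itself.)
    """
    curve_id = ECC_CURVE_IDS.get(curve) if isinstance(curve, str) else int(curve)
    if curve_id not in ECC_CURVE_IDS.values():
        raise ValueError(f"unsupported ECC curve: {curve!r}")
    if min_srv < 1:
        raise ValueError("min_srv must be at least 1")
    if '"' in label:
        raise ValueError("label must not contain double-quote characters")
    # Per the page, a label containing spaces must be enclosed in " characters.
    label_arg = f'"{label}"' if " " in label else label
    parts = ["genECCKeyPair", "-i", str(curve_id), "-l", label_arg]
    if nex:
        parts.append("-nex")   # private key cannot be extracted from the HSM
    if sess:
        parts.append("-sess")  # session key only
    parts += ["-min_srv", str(min_srv)]
    if timeout is not None:
        parts += ["-timeout", str(timeout)]  # without it, polling never gives up
    return " ".join(parts)


# Regexes matching the output lines shown in this page's example.
_RET_RE = re.compile(r"KeyMgmtUtilsGenerateKeyPair returned:\s*(0x[0-9A-Fa-f]+)"
                     r"\s*:\s*HSM Return:\s*(\S+)")
_HANDLE_RE = re.compile(r"public key handle:\s*(\d+)\s+private key handle:\s*(\d+)")
_NODE_RE = re.compile(r"Node id (\d+) status:\s*(0x[0-9A-Fa-f]+)\s*:\s*HSM Return:\s*(\S+)")


def parse_gen_ecc_output(text):
    """Parse genECCKeyPair output into key handles and per-node status."""
    ret = _RET_RE.search(text)
    if ret is None:
        raise ValueError("no KeyMgmtUtilsGenerateKeyPair return line found")
    if int(ret.group(1), 16) != 0:
        raise RuntimeError(f"key generation failed: {ret.group(1)} {ret.group(2)}")
    handles = _HANDLE_RE.search(text)
    if handles is None:
        raise ValueError("return code was SUCCESS but no key handles were printed")
    # node id -> (numeric status, status text)
    nodes = {int(n): (int(c, 16), s) for n, c, s in _NODE_RE.findall(text)}
    return {
        "public_handle": int(handles.group(1)),
        "private_handle": int(handles.group(2)),
        "nodes": nodes,
        "failed_nodes": sorted(n for n, (c, _) in nodes.items() if c != 0),
    }


def replicated_to(result, min_srv):
    """True when at least min_srv nodes reported SUCCESS for the new key."""
    ok = sum(1 for c, _ in result["nodes"].values() if c == 0)
    return ok >= min_srv


# Output exactly as shown in this page's example.
SAMPLE_OUTPUT = """\
KeyMgmtUtilsGenerateKeyPair returned: 0x00 : HSM Return: SUCCESS
KeyMgmtUtilsGenerateKeyPair: public key handle: 262554 private key handle: 262555
Cluster Status:
Node id 0 status: 0x00000000 : HSM Return: SUCCESS
Node id 1 status: 0x00000000 : HSM Return: SUCCESS
Node id 2 status: 0x00000000 : HSM Return: SUCCESS
"""

# Constructed variant (not real HSM output): node 2 reports a non-zero status,
# so the key is not yet present on every replica. The status text is a placeholder.
PARTIAL_OUTPUT = SAMPLE_OUTPUT.replace(
    "Node id 2 status: 0x00000000 : HSM Return: SUCCESS",
    "Node id 2 status: 0x000000ff : HSM Return: PLACEHOLDER_ERROR")

if __name__ == "__main__":
    print(build_gen_ecc_command("NID_X9_62_prime256v1", "ecc_cu", timeout=30))
    r = parse_gen_ecc_output(PARTIAL_OUTPUT)
    print("failed nodes:", r["failed_nodes"], "replicated to 2:", replicated_to(r, 2))
```

The parser treats a successful return line as necessary but not sufficient: a caller should also confirm that the node count it expects all reported SUCCESS (or at least the -min_srv it asked for), which is the replication check the note at the top of this page asks for before the key is used.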