Skip to main content

Generate Assigned Key

Assigned keys provide for more restrictive controls which are enforced with ACLs Depending on the authorisation required, the keys can be either:

  • Token protected key, which is a key protected by an OCS or Softcard, and a passphrase.
  • Certifier protected key, which is a key protected by a Certifier key.

The assigned key is generated as part of the pkcs11 application, that can be further used for signing and sealing purposes.

info

For more information about the assigned keys, protection mechanism, and key parameters, see nShield Solo XC Common Criteria Evaluated Configuration Guide.

Generate assigned keys

Token protected assigned keys can be created via the generatekey and mkaclx CLI utilities.

Using the generatekey

To generate an assigned key using generatekey, use the following command:

generatekey pkcs11 assigned=yes

This will bring an interactive generation of the assigned key, where you need to provide at least the following:

  • Key type
  • Key size
  • Key name
  • Token (your PKCS#11 token)

This is an example output from the generatekey command:

generatekey pkcs11 assigned=yes
type: Key type? (DES3, DH, DHEx, DSA, HMACSHA1, HMACSHA256, HMACSHA384,
HMACSHA512, RSA, DES2, AES, Rijndael, ECDSA, ECDH, Ed25519,
X25519) [RSA] >
size: Key size? (bits, minimum 1024) [2048] >
OPTIONAL: pubexp: Public exponent for RSA key (hex)? []
>
logkeyusage: Log key usage? (yes/no) [no] >
plainname: Key name? [] > testassignedkey01
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
key generation parameters:
operation Operation to perform generate
application Application pkcs11
protect Protected by softcard
softcard Soft card to protect key testsoftcard01
recovery Key recovery no
assigned Make an assigned key yes
verify Verify security of key yes
type Key type RSA
size Key size 2048
pubexp Public exponent for RSA key (hex)
logkeyusage Log key usage no
plainname Key name testassignedkey01
nvram Blob in NVRAM (needs ACS) no
Please enter the pass phrase for softcard `testsoftcard01':

Please wait........
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_uc80a8020f5c5bed0d9b9bed13f9577608903dd4da-9ea7bcb6daa87fa29bbd0466d5d21f0799bc8c19

Using the mkaclx

To generate an assigned key using mkaclx, use the following command:

mkaclx --assigned --no-recovery --softcard-protected=testsoftcard01 --timeout=365d --use-limit=100 testassignedkey01