Generating Agentless Management Keys to HSM

This section describes how to create agentless management keys in an HSM. The instructions in this section can be performed on any Key Manager Server with a functioning SafeNet Client.

  1. Gain root-terminal access to the Key Manager Server machine.

  2. Run a command similar to the following to generate a new SSH key pair:

    # /usr/lunasa/bin/cmu generatekeypair -modulusBits=keysize \
    -publicExp=exponent -label=keylabel -sign=T -verify=T -id=binaryid

    In the example command, replace placeholder values as follows:

    • keysize: The size of the key in bits. For example: 2048

    • exponent: The public exponent value to use in the generation of RSA key pairs. Must be set to 3, 17 or 65537.

    • keylabel: An arbitrary name for the key pair. For example: sshmgrkey

    • binaryid: A unique ID for the key pair in binary form, one byte in length. For example: 00000001

    For the key pair to work with Key Manager, its sign and verify attributes must be set to true.

    The following is a working example of the command:

    # /usr/lunasa/bin/cmu generatekeypair -modulusBits=2048 \
    -publicExp=65537 -sign=T -verify=T -label=sshmgrkey -id=00000001

    When prompted, enter the PIN of the HSM partition.

    You may then verify that the key was added by running the following command:

    # /usr/lunasa/bin/cmu list

    Once again, enter the PIN of the HSM partition when prompted. The command then lists the keys in the partition.