Generate a key pair and certificate on the CryptoHub
This section describes the steps to generate a key pair, CSR, and certificate and then sign the certificate.

Connect to the CryptoHub

Perform the following steps to connect and log in to the CryptoHub through FXCLI:

1. Run the FXCLI application.

2. Configure TLS certificates for communication between FXCLI and the CryptoHub by using the tls set of commands. Run tls help to access syntax documentation.

3. Connect to the CryptoHub by using the following command:

       fxcli $ connect connect cryptohub ip 2001

4. Log in to the CryptoHub with the default Admin1 and Admin2 identities by running the following command twice, entering the username and password when prompted:

       fxcli $ login user

Generate a new key pair on the CryptoHub

Perform the following steps to generate a new key pair on the CryptoHub:

1. Generate a new key pair in the next available key slot on the CryptoHub. Modify the key usage values to match your specific requirements.

       fxcli $ generate algo rsa bits 2048 name igdemokeypair usage sign,verify slot next

2. Confirm which key slot the private key was added to:

       fxcli $ keytable list

3. Assign a PKCS11 label to the key. You must set this field so certutil can find the key on the CryptoHub. The PKCS11 label value should match the name that you set for the key pair in the generate command.

       fxcli $ keytable extdata slot 0 p11 attr label p11 value igdemokeypair

Generate a CSR

Perform the following step to generate a certificate signing request (CSR):

1. Generate a CSR from the new key pair that was created on the CryptoHub:

       $ x509 req private slot igdemokeypair out igdemo csr

Create a CA

Perform the following steps to create a certificate authority (CA):

1. Create a new key pair in the next available key slot on the CryptoHub:

       fxcli $ generate algo rsa bits 2048 usage mak name cakeypair slot next

2. Create a CA certificate from the key pair that was created on the CryptoHub:

       fxcli $ x509 sign private slot cakeypair key usage digitalsignature key usage keycertsign ca true pathlen 0 dn 'o=futurex\cn=root' out ca pem

3. Confirm which key slot the private key was added to:

       fxcli $ keytable list

4. Assign a PKCS11 label to the key. You must set this field so certutil can find the key on the CryptoHub. The PKCS11 label value should match the name that you set for the key pair in the generate command.

       $ keytable extdata slot 1 p11 attr label p11 value cakeypair

Sign the CSR by using the CA

Perform the following steps to sign the CSR by using the CA:

1. Sign the igdemo CSR that you created by using the self-signed CA certificate. Modify the key usage values to match your specific certificate requirements.

       fxcli $ x509 sign csr igdemo csr issuer ca pem private slot cakeypair ca false key usage digitalsignature key usage keyencipherment key usage dataencipherment key usage keyagreement eku client dn 'o=futurex\cn=ig demo' out igdemo pem

The signed leaf certificate is output to a file called igdemo pem.
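
The CA and leaf profile requested by the two x509 sign commands above can be checked once both PEM files are available on a workstation. The script below is an added example, not Futurex code: it uses the openssl CLI, assumes that eku client means the clientAuth extended key usage, and builds a constructed software-key pair (hypothetical file names) as a stand-in for the exported files.

```shell
#!/bin/sh
# Added example, not Futurex code: check a CA/leaf pair against the profile the x509 sign commands request.
# ext_has CERT EXTENSION REGEX: true if the extension's value line matches REGEX.
ext_has() {
  openssl x509 -in "$1" -noout -text | grep -A1 "X509v3 $2:" | grep -Eq "$3"
}

# check_pair CA_PEM LEAF_PEM: prints each failed check; non-zero if any failed.
check_pair() {
  local ca="$1" leaf="$2" rc=0
  ext_has "$ca" "Basic Constraints" "CA:TRUE, pathlen:0" || { echo "CA: want CA:TRUE, pathlen:0"; rc=1; }
  ext_has "$ca" "Key Usage" "Digital Signature.*Certificate Sign" || { echo "CA: key usage"; rc=1; }
  ext_has "$leaf" "Basic Constraints" "CA:TRUE" && { echo "leaf: must not be a CA"; rc=1; }
  ext_has "$leaf" "Key Usage" "Digital Signature.*Key Encipherment.*Data Encipherment.*Key Agreement" || { echo "leaf: key usage"; rc=1; }
  # Assumption: "eku client" corresponds to the clientAuth EKU.
  ext_has "$leaf" "Extended Key Usage" "Client Authentication" || { echo "leaf: clientAuth EKU missing"; rc=1; }
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 || { echo "leaf does not chain to CA"; rc=1; }
  return $rc
}

# make_sample DIR: constructed test pair with software keys, standing in for files exported from the HSM.
make_sample() {
  local d="$1"
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Futurex
CN = Root
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = digitalSignature,keyCertSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,dataEncipherment,keyAgreement
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$d/x.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -config "$d/x.cnf" -subj "/O=Futurex/CN=IG Demo" -newkey rsa:2048 \
    -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 30 -extfile "$d/x.cnf" -extensions leaf -out "$d/leaf.pem" 2>/dev/null
}

if [ "$#" -eq 2 ]; then check_pair "$1" "$2" || exit 1; fi
```

Run it with the CA certificate path first and the leaf certificate path second; it prints one line per failed check and exits non-zero if any check fails.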