Generate a signature using AWS CloudHSM KMU
Use the sign command in the AWS CloudHSM key_mgmt_util to use a chosen private key to generate a signature for a file.
In order to use sign, you must first have a private key in your HSM. You can generate a private key with the genSymKey, genRSAKeyPair, or genECCKeyPair commands. You can also import one with the importPrivateKey command. For more information, see Generate Keys.
The sign command uses a user-designated signing mechanism, represented by an integer, to sign a message file. For a list of possible signing mechanisms, see Parameters.
Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).
Syntax
sign -h

sign -f <file name> -k <private key handle> -m <signature mechanism> -out <signed file name>
Example
This example shows how to use sign to sign a file.
Example : Sign a file
This command signs a file named messageFile with the private key whose handle is 266309. It uses the SHA256_RSA_PKCS (1) signing mechanism and saves the resulting signed file as signedFile.
Command: sign -f messageFile -k 266309 -m 1 -out signedFile

Cfm3Sign returned: 0x00 : HSM Return: SUCCESS

signature is written to file signedFile

Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
Node id 2 and err state 0x00000000 : HSM Return: SUCCESS
Parameters
This command takes the following parameters.
-f
The name of the file to sign.
Required: Yes
-k
The handle of the private key to be used for signing.
Required: Yes
-m
An integer that represents the signing mechanism to be used for signing. The possible mechanisms correspond to the following integers:

Signing Mechanism        Corresponding Integer
SHA1_RSA_PKCS            0
SHA256_RSA_PKCS          1
SHA384_RSA_PKCS          2
SHA512_RSA_PKCS          3
SHA224_RSA_PKCS          4
SHA1_RSA_PKCS_PSS        5
SHA256_RSA_PKCS_PSS      6
SHA384_RSA_PKCS_PSS      7
SHA512_RSA_PKCS_PSS      8
SHA224_RSA_PKCS_PSS      9
ECDSA_SHA1               15
ECDSA_SHA224             16
ECDSA_SHA256             17
ECDSA_SHA384             18
ECDSA_SHA512             19

Required: Yes
-out
The name of the file to which the signed file will be saved.
Required: Yes
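When sign is scripted rather than typed interactively, two things are easy to get wrong: the mechanism integer (note the gap between 9 and 15 in the table) and reading only the first status line while a cluster node reports a non-zero error state. The following added example, which is not part of the AWS documentation or of key_mgmt_util itself, builds the sign command from the mechanism table above and checks the Cfm3Sign output so that a signature is trusted only when the overall return code and every node's error state are zero. The sample output is constructed from the example on this page.

```python
import re

# Mechanism table as documented for the key_mgmt_util "sign -m" parameter.
SIGN_MECHANISMS = {
    "SHA1_RSA_PKCS": 0, "SHA256_RSA_PKCS": 1, "SHA384_RSA_PKCS": 2,
    "SHA512_RSA_PKCS": 3, "SHA224_RSA_PKCS": 4,
    "SHA1_RSA_PKCS_PSS": 5, "SHA256_RSA_PKCS_PSS": 6,
    "SHA384_RSA_PKCS_PSS": 7, "SHA512_RSA_PKCS_PSS": 8,
    "SHA224_RSA_PKCS_PSS": 9,
    "ECDSA_SHA1": 15, "ECDSA_SHA224": 16, "ECDSA_SHA256": 17,
    "ECDSA_SHA384": 18, "ECDSA_SHA512": 19,
}

# Constructed sample of the output shown in this page's example.
SAMPLE_OUTPUT = (
    "Cfm3Sign returned: 0x00 : HSM Return: SUCCESS\n\n"
    "signature is written to file signedFile\n\n"
    "Cluster Error Status\n"
    "Node id 0 and err state 0x00000000 : HSM Return: SUCCESS\n"
    "Node id 1 and err state 0x00000000 : HSM Return: SUCCESS\n"
    "Node id 2 and err state 0x00000000 : HSM Return: SUCCESS\n"
)


def build_sign_command(message_file, key_handle, mechanism, out_file):
    """Return the key_mgmt_util 'sign' line for these arguments.
    `mechanism` may be a name from SIGN_MECHANISMS or its integer; integers
    that are not in the table (for example 10 to 14) are rejected."""
    mech = SIGN_MECHANISMS[mechanism] if isinstance(mechanism, str) else int(mechanism)
    if mech not in SIGN_MECHANISMS.values():
        raise ValueError(f"unknown signing mechanism: {mechanism!r}")
    return f"sign -f {message_file} -k {int(key_handle)} -m {mech} -out {out_file}"


_OVERALL_RE = re.compile(r"Cfm3Sign returned: (0x[0-9A-Fa-f]+)")
_NODE_RE = re.compile(r"Node id (\d+) and err state (0x[0-9A-Fa-f]+)")


def check_sign_output(output):
    """Parse Cfm3Sign output. Returns (ok, per_node) where per_node maps node
    id -> error state and ok is True only when the overall return code is 0x00,
    at least one node was reported, and every node's error state is zero."""
    overall = _OVERALL_RE.search(output)
    per_node = {int(n): int(state, 16) for n, state in _NODE_RE.findall(output)}
    ok = (overall is not None and int(overall.group(1), 16) == 0
          and bool(per_node) and all(s == 0 for s in per_node.values()))
    return ok, per_node
```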