Ensure that you have created a user that can manage crypto operations (CryptoUser). The byoktool supports all key types (PKCS#11, CNG, JCE, CXI). In this guide we will create a PKCS#11 key. For other types, please refer to the documentation provided to you on the Utimaco Product CD.
The key will be stored in the internal key storage of the HSM.
- Use the following command to generate the tenant key:
> p11tool2 slot=0 loginuser=<user_password> PubKeyAttr=CKA_LABEL="<tenant_public_key>",CKA_MODULUS_BITS=2048 PrvKeyAttr=CKA_LABEL="<tenant_private_key>",CKA_EXTRACTABLE=CK_TRUE GenerateKeyPair=RSA
- Navigate to the folder where you have the byoktool saved. Execute the following command to wrap the tenant key by using the KeyVaultKey downloaded from the Azure Key Vault:
> byoktool.exe Dev=<IP_of_UTIMACO_HSM> LogonPass=<User>,<user_password> Label="<tenant_private_key>" CSP=azure PublicKey="<keyvaultkey>.publickey.pem" KID="<kid>" WrappedKey="<WrappedKey>"
The attribute CKA_MODULUS_BITS sets the length of your key in bits; you can change it to a length that suits your use case.
The attribute CKA_EXTRACTABLE must be set to CK_TRUE. With CK_FALSE the HSM refuses to wrap (export) the private key, so the byoktool step cannot succeed.
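The following PowerShell script is an added example and is not part of the Utimaco or Azure Key Vault documentation. It runs the two steps above in order and adds the checks a practitioner would normally want before and after: the Key Vault public key file exists, the KID has the shape of a Key Vault key identifier and carries no stray whitespace, the labels contain only characters that are safe inside the p11tool2 attribute lists, the modulus size is one Key Vault accepts for RSA, an existing wrapped-key file is not overwritten, and the resulting blob is non-empty. The p11tool2 and byoktool parameter names are the ones shown in the guide; the file names, default labels, the KID regular expression and the script name are assumptions.

```powershell
<#
  Added example (not from the Utimaco or Azure documentation): drives the
  two commands of this guide with input and output checks. File names, key
  labels and the KID pattern below are assumptions; the p11tool2 and
  byoktool parameters are the ones shown in the guide.
  Usage (assumed script name):
    .\Wrap-TenantKey.ps1 -HsmAddress 192.0.2.10 -CryptoUser CryptoUser `
        -UserPassword '<user_password>' -Kid 'https://<vault>.vault.azure.net/keys/<name>/<version>'
#>
param(
    [Parameter(Mandatory)] [string] $HsmAddress,     # <IP_of_UTIMACO_HSM>
    [Parameter(Mandatory)] [string] $CryptoUser,     # the CryptoUser created earlier
    [Parameter(Mandatory)] [string] $UserPassword,   # <user_password>
    [Parameter(Mandatory)] [string] $Kid,            # Key Vault key identifier (<kid>)
    [string] $PublicKeyPem   = '.\KeyVaultKey.publickey.pem',  # assumed file name
    [string] $WrappedKeyFile = '.\tenant_private_key.byok',    # assumed output name
    [string] $PublicLabel    = 'tenant_public_key',            # assumed label
    [string] $PrivateLabel   = 'tenant_private_key',           # assumed label
    [int]    $ModulusBits    = 2048
)

$ErrorActionPreference = 'Stop'

# --- Input checks, done before anything touches the HSM -------------------

if (-not (Test-Path -LiteralPath $PublicKeyPem)) {
    throw "Key Vault public key file not found: $PublicKeyPem"
}
# Assumed shape of a Key Vault key identifier:
# https://<vault>.<suffix>/keys/<name>[/<32-hex-char version>]
if ($Kid -ne $Kid.Trim() -or
    $Kid -notmatch '^https://[^\s/]+/keys/[^\s/]+(/[0-9a-fA-F]{32})?$') {
    throw "KID does not look like a Key Vault key identifier: '$Kid'"
}
# Labels are passed unquoted inside the p11tool2 attribute lists, so they
# must not contain spaces, commas or quotes.
foreach ($label in @($PublicLabel, $PrivateLabel)) {
    if ($label -notmatch '^[A-Za-z0-9_.-]+$') {
        throw "Unsupported characters in key label: '$label'"
    }
}
# RSA sizes Azure Key Vault accepts.
if ($ModulusBits -notin @(2048, 3072, 4096)) {
    throw "RSA modulus must be 2048, 3072 or 4096 bits; got $ModulusBits"
}
if (Test-Path -LiteralPath $WrappedKeyFile) {
    throw "Refusing to overwrite existing wrapped key file: $WrappedKeyFile"
}

# --- Step 1: generate the RSA tenant key pair inside the HSM --------------
# CKA_EXTRACTABLE=CK_TRUE is required, otherwise step 2 cannot wrap the key.
& p11tool2 'slot=0' "loginuser=$UserPassword" `
    "PubKeyAttr=CKA_LABEL=$PublicLabel,CKA_MODULUS_BITS=$ModulusBits" `
    "PrvKeyAttr=CKA_LABEL=$PrivateLabel,CKA_EXTRACTABLE=CK_TRUE" `
    'GenerateKeyPair=RSA'
if ($LASTEXITCODE -ne 0) { throw "p11tool2 failed with exit code $LASTEXITCODE" }

# --- Step 2: wrap the private key with the Key Vault public key -----------
# Only the wrapped blob leaves the HSM; the private key is never in clear.
& .\byoktool.exe "Dev=$HsmAddress" "LogonPass=$CryptoUser,$UserPassword" `
    "Label=$PrivateLabel" 'CSP=azure' "PublicKey=$PublicKeyPem" `
    "KID=$Kid" "WrappedKey=$WrappedKeyFile"
if ($LASTEXITCODE -ne 0) { throw "byoktool failed with exit code $LASTEXITCODE" }

# --- Output check: the blob must exist and be non-empty before upload -----
$blob = Get-Item -LiteralPath $WrappedKeyFile
if ($blob.Length -eq 0) { throw "Wrapped key file is empty: $WrappedKeyFile" }
Write-Host "Wrapped tenant key written to $($blob.FullName) ($($blob.Length) bytes)"
```

The quotes around label and file values in the guide's commands are only shell grouping; the Windows C runtime strips them before the tools see their arguments, which is why the script passes the values unquoted and instead rejects labels that would need quoting. As in the guide's own commands, the user password appears on the command line, so run the script from an interactive session rather than from a scheduled or logged job.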