Creating an MLDSA key pair

To create an MLDSA key pair, use the following command:

/opt/utimaco/bin/qptool2 -lib "/opt/utimaco/lib/libcs_pkcs11_R3.so" -s SLOT_ID -p PIN -token -mldsa -keytype 2 -label KEY_LABEL -gen -count 1

For OpenSSL to use the key, the private and public parts of the key must share the same CKA_ID. This can be checked using the p11CAT tool from Utimaco.

  1. Verify that the keys are generated on the HSM using the following command:

›_ Console

/opt/utimaco/bin/p11tool2 slot=SLOT_ID LoginUser=ask ListObjects
Enter normal user PIN:


CKO_PUBLIC_KEY:

+ 1.1
  CKA_KEY_TYPE                   = CKK_VENDOR_DEFINED
  CKA_UNIQUE_ID                  = C3B21F47-56D3-4433-95C9-41793210D5E8
  CKA_LABEL                      = MLDSA_2_key
  CKA_ID                         = 0x3030 (00)

CKO_PRIVATE_KEY:

+ 2.1
  CKA_KEY_TYPE                   = CKK_VENDOR_DEFINED
  CKA_UNIQUE_ID                  = 056E1AC8-E31A-464F-9336-95C220287A97
  CKA_SENSITIVE                  = CK_TRUE
  CKA_EXTRACTABLE                = CK_FALSE
  CKA_LABEL                      = MLDSA_2_key
  CKA_ID                         = 0x3030 (00)

The PKCS#11 PIN can be passed directly in the LoginUser parameter, but it will then be stored in plain text in the shell command history. The same applies to the PIN given with -p in the qptool2 command above.
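
The CKA_ID check can also be scripted. The following Python is an added example, not part of the original page or of Utimaco's tooling: it parses a saved ListObjects listing in the layout shown above and reports private keys that have no public key with the same CKA_ID, or whose CKA_EXTRACTABLE is not CK_FALSE. The sample listing is constructed, and the function names and the orphan_key object are assumptions.

```python
import re

# Constructed sample in the ListObjects layout shown above. The object
# "orphan_key" is invented here to demonstrate a failing case.
SAMPLE = """\
CKO_PUBLIC_KEY:

+ 1.1
  CKA_LABEL                      = MLDSA_2_key
  CKA_ID                         = 0x3030 (00)

CKO_PRIVATE_KEY:

+ 2.1
  CKA_SENSITIVE                  = CK_TRUE
  CKA_EXTRACTABLE                = CK_FALSE
  CKA_LABEL                      = MLDSA_2_key
  CKA_ID                         = 0x3030 (00)

+ 2.2
  CKA_EXTRACTABLE                = CK_TRUE
  CKA_LABEL                      = orphan_key
  CKA_ID                         = 0x3031 (01)
"""

def parse_objects(listing):
    """Return one dict per listed object: its class, handle and attributes."""
    objects, cls = [], None
    for line in listing.splitlines():
        line = line.strip()
        if re.fullmatch(r"CKO_\w+:", line):      # section header, e.g. CKO_PUBLIC_KEY:
            cls = line[:-1]
        elif line.startswith("+ "):              # object handle, e.g. "+ 2.1"
            objects.append({"class": cls, "handle": line[2:]})
        elif "=" in line and objects:            # "CKA_NAME = value" attribute line
            name, value = (p.strip() for p in line.split("=", 1))
            objects[-1][name] = value
    return objects

def check_pairs(objects):
    """Return (label, problem) tuples for private keys that fail the checks."""
    pub_ids = {o.get("CKA_ID") for o in objects if o["class"] == "CKO_PUBLIC_KEY"}
    findings = []
    for o in (o for o in objects if o["class"] == "CKO_PRIVATE_KEY"):
        if o.get("CKA_ID") not in pub_ids:
            findings.append((o.get("CKA_LABEL"), "no public key with matching CKA_ID"))
        if o.get("CKA_EXTRACTABLE") != "CK_FALSE":
            findings.append((o.get("CKA_LABEL"), "CKA_EXTRACTABLE is not CK_FALSE"))
    return findings
```

Calling check_pairs(parse_objects(text)) on a saved listing returns an empty list when every private key has a matching public key and is non-extractable.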