crypto-import

This command uses an input file to create a certificate or a key. For a key, the crypto file is created on the HSM.

Syntax

Create a certificate
crypto-import cert name input file
Create a key on an HSM-enabled appliance
crypto-import key name input file [password-alias alias]
crypto-import key name input file [password password]

Parameters

key name
The name of the key to create.
cert name
The name of the certificate to create.
input file
The name and location of the file to import.
password password
The password that encrypted the input file. This parameter is mutually exclusive with the password-alias parameter.
password-alias alias
The alias of the password that encrypted the input file. This parameter is mutually exclusive with the password parameter.

Guidelines

The crypto-import command uses an input file to create a certificate or a key. For a key, the crypto file is created on the HSM. The following scenarios are available for keys.
  • Import a key that is in the temporary: directory. In this case, the key might be password-protected, and if so it requires the password parameter.
  • Import a key that is exported with the crypto-export command from the HSM with the key-wrapping key. In this case, the key file is wrapped with the key-wrapping key and a password is never used. The key-wrapping key must be cloned with the hsm-clone-kwk command on the appliance.

The export and import of a private key are constrained to its application domain. In other words, the DataPower® domain of the export must be the same application domain for the import. For example, if the export is from the myDomain1 domain, you must be in the myDomain1 domain on another appliance to import it.

Examples

  • Create the bob certificate from the exportBob.xml export package in the temporary directory.
    # crypto-import cert bob input temporary:///exportBob.xml
  • Create the bobKey private key on the HSM from the bobKey.pem file in the temporary directory. The key file is password-protected. The password is provided as an argument. You can later export the private key from the HSM with the HSM key-wrapping key method.
    # crypto-import key bobKey input temporary:///bobKey.pem password pass1word2
  • Create the bobHSMKey key on the HSM from the exportBobHSMKey.xml package in the temporary directory. The package was exported from another HSM-equipped appliance with the key-wrapping key. No password argument is used to import a key that was exported from an HSM.
    # crypto-import key bobHSMKey input temporary:///exportBobHSMKey.xml