PKA key management

You can generate RSA and ECC keys using the PKA Key Generate verb (CSNDPKG), or a comparable product from another vendor.

Figure 1. PKA key management

You can use the PKA Key Generate verb to generate internal and external PKA tokens. You can also generate RSA keys on another system and then import them to the cryptographic coprocessor. To input a clear RSA key, create the token with the PKA Key Token Build verb and import it using the PKA Key Import verb. To input an encrypted RSA key, use the PKA Key Import verb.

In either case, use the PKA Key Token Build verb to create a skeleton key token as input (see PKA Key Token Build (CSNDPKB)).

The PKA Key Import verb uses the clear token from the PKA Key Token Build verb or a clear or encrypted token from the CCA system to securely import the key token into operational form for the coprocessor to use. CCA does not permit the export of the imported PKA key.

The PKA Public Key Extract verb builds a public key token from a private key token.

Application RSA public and private keys can be stored in the PKA key storage file.

Verbs for PKA key management

CCA provides the following verbs for PKA key management:

  • PKA Key Generate (CSNDPKG)
  • PKA Key Import (CSNDPKI)
  • PKA Key Token Build (CSNDPKB)
  • PKA Key Token Change (CSNDKTC)
  • PKA Key Translate (CSNDPKT)
  • PKA Public Key Extract (CSNDPKX)
  • Remote Key Export (CSNDRKX)
  • Trusted Block Create (CSNDTBC)