Usage notes

The usage notes for CSNDT34B.

The TR-34 Bind-Begin verb is used to perform these operations:
  • BINDCR: The TR34 BIND token (CT-KDH) CREATE service.
    • CT-KRD: (INPUT, input_token). Credential token received from KRD, containing Cred-KRD.
    • CRL-CA: (INPUT, crl). Certificate Revocation List from CA.
    • CredKDH: (INPUT, cred_kdh). KDH credential (X.509 certificate) with ID and public key.
    • CredKRD: (OUTPUT, cred_krd). (X.509 certificate) needed for future key distribution calls.
    • CT-KDH: (OUTPUT, output_token). BIND token in DER format.
  • UNBINDCR: The TR34 UNBIND token (UBT-KDH) CREATE service.
    • RT-KRD: (INPUT, input_token). Random number token received from KRD.
    • CRL-CA: (INPUT, crl). Certificate Revocation List from CA.
    • CredKDH: (INPUT, cred_kdh). KDH credential (X.509 certificate) with ID and public key.
    • CredKRD: (INPUT, cred_krd). KRD credential (X.509 certificate) with ID and public key.
    • D-kdh: (INPUT, private_key_identifier). KDH private key used to sign the UNBIND data block.
    • UBT-KDH: (OUTPUT, output_token). UNBIND token in DER format.
  • REBINDCR: The TR34 REBIND token (RBT-KDH) CREATE service.
    • RT-KRD: (INPUT, input_token). Random number token received from KRD.
    • CRL-CA: (INPUT, crl). Certificate Revocation List from CA.
    • CredKDH-new: (INPUT, cred_kdh). New KDH credential (X.509 certificate) with ID and public key.
    • CredKDH-old: (INPUT, old_cred_kdh). Old KDH credential (X.509 certificate) with ID and public key.
    • CredKRD: (INPUT, cred_krd). KRD credential (X.509 certificate) with ID and public key.
    • D-kdh: (INPUT, private_key_identifier). Old private key, needed to sign the REBIND data block.
    • RBT-KDH: (OUTPUT, output_token). REBIND token in DER format.
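Every token this verb consumes (CT-KRD, RT-KRD) or produces (CT-KDH, UBT-KDH, RBT-KDH) travels as DER. Before handing a token received from a KRD to the verb, or before sending a freshly created token to the KRD, it is worth checking that the bytes are strictly DER (definite, minimally encoded lengths, one outer SEQUENCE, no trailing bytes) and seeing the element structure. The following is an added example written for this page, in Python, not IBM code: it does not call CSNDT34B, and SAMPLE_TOKEN is a constructed stand-in built by the small der() encoder, not the real TR-34 token layout.

```python
"""Strict DER TLV walker for inspecting TR-34 tokens (added example, not IBM CCA code)."""
from typing import List, Tuple

class DerError(ValueError):
    """Raised for anything that is not valid, strict DER."""

# Universal tag numbers a practitioner is likely to meet in X.509/CMS-style tokens.
_UNIVERSAL = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
              0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String", 0x10: "SEQUENCE",
              0x11: "SET", 0x13: "PrintableString", 0x17: "UTCTime", 0x18: "GeneralizedTime"}

def _tag_name(cls: int, num: int) -> str:
    if cls == 0x00:
        return _UNIVERSAL.get(num, f"UNIVERSAL {num}")
    if cls == 0x80:
        return f"[{num}]"
    if cls == 0x40:
        return f"[APPLICATION {num}]"
    return f"[PRIVATE {num}]"

def _read_tag(buf: bytes, pos: int) -> Tuple[int, int, bool, int]:
    """Return (class, tag number, constructed?, new position); handles high-tag-number form."""
    if pos >= len(buf):
        raise DerError("truncated tag")
    first = buf[pos]
    pos += 1
    cls, constructed, num = first & 0xC0, bool(first & 0x20), first & 0x1F
    if num == 0x1F:
        num = 0
        while True:
            if pos >= len(buf):
                raise DerError("truncated tag")
            b = buf[pos]
            pos += 1
            num = (num << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return cls, num, constructed, pos

def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, new position). DER requires definite, minimal length encoding."""
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0:
        raise DerError("indefinite length is not permitted in DER")
    if nbytes > 4 or pos + nbytes > len(buf):
        raise DerError("length field too long or truncated")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    # Long form must be needed (>= 0x80) and must have no leading zero byte.
    if length < 0x80 or buf[pos] == 0:
        raise DerError("non-minimal length encoding")
    return length, pos + nbytes

def walk(buf: bytes, start: int = 0, end: int = None, depth: int = 0) -> List[Tuple[int, str, int]]:
    """Walk TLVs in buf[start:end]; return (depth, tag name, content length) per element."""
    end = len(buf) if end is None else end
    entries, pos = [], start
    while pos < end:
        cls, num, constructed, pos = _read_tag(buf, pos)
        length, pos = _read_length(buf, pos)
        if pos + length > end:
            raise DerError("element overruns its container")
        entries.append((depth, _tag_name(cls, num), length))
        if constructed:
            entries.extend(walk(buf, pos, pos + length, depth + 1))
        pos += length
    return entries

def parse_token(token: bytes) -> List[Tuple[int, str, int]]:
    """Require one outer SEQUENCE that spans the whole buffer, then walk it."""
    if not token or token[0] != 0x30:
        raise DerError("token does not start with a SEQUENCE")
    _, _, _, pos = _read_tag(token, 0)
    length, pos = _read_length(token, pos)
    if pos + length != len(token):
        raise DerError("outer SEQUENCE length does not match token size (truncated or trailing bytes)")
    return walk(token)

def is_strict_der(token: bytes) -> bool:
    """Boolean wrapper suitable for a pre-flight check before calling the verb."""
    try:
        parse_token(token)
        return True
    except DerError:
        return False

def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

# Constructed sample (assumption: not a real TR-34 token): SEQUENCE { INTEGER 1,
# OCTET STRING "KRD-0001", SEQUENCE { OID rsaEncryption 1.2.840.113549.1.1.1 } }.
SAMPLE_TOKEN = der(0x30, der(0x02, b"\x01") + der(0x04, b"KRD-0001")
                   + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101"))))

if __name__ == "__main__":
    for depth, name, length in parse_token(SAMPLE_TOKEN):
        print("  " * depth + f"{name} ({length} bytes)")
```

Run it on a token dumped from output_token (or on input_token before the call); the walker rejects BER-only encodings that a lenient parser might accept and that the service is likely to refuse, so the failure surfaces on your side rather than as a verb return code.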
Notes:
  1. This verb supports PCI-HSM 2016 compliant-tagged key tokens.
  2. The RT-KRD token can be created with correct formatting using the RT-KRD processing of the CSNBRNGL service. See Random Number Generate Long (CSNBRNGL) for more details.
  3. RSA 2048-bit and 3072-bit keys are supported by CCA. A 3072-bit RSA key gives security strength comparable to a 128-bit AES key (a 2048-bit key gives about 112 bits). TR-34 explicitly specifies only RSA 2048-bit keys, so some vendors support only that key size.