key generate-file

The key generate-file command exports an asymmetric key from the HSM. If the target is a private key, then the reference to the private key will be exported in fake PEM format. If the target is a public key, then the public key bytes will be exported in PEM format.

The fake PEM file, which does not contain the actual private key material but instead references the private key in the HSM, can be used to establish SSL/TLS offloading from your web server to AWS CloudHSM. For more information, see SSL/TLS offloading.

User type

The following types of users can run this command.

• Crypto users (CUs)

Requirements

To run this command, you must be logged in as a CU.

Syntax

aws-cloudhsm > help key generate-file
Generate a key file from a key in the HSM cluster. This command does not export any private key data from the HSM

Usage: key generate-file --encoding <ENCODING> --path <PATH> --filter [<FILTER>...]

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --encoding <ENCODING>
          Encoding format for the key file

          Possible values:
          - reference-pem: PEM formatted key reference (supports private keys)
          - pem:           PEM format (supports public keys)

      --path <PATH>
          Filepath where the key file will be written

      --filter [<FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key for file generation

  -h, --help
          Print help (see a summary with '-h')

Example

This example shows how to use key generate-file to generate a key file in your AWS CloudHSM cluster.

aws-cloudhsm > key generate-file --encoding reference-pem --path /tmp/ec-private-key.pem --filter attr.label="ec-test-private-key"
{
  "error_code": 0,
  "data": {
    "message": "Successfully generated key file"
  }
}

Arguments

<CLUSTER_ID>

The ID of the cluster to run this operation on.

Required: If multiple clusters have been configured.

<FILTER>

Key reference (for example, key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key for deletion.

For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI

Required: No

<ENCODING>

Specifies the encoding format for the key file

Required: Yes

<PATH>

Specifies the file path where the key file will be written

Required: Yes

Related topics

• Key attributes for CloudHSM CLI

• Using CloudHSM CLI to filter keys

• key generate-asymmetric-pair

• key generate-symmetric