AWS Tools for Windows PowerShell
Command Reference

AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Synopsis

Calls the Payment Cryptography Control Plane ImportKey API operation.

Syntax

Import-PAYCCKey
-DiffieHellmanTr31KeyBlock_CertificateAuthorityPublicKeyIdentifier <String>
-Tr34KeyBlock_CertificateAuthorityPublicKeyIdentifier <String>
-TrustedCertificatePublicKey_CertificateAuthorityPublicKeyIdentifier <String>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Decrypt <Boolean>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Decrypt <Boolean>
-KeyModesOfUse_Decrypt <Boolean>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_DeriveKey <Boolean>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_DeriveKey <Boolean>
-KeyModesOfUse_DeriveKey <Boolean>
-DiffieHellmanTr31KeyBlock_DeriveKeyAlgorithm <SymmetricKeyAlgorithm>
-Enabled <Boolean>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Encrypt <Boolean>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Encrypt <Boolean>
-KeyModesOfUse_Encrypt <Boolean>
-KeyCryptogram_Exportable <Boolean>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Generate <Boolean>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Generate <Boolean>
-KeyModesOfUse_Generate <Boolean>
-KeyCryptogram_ImportToken <String>
-Tr34KeyBlock_ImportToken <String>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyAlgorithm <KeyAlgorithm>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyAlgorithm <KeyAlgorithm>
-KeyAttributes_KeyAlgorithm <KeyAlgorithm>
-Tr34KeyBlock_KeyBlockFormat <Tr34KeyBlockFormat>
-KeyCheckValueAlgorithm <KeyCheckValueAlgorithm>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyClass <KeyClass>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyClass <KeyClass>
-KeyAttributes_KeyClass <KeyClass>
-DiffieHellmanTr31KeyBlock_KeyDerivationFunction <KeyDerivationFunction>
-DiffieHellmanTr31KeyBlock_KeyDerivationHashAlgorithm <KeyDerivationHashAlgorithm>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyUsage <KeyUsage>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyUsage <KeyUsage>
-KeyAttributes_KeyUsage <KeyUsage>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_NoRestrictions <Boolean>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_NoRestrictions <Boolean>
-KeyModesOfUse_NoRestriction <Boolean>
-DiffieHellmanTr31KeyBlock_PrivateKeyIdentifier <String>
-DiffieHellmanTr31KeyBlock_PublicKeyCertificate <String>
-RootCertificatePublicKey_PublicKeyCertificate <String>
-TrustedCertificatePublicKey_PublicKeyCertificate <String>
-Tr34KeyBlock_RandomNonce <String>
-ReplicationRegion <String[]>
-DerivationData_SharedInformation <String>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Sign <Boolean>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Sign <Boolean>
-KeyModesOfUse_Sign <Boolean>
-Tr34KeyBlock_SigningKeyCertificate <String>
-Tag <Tag[]>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Unwrap <Boolean>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Unwrap <Boolean>
-KeyModesOfUse_Unwrap <Boolean>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Verify <Boolean>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Verify <Boolean>
-KeyModesOfUse_Verify <Boolean>
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Wrap <Boolean>
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Wrap <Boolean>
-KeyModesOfUse_Wrap <Boolean>
-DiffieHellmanTr31KeyBlock_WrappedKeyBlock <String>
-Tr31KeyBlock_WrappedKeyBlock <String>
-Tr34KeyBlock_WrappedKeyBlock <String>
-KeyCryptogram_WrappedKeyCryptogram <String>
-Tr34KeyBlock_WrappingKeyCertificate <String>
-Tr31KeyBlock_WrappingKeyIdentifier <String>
-Tr34KeyBlock_WrappingKeyIdentifier <String>
-KeyCryptogram_WrappingSpec <WrappingKeySpec>
-Select <String>
-Force <SwitchParameter>
-ClientConfig <AmazonPaymentCryptographyConfig>

Description

Imports symmetric keys and public key certificates in PEM format (base64 encoded) into Amazon Web Services Payment Cryptography. Amazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With ImportKey you can import symmetric keys using either symmetric and asymmetric key exchange mechanisms. For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm, RSA unwrap, and ECDH (Elliptic Curve Diffie-Hellman) key exchange mechanisms. Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK) or Zone Master Key (ZMK). After which you can import working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography. PCI requires specific minimum key strength of wrapping keys used to protect the keys being exchanged electronically. These requirements can change when PCI standards are revised. The rules specify that wrapping keys used for transport must be at least as strong as the key being protected. For more information on recommended key strength of wrapping keys and key exchange mechanism, see Importing and exporting keys in the Amazon Web Services Payment Cryptography User Guide. You can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate. To import a public root key certificate Using this operation, you can import the public component (in PEM cerificate format) of your private root key. You can use the imported public root key certificate for digital signatures, for example signing wrapping key or signing key in TR-34, within your Amazon Web Services Payment Cryptography account. Set the following parameters:
  • KeyMaterial: RootCertificatePublicKey
  • KeyClass: PUBLIC_KEY
  • KeyModesOfUse: Verify
  • KeyUsage: TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE
  • PublicKeyCertificate: The public key certificate in PEM format (base64 encoded) of the private root key under import.
To import a trusted public key certificate The root public key certificate must be in place and operational before you import a trusted public key certificate. Set the following parameters:
  • KeyMaterial: TrustedCertificatePublicKey
  • CertificateAuthorityPublicKeyIdentifier: KeyArn of the RootCertificatePublicKey.
  • KeyModesOfUse and KeyUsage: Corresponding to the cryptographic operations such as wrap, sign, or encrypt that you will allow the trusted public key certificate to perform.
  • PublicKeyCertificate: The trusted public key certificate in PEM format (base64 encoded) under import.
To import initial keys (KEK or ZMK or similar) using TR-34 Using this operation, you can import initial key using TR-34 asymmetric key exchange. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During the key import process, KDH is the user who initiates the key import and KRD is Amazon Web Services Payment Cryptography who receives the key. To initiate TR-34 key import, the KDH must obtain an import token by calling GetParametersForImport. This operation generates an encryption keypair for the purpose of key import, signs the key and returns back the wrapping key certificate (also known as KRD wrapping certificate) and the root certificate chain. The KDH must trust and install the KRD wrapping certificate on its HSM and use it to encrypt (wrap) the KDH key during TR-34 WrappedKeyBlock generation. The import token and associated KRD wrapping certificate expires after 30 days. Next the KDH generates a key pair for the purpose of signing the encrypted KDH key and provides the public certificate of the signing key to Amazon Web Services Payment Cryptography. The KDH will also need to import the root certificate chain of the KDH signing certificate by calling ImportKey for RootCertificatePublicKey. For more information on TR-34 key import, see section Importing symmetric keys in the Amazon Web Services Payment Cryptography User Guide. Set the following parameters:
  • KeyMaterial: Use Tr34KeyBlock parameters.
  • CertificateAuthorityPublicKeyIdentifier: The KeyARN of the certificate chain that signed the KDH signing key certificate.
  • ImportToken: Obtained from KRD by calling GetParametersForImport.
  • WrappedKeyBlock: The TR-34 wrapped key material from KDH. It contains the KDH key under import, wrapped with KRD wrapping certificate and signed by KDH signing private key. This TR-34 key block is typically generated by the KDH Hardware Security Module (HSM) outside of Amazon Web Services Payment Cryptography.
  • SigningKeyCertificate: The public key certificate in PEM format (base64 encoded) of the KDH signing key generated under the root certificate (CertificateAuthorityPublicKeyIdentifier) imported in Amazon Web Services Payment Cryptography.
To import initial keys (KEK or ZMK or similar) using RSA Wrap and Unwrap Using this operation, you can import initial key using asymmetric RSA wrap and unwrap key exchange method. To initiate import, call GetParametersForImport with KeyMaterial set to KEY_CRYPTOGRAM to generate an import token. This operation also generates an encryption keypair for the purpose of key import, signs the key and returns back the wrapping key certificate in PEM format (base64 encoded) and its root certificate chain. The import token and associated KRD wrapping certificate expires after 30 days. You must trust and install the wrapping certificate and its certificate chain on the sending HSM and use it to wrap the key under export for WrappedKeyCryptogram generation. Next call ImportKey with KeyMaterial set to KEY_CRYPTOGRAM and provide the ImportToken and KeyAttributes for the key under import. To import working keys using TR-31 Amazon Web Services Payment Cryptography uses TR-31 symmetric key exchange norm to import working keys. A KEK must be established within Amazon Web Services Payment Cryptography by using TR-34 key import or by using CreateKey. To initiate a TR-31 key import, set the following parameters:
  • KeyMaterial: Use Tr31KeyBlock parameters.
  • WrappedKeyBlock: The TR-31 wrapped key material. It contains the key under import, encrypted using KEK. The TR-31 key block is typically generated by a HSM outside of Amazon Web Services Payment Cryptography.
  • WrappingKeyIdentifier: The KeyArn of the KEK that Amazon Web Services Payment Cryptography uses to decrypt or unwrap the key under import.
To import working keys using ECDH You can also use ECDH key agreement to import working keys as a TR-31 keyblock, where the wrapping key is an ECDH derived key. To initiate a TR-31 key import using ECDH, both sides must create an ECC key pair with key usage K3 and exchange public key certificates. In Amazon Web Services Payment Cryptography, you can do this by calling CreateKey and then GetPublicKeyCertificate to retrieve its public key certificate. Next, you can then generate a TR-31 WrappedKeyBlock using your own ECC key pair, the public certificate of the service's ECC key pair, and the key derivation parameters including key derivation function, hash algorithm, derivation data, and key algorithm. If you have not already done so, you must import the CA chain that issued the receiving public key certificate by calling ImportKey with input RootCertificatePublicKey for root CA or TrustedPublicKey for intermediate CA. To complete the TR-31 key import, you can use the following parameters. It is important that the ECDH key derivation parameters you use should match those used during import to derive the same shared wrapping key within Amazon Web Services Payment Cryptography.
  • KeyMaterial: Use DiffieHellmanTr31KeyBlock parameters.
  • PrivateKeyIdentifier: The KeyArn of the ECC key pair created within Amazon Web Services Payment Cryptography to derive a shared KEK.
  • PublicKeyCertificate: The public key certificate of the receiving ECC key pair in PEM format (base64 encoded) to derive a shared KEK.
  • CertificateAuthorityPublicKeyIdentifier: The keyARN of the CA that signed the public key certificate of the receiving ECC key pair.
Cross-account use: This operation can't be used across different Amazon Web Services accounts. Related operations:

Parameters

-ClientConfig <AmazonPaymentCryptographyConfig>
Amazon.PowerShell.Cmdlets.PAYCC.AmazonPaymentCryptographyClientCmdlet.ClientConfig
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-DerivationData_SharedInformation <String>
A string containing information that binds the ECDH derived key to the two parties involved or to the context of the key.It may include details like identities of the two parties deriving the key, context of the operation, session IDs, and optionally a nonce. It must not contain zero bytes. It is not recommended to reuse shared information for multiple ECDH key derivations, as it could result in derived key material being the same across different derivations.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_DiffieHellmanTr31KeyBlock_DerivationData_SharedInformation
-DiffieHellmanTr31KeyBlock_CertificateAuthorityPublicKeyIdentifier <String>
The keyARN of the CA that signed the PublicKeyCertificate for the client's receiving ECC key pair.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_DiffieHellmanTr31KeyBlock_CertificateAuthorityPublicKeyIdentifier
-DiffieHellmanTr31KeyBlock_DeriveKeyAlgorithm <SymmetricKeyAlgorithm>
The key algorithm of the shared derived ECDH key.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_DiffieHellmanTr31KeyBlock_DeriveKeyAlgorithm
-DiffieHellmanTr31KeyBlock_KeyDerivationFunction <KeyDerivationFunction>
The key derivation function to use when deriving a key using ECDH.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_DiffieHellmanTr31KeyBlock_KeyDerivationFunction
-DiffieHellmanTr31KeyBlock_KeyDerivationHashAlgorithm <KeyDerivationHashAlgorithm>
The hash type to use when deriving a key using ECDH.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_DiffieHellmanTr31KeyBlock_KeyDerivationHashAlgorithm
-DiffieHellmanTr31KeyBlock_PrivateKeyIdentifier <String>
The keyARN of the asymmetric ECC key created within Amazon Web Services Payment Cryptography.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_DiffieHellmanTr31KeyBlock_PrivateKeyIdentifier
-DiffieHellmanTr31KeyBlock_PublicKeyCertificate <String>
The public key certificate of the client's receiving ECC key pair, in PEM format (base64 encoded), to use for ECDH key derivation.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_DiffieHellmanTr31KeyBlock_PublicKeyCertificate
-DiffieHellmanTr31KeyBlock_WrappedKeyBlock <String>
The ECDH wrapped key block to import.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_DiffieHellmanTr31KeyBlock_WrappedKeyBlock
-Enabled <Boolean>
Specifies whether import key is enabled.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-Force <SwitchParameter>
This parameter overrides confirmation prompts to force the cmdlet to continue its operation. This parameter should always be used with caution.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyAttributes_KeyAlgorithm <KeyAlgorithm>
The key algorithm to be use during creation of an Amazon Web Services Payment Cryptography key.For symmetric keys, Amazon Web Services Payment Cryptography supports AES and TDES algorithms. For asymmetric keys, Amazon Web Services Payment Cryptography supports RSA and ECC_NIST algorithms.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyAlgorithm
-KeyAttributes_KeyClass <KeyClass>
The type of Amazon Web Services Payment Cryptography key to create, which determines the classification of the cryptographic method and whether Amazon Web Services Payment Cryptography key contains a symmetric key or an asymmetric key pair.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyClass
-KeyAttributes_KeyUsage <KeyUsage>
The cryptographic usage of an Amazon Web Services Payment Cryptography key as defined in section A.5.2 of the TR-31 spec.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyUsage
-KeyCheckValueAlgorithm <KeyCheckValueAlgorithm>
The algorithm that Amazon Web Services Payment Cryptography uses to calculate the key check value (KCV). It is used to validate the key integrity.For TDES keys, the KCV is computed by encrypting 8 bytes, each with value of zero, with the key to be checked and retaining the 3 highest order bytes of the encrypted result. For AES keys, the KCV is computed using a CMAC algorithm where the input data is 16 bytes of zero and retaining the 3 highest order bytes of the encrypted result.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyCryptogram_Exportable <Boolean>
Specifies whether the key is exportable from the service.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_KeyCryptogram_Exportable
-KeyCryptogram_ImportToken <String>
The import token that initiates key import using the asymmetric RSA wrap and unwrap key exchange method into AWS Payment Cryptography. It expires after 30 days. You can use the same import token to import multiple keys to the same service account.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_KeyCryptogram_ImportToken
-KeyCryptogram_WrappedKeyCryptogram <String>
The RSA wrapped key cryptogram under import.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_KeyCryptogram_WrappedKeyCryptogram
-KeyCryptogram_WrappingSpec <WrappingKeySpec>
The wrapping spec for the wrapped key cryptogram.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_KeyCryptogram_WrappingSpec
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyAlgorithm <KeyAlgorithm>
The key algorithm to be use during creation of an Amazon Web Services Payment Cryptography key.For symmetric keys, Amazon Web Services Payment Cryptography supports AES and TDES algorithms. For asymmetric keys, Amazon Web Services Payment Cryptography supports RSA and ECC_NIST algorithms.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyClass <KeyClass>
The type of Amazon Web Services Payment Cryptography key to create, which determines the classification of the cryptographic method and whether Amazon Web Services Payment Cryptography key contains a symmetric key or an asymmetric key pair.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Decrypt <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to decrypt data.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_DeriveKey <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to derive new keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Encrypt <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to encrypt data.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Generate <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to generate and verify other card and PIN verification keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_NoRestrictions <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key has no special restrictions other than the restrictions implied by KeyUsage.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Sign <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used for signing.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Unwrap <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to unwrap other keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Verify <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to verify signatures.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyModesOfUse_Wrap <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to wrap other keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_KeyCryptogram_KeyAttributes_KeyUsage <KeyUsage>
The cryptographic usage of an Amazon Web Services Payment Cryptography key as defined in section A.5.2 of the TR-31 spec.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyAlgorithm <KeyAlgorithm>
The key algorithm to be use during creation of an Amazon Web Services Payment Cryptography key.For symmetric keys, Amazon Web Services Payment Cryptography supports AES and TDES algorithms. For asymmetric keys, Amazon Web Services Payment Cryptography supports RSA and ECC_NIST algorithms.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyClass <KeyClass>
The type of Amazon Web Services Payment Cryptography key to create, which determines the classification of the cryptographic method and whether Amazon Web Services Payment Cryptography key contains a symmetric key or an asymmetric key pair.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Decrypt <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to decrypt data.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_DeriveKey <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to derive new keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Encrypt <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to encrypt data.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Generate <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to generate and verify other card and PIN verification keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_NoRestrictions <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key has no special restrictions other than the restrictions implied by KeyUsage.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Sign <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used for signing.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Unwrap <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to unwrap other keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Verify <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to verify signatures.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyModesOfUse_Wrap <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to wrap other keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyMaterial_RootCertificatePublicKey_KeyAttributes_KeyUsage <KeyUsage>
The cryptographic usage of an Amazon Web Services Payment Cryptography key as defined in section A.5.2 of the TR-31 spec.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-KeyModesOfUse_Decrypt <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to decrypt data.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyModesOfUse_Decrypt
-KeyModesOfUse_DeriveKey <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to derive new keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyModesOfUse_DeriveKey
-KeyModesOfUse_Encrypt <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to encrypt data.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyModesOfUse_Encrypt
-KeyModesOfUse_Generate <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to generate and verify other card and PIN verification keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyModesOfUse_Generate
-KeyModesOfUse_NoRestriction <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key has no special restrictions other than the restrictions implied by KeyUsage.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyModesOfUse_NoRestrictions
-KeyModesOfUse_Sign <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used for signing.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyModesOfUse_Sign
-KeyModesOfUse_Unwrap <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to unwrap other keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyModesOfUse_Unwrap
-KeyModesOfUse_Verify <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to verify signatures.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyModesOfUse_Verify
-KeyModesOfUse_Wrap <Boolean>
Specifies whether an Amazon Web Services Payment Cryptography key can be used to wrap other keys.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_KeyAttributes_KeyModesOfUse_Wrap
-ReplicationRegion <String[]>
Starting with version 4 of the SDK this property will default to null. If no data for this property is returned from the service the property will also be null. This was changed to improve performance and allow the SDK and caller to distinguish between a property not set or a property being empty to clear out a value. To retain the previous SDK behavior set the AWSConfigs.InitializeCollections static property to true.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesReplicationRegions
-RootCertificatePublicKey_PublicKeyCertificate <String>
Parameter information for root public key certificate import.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_RootCertificatePublicKey_PublicKeyCertificate
-Select <String>
Use the -Select parameter to control the cmdlet output. The default value is 'Key'. Specifying -Select '*' will result in the cmdlet returning the whole service response (Amazon.PaymentCryptography.Model.ImportKeyResponse). Specifying the name of a property of type Amazon.PaymentCryptography.Model.ImportKeyResponse will result in that property being returned. Specifying -Select '^ParameterName' will result in the cmdlet returning the selected cmdlet parameter value.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-Tag <Tag[]>
Assigns one or more tags to the Amazon Web Services Payment Cryptography key. Use this parameter to tag a key when it is imported. To tag an existing Amazon Web Services Payment Cryptography key, use the TagResource operation.Each tag consists of a tag key and a tag value. Both the tag key and the tag value are required, but the tag value can be an empty (null) string. You can't have more than one tag on an Amazon Web Services Payment Cryptography key with the same tag key. If you specify an existing tag key with a different tag value, Amazon Web Services Payment Cryptography replaces the current tag value with the specified one.Don't include personal, confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.Tagging or untagging an Amazon Web Services Payment Cryptography key can allow or deny permission to the key. Starting with version 4 of the SDK this property will default to null. If no data for this property is returned from the service the property will also be null. This was changed to improve performance and allow the SDK and caller to distinguish between a property not set or a property being empty to clear out a value. To retain the previous SDK behavior set the AWSConfigs.InitializeCollections static property to true.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesTags
-Tr31KeyBlock_WrappedKeyBlock <String>
The TR-31 wrapped key block to import.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr31KeyBlock_WrappedKeyBlock
-Tr31KeyBlock_WrappingKeyIdentifier <String>
The KeyARN of the key that will decrypt or unwrap a TR-31 key block during import.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr31KeyBlock_WrappingKeyIdentifier
-Tr34KeyBlock_CertificateAuthorityPublicKeyIdentifier <String>
The KeyARN of the certificate chain that signs the signing key certificate during TR-34 key import.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr34KeyBlock_CertificateAuthorityPublicKeyIdentifier
-Tr34KeyBlock_ImportToken <String>
The import token that initiates key import using the asymmetric TR-34 key exchange method into Amazon Web Services Payment Cryptography. It expires after 30 days. You can use the same import token to import multiple keys to the same service account.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr34KeyBlock_ImportToken
-Tr34KeyBlock_KeyBlockFormat <Tr34KeyBlockFormat>
The key block format to use during key import. The only value allowed is X9_TR34_2012.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr34KeyBlock_KeyBlockFormat
-Tr34KeyBlock_RandomNonce <String>
A random number value that is unique to the TR-34 key block generated using 2 pass. The operation will fail, if a random nonce value is not provided for a TR-34 key block generated using 2 pass.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr34KeyBlock_RandomNonce
-Tr34KeyBlock_SigningKeyCertificate <String>
The public key component in PEM certificate format of the private key that signs the KDH TR-34 WrappedKeyBlock.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr34KeyBlock_SigningKeyCertificate
-Tr34KeyBlock_WrappedKeyBlock <String>
The TR-34 wrapped key block to import.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr34KeyBlock_WrappedKeyBlock
-Tr34KeyBlock_WrappingKeyCertificate <String>
Key Identifier used for unwrapping the import key
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr34KeyBlock_WrappingKeyCertificate
-Tr34KeyBlock_WrappingKeyIdentifier <String>
Key Identifier used for unwrapping the import key
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_Tr34KeyBlock_WrappingKeyIdentifier
-TrustedCertificatePublicKey_CertificateAuthorityPublicKeyIdentifier <String>
The KeyARN of the root public key certificate or certificate chain that signs the trusted public key certificate import.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_CertificateAuthorityPublicKeyIdentifier
-TrustedCertificatePublicKey_PublicKeyCertificate <String>
Parameter information for trusted public key certificate import.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesKeyMaterial_TrustedCertificatePublicKey_PublicKeyCertificate

Common Credential and Region Parameters

-AccessKey <String>
The AWS access key for the user account. This can be a temporary access key if the corresponding session token is supplied to the -SessionToken parameter.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesAK
-Credential <AWSCredentials>
An AWSCredentials object instance containing access and secret key information, and optionally a token for session-based credentials.
Required?False
Position?Named
Accept pipeline input?True (ByValue, ByPropertyName)
-EndpointUrl <String>
The endpoint to make the call against.Note: This parameter is primarily for internal AWS use and is not required/should not be specified for normal usage. The cmdlets normally determine which endpoint to call based on the region specified to the -Region parameter or set as default in the shell (via Set-DefaultAWSRegion). Only specify this parameter if you must direct the call to a specific custom endpoint.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
-NetworkCredential <PSCredential>
Used with SAML-based authentication when ProfileName references a SAML role profile. Contains the network credentials to be supplied during authentication with the configured identity provider's endpoint. This parameter is not required if the user's default network identity can or should be used during authentication.
Required?False
Position?Named
Accept pipeline input?True (ByValue, ByPropertyName)
-ProfileLocation <String>
Used to specify the name and location of the ini-format credential file (shared with the AWS CLI and other AWS SDKs)If this optional parameter is omitted this cmdlet will search the encrypted credential file used by the AWS SDK for .NET and AWS Toolkit for Visual Studio first. If the profile is not found then the cmdlet will search in the ini-format credential file at the default location: (user's home directory)\.aws\credentials.If this parameter is specified then this cmdlet will only search the ini-format credential file at the location given.As the current folder can vary in a shell or during script execution it is advised that you use specify a fully qualified path instead of a relative path.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesAWSProfilesLocation, ProfilesLocation
-ProfileName <String>
The user-defined name of an AWS credentials or SAML-based role profile containing credential information. The profile is expected to be found in the secure credential file shared with the AWS SDK for .NET and AWS Toolkit for Visual Studio. You can also specify the name of a profile stored in the .ini-format credential file used with the AWS CLI and other AWS SDKs.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesStoredCredentials, AWSProfileName
-Region <Object>
The system name of an AWS region or an AWSRegion instance. This governs the endpoint that will be used when calling service operations. Note that the AWS resources referenced in a call are usually region-specific.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesRegionToCall
-SecretKey <String>
The AWS secret key for the user account. This can be a temporary secret key if the corresponding session token is supplied to the -SessionToken parameter.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesSK, SecretAccessKey
-SessionToken <String>
The session token if the access and secret keys are temporary session-based credentials.
Required?False
Position?Named
Accept pipeline input?True (ByPropertyName)
AliasesST

Outputs

Amazon.PaymentCryptography.Model.Key or Amazon.PaymentCryptography.Model.ImportKeyResponse
This cmdlet returns an Amazon.PaymentCryptography.Model.Key object. The service call response (type Amazon.PaymentCryptography.Model.ImportKeyResponse) can be returned by specifying '-Select *'.
AWS Tools for PowerShell User Guide

Supported Version

AWS Tools for PowerShell: 2.x.y.z