3.4.8.2 Generate the U-HSM Private Keys

  1. Open the command prompt as an administrator and change directory to C:\Microsemi\Tools.
  2. Create the SEE Key for encryption using the U-HSMGenImp utility:

    U-HSMGenImp -p g4cusee -g -c <key_signer_hash> -n g4cu-seesk-<U_HSM_UUID>

    U_HSM_UUID: Microchip-assigned UUID

    The "-c" flag must be used as shown in this example. It corresponds to the userdata-signer key installed during the installation of the SEE Integ key (see section Install the SEE Integ Key).

    The following figure shows a sample:

    Figure 3-14. Creating SEE Key for Encryption and Decryption

    The created key is stored in the Security World directory as follows (with the highlighted part corresponding to the customer UUID):

    key_simple_g4cu-seesk-00000000000000000000000000000001

    Once the key is generated, it must be set up in both U-HSMMaster.config files, in the Server and Tools directories, as described in section Update Server and Tools Configuration.

  3. Create the SEE Key for signing using the U-HSMGenImp utility:

    U-HSMGenImp -p g4cusee -g -c <key_signer_hash> -n g4cu-seessk-<U_HSM_UUID> -S

    All of the parameters are the same as in step two, except for the name (that is, seessk vs. seesk) and a flag. The "-S" flag generates the key for the signing operation instead of for encryption.

    The following figure shows a sample:

    Figure 3-15. Creating SEE Key for Signing and Verifying

    The created key is stored in the Security World directory as follows (with the highlighted part corresponding to the customer UUID):

    key_simple_g4cu-seessk-00000000000000000000000000000001
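
A post-generation check for steps 2 and 3, as an added example that is not part of the guide: it confirms that both key files exist under the names shown above and lists any other g4cu-see* key file for review, since the two names differ by a single letter. The function name, the directory parameter (this section does not give the Security World path) and the 32-hex-digit UUID format (inferred from the sample names) are assumptions.

```powershell
# Added example, not from the guide. Assumptions: the Security World directory
# is supplied by the operator, and U_HSM_UUID is 32 hex digits as in the samples.
function Test-SeeKeyFiles {
    param(
        [Parameter(Mandatory)] [string] $SecurityWorldDir,
        [Parameter(Mandatory)] [string] $UHsmUuid
    )
    if ($UHsmUuid -notmatch '^[0-9A-Fa-f]{32}$') {
        throw "U_HSM_UUID '$UHsmUuid' is not 32 hex digits"
    }
    # File names as the guide shows them for steps 2 and 3.
    $expected = [ordered]@{
        "key_simple_g4cu-seesk-$UHsmUuid"  = 'encryption (step 2)'
        "key_simple_g4cu-seessk-$UHsmUuid" = 'signing (step 3, -S)'
    }
    foreach ($name in @($expected.Keys)) {
        $found  = Test-Path -LiteralPath (Join-Path $SecurityWorldDir $name) -PathType Leaf
        $status = if ($found) { 'present' } else { 'MISSING' }
        [pscustomobject]@{ File = $name; Purpose = $expected[$name]; Status = $status }
    }
    # Any other g4cu-see* key file may be a mistyped -n value or a key for another UUID.
    $others = Get-ChildItem -LiteralPath $SecurityWorldDir -File -Filter 'key_simple_g4cu-see*'
    foreach ($f in $others) {
        if (-not $expected.Contains($f.Name)) {
            [pscustomobject]@{ File = $f.Name; Purpose = 'unknown'; Status = 'REVIEW' }
        }
    }
}

# Constructed demo: empty stand-in files in a temp directory. The signing key
# was created under the wrong UUID, so it is reported MISSING plus one REVIEW.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'see-key-check-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$uuid = '00000000000000000000000000000001'
$files = @(
    "key_simple_g4cu-seesk-$uuid",
    'key_simple_g4cu-seessk-00000000000000000000000000000002'
)
foreach ($n in $files) {
    New-Item -ItemType File -Path (Join-Path $demo $n) -Force | Out-Null
}

Test-SeeKeyFiles -SecurityWorldDir $demo -UHsmUuid $uuid | Format-Table -AutoSize
```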