3.4.9.2 Generate the M-HSM Private Keys

  1. Open the command prompt as an administrator and change directory to C:\Microsemi\Tools.
  2. Create the SEE Key for encryption using the M-HSMGenImp utility:

    M-HSMGenImp -p g4cmsee -g -c <key_signer_hash> -n g4cm-seesk-<M_HSM_UUID>

    M_HSM_UUID: Microchip-assigned UUID

    The "-c" flag must be used as shown in this example. It corresponds to the userdata-signer key installed during the installation of the SEE Integ key (see section Install the SEE Integ Key).

    The following figure shows a sample:

    Figure 3-13. Creating SEE Key for Encryption and Decryption

    The created key is stored in the Security World directory as follows (with the highlighted part corresponding to the Manufacturer UUID):

    key_simple_g4cm-seesk-0000000000000000000000000000000000000002

    Once the key is generated, it must be set up in both M-HSMMaster.config files, in the Server and Tools directories, as described in section Update Server and Tools Configuration File.

  3. Create the SEE Key for signing using the M-HSMGenImp utility:

    M-HSMGenImp -p g4cmsee -g -c <key_signer_hash> -n g4cm-seessk-<M_HSM_UUID> -S

    All of the parameters are the same as in step 2 except for the name (seessk instead of seesk) and one additional flag. The "-S" flag generates the key for the signing operation instead of for encryption.

    The following figure shows a sample.

    Figure 3-14. Creating SEE Key for Signing and Verifying

    The created key is stored in the Security World directory as follows (with the highlighted part corresponding to the Manufacturer UUID):

    key_simple_g4cm-seessk-0000000000000000000000000000000000000002
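
A post-generation check for steps 2 and 3, as an added example that is not part of the Microchip documentation: it confirms that both key files exist in the Security World directory under the names shown above and lists any other `g4cm-see*` key file for review. The parameters `$WorldDir` and `$Uuid` are assumptions supplied by the operator; the page does not state the Security World path.

```powershell
# Added example, not Microchip code. Save as a .ps1 file and run after steps 2 and 3.
# Assumptions: -WorldDir is the site's Security World directory and -Uuid is the
# Microchip-assigned M_HSM_UUID used in both M-HSMGenImp commands.
param(
    [Parameter(Mandatory)] [string] $WorldDir,
    [Parameter(Mandatory)] [string] $Uuid
)

# File names the page gives for the encryption key (step 2) and signing key (step 3).
$expected = [ordered]@{
    'encryption (step 2)'  = "key_simple_g4cm-seesk-$Uuid"
    'signing (step 3, -S)' = "key_simple_g4cm-seessk-$Uuid"
}

$missing = 0
foreach ($role in $expected.Keys) {
    $path = Join-Path $WorldDir $expected[$role]
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $f = Get-Item -LiteralPath $path
        '{0,-22} OK       {1}  ({2} bytes, {3:u})' -f $role, $f.Name, $f.Length, $f.LastWriteTime
    } else {
        '{0,-22} MISSING  {1}' -f $role, $expected[$role]
        $missing++
    }
}

# Any other g4cm-see* key file has a name or UUID that differs from the one given,
# for example seesk/seessk mistyped or a key generated for another UUID.
$strays = Get-ChildItem -LiteralPath $WorldDir -Filter 'key_simple_g4cm-see*' -File |
    Where-Object { $expected.Values -notcontains $_.Name }
foreach ($s in $strays) { "unexpected key file: $($s.Name)" }

# Non-zero exit code lets a provisioning script stop before the config files are edited.
if ($missing -gt 0) { exit 1 }
```

The check only covers file names and presence; it does not confirm that the signing key was created with the "-S" flag.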