| ADD_KEY(1) | i.MX CST Documentation | ADD_KEY(1) |
NAME
add_key - add new keys to an existing PKI tree for secure boot on NXP i.MX processors
SYNOPSIS
- Interactive mode
- add_key
- Non-interactive mode
- add_key -ver hab_version -key-name name -kt algo -kl param [-md algo] -duration years -srk yn [-srk-ca yn] -signing-key name -signing-crt name
NOTE
This manpage is a short description of NXP add_key. For a detailed discussion refer to the Code Signing Tool User Guide UG10106, section 4.1.5. The user guide can be obtained from www.nxp.com and is excluded from Debian for copyright reasons.
DESCRIPTION
add_key adds an SRK or CSF/IMG/SGK key to an existing PKI tree that was previously created with ahab_pki_tree or hab4_pki_tree in the crts and keys subdirectories.
Both directories are expected in the current working directory.
If no arguments are provided, the command starts in interactive mode and will prompt for options.
OPTIONS
- -ver hab_version
- The HAB version of the PKI tree. Either 4 for HAB4 or a for AHAB.
- -key-name name
- Name of the key to be generated.
- -kt algo
- Public key algorithm to use. One of rsa, rsa-pss, ecc.
- -kl param
- For algo ecc, one of p256, p384, p521.
For algo rsa and rsa-pss, the key length in bits. One of 2048, 3072, 4096.
- -md algo
- The hash function to use.
This option is only valid for hab_version a and can be one of sha256, sha384, sha512.
For hab_version 4, the hash function is fixed to sha256.
- -duration years
- Validity period of the generated certificate in years.
- -srk yn
- y to generate a new SRK key, or n to generate a CSF/IMG/SGK key.
- -srk-ca yn
- y to generate SRK certificates where the CA flag is set. Such SRK certificates can be used to issue other certificates.
n to generate user certificates.
- -signing-key file
- Path to existing signing key in PEM or DER encoding. If -srk was y, file must specify the CA key. If -srk was n, file must specify the SRK.
- -signing-crt file
- Path to existing signing certificate. If -srk was y, file must specify the CA certificate. If -srk was n, file must specify the SRK certificate.
- --help
- Print help text.
EXAMPLES
As a starting point, generate a PKI tree with two SRKs. This must be done in a directory where the current user has write permissions.
hab4_pki_tree -existing-ca n -kt rsa -kl 4096 -duration 5 -num-srk 2 -srk-ca y
Then, to add a new SRK to the PKI tree:
add_key -ver 4 -key-name SRK3 -kt rsa -kl 4096 -duration 5 -srk y -srk-ca y -signing-key keys/CA1_sha256_4096_65537_v3_ca_key.pem -signing-crt crts/CA1_sha256_4096_65537_v3_ca_crt.pem
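The following pre-flight check is an added example, not part of the CST or the NXP documentation. It validates a non-interactive argument list against the rules in OPTIONS before add_key is run, using the -signing-crt spelling from SYNOPSIS and the command above. The helper name check_add_key_args and the whole-number rule for -duration are assumptions.

```shell
#!/bin/sh
# Added example (not part of the CST): pre-flight check of non-interactive
# add_key arguments against the rules in OPTIONS. check_add_key_args is a
# hypothetical helper name. The body runs in a subshell, so nothing leaks.
check_add_key_args() (
    die() { echo "add_key args: $*" >&2; exit 1; }
    ver= name= kt= kl= md= dur= srk= srk_ca= skey= scrt=
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || die "missing value for $1"
        case $1 in
            -ver) ver=$2 ;;
            -key-name) name=$2 ;;
            -kt) kt=$2 ;;
            -kl) kl=$2 ;;
            -md) md=$2 ;;
            -duration) dur=$2 ;;
            -srk) srk=$2 ;;
            -srk-ca) srk_ca=$2 ;;
            -signing-key) skey=$2 ;;
            -signing-crt) scrt=$2 ;;
            *) die "unknown option $1" ;;
        esac
        shift 2
    done
    case $ver in 4|a) ;; *) die "-ver must be 4 or a" ;; esac
    [ -n "$name" ] || die "-key-name is required"
    # The key length must match the algorithm family.
    case $kt:$kl in
        rsa:2048|rsa:3072|rsa:4096) ;;
        rsa-pss:2048|rsa-pss:3072|rsa-pss:4096) ;;
        ecc:p256|ecc:p384|ecc:p521) ;;
        *) die "-kl '$kl' is not valid for -kt '$kt'" ;;
    esac
    # -md is only accepted for AHAB; HAB4 is fixed to sha256.
    case $ver:$md in
        4:|a:|a:sha256|a:sha384|a:sha512) ;;
        4:*) die "-md is only valid with -ver a" ;;
        *) die "-md must be sha256, sha384 or sha512" ;;
    esac
    # Assumption: the duration is a whole number of years.
    case $dur in ''|*[!0-9]*) die "-duration must be a number of years" ;; esac
    case $srk in y|n) ;; *) die "-srk must be y or n" ;; esac
    case $srk_ca in ''|y|n) ;; *) die "-srk-ca must be y or n" ;; esac
    [ -r "$skey" ] || die "cannot read signing key '$skey'"
    [ -r "$scrt" ] || die "cannot read signing certificate '$scrt'"
)
```

In a provisioning script, call it as check_add_key_args "$@" && add_key "$@" so that a rejected argument list never reaches the key generation step.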
SEE ALSO
| 2026-01-30 |