
HAB4_PKI_TREE(1) i.MX CST Documentation HAB4_PKI_TREE(1)

NAME

ahab_pki_tree, hab4_pki_tree - generate a basic PKI tree for secure boot on NXP i.MX processors

SYNOPSIS

ahab_pki_tree -existing-ca yn [-ca-key name -ca-cert name] -kt algo -kl param -duration years -num-srk nr -srk-ca yn [--help]
hab4_pki_tree -existing-ca yn [-ca-key name -ca-cert name] -kt algo -kl param -duration years -num-srk nr -srk-ca yn [--help]

NOTE

This manpage is a short description of NXP ahab_pki_tree and hab4_pki_tree. For a detailed discussion refer to the Code Signing Tool User Guide UG10106, section 4.1.1. The user guide can be obtained from www.nxp.com and is excluded from Debian for copyright reasons.

DESCRIPTION

ahab_pki_tree and hab4_pki_tree generate a basic PKI tree. The PKI tree consists of a Certificate Authority (CA) and one or more Super Root Keys (SRK). With the ahab variant, each SRK has one subordinate Signing Key (SGK). The hab4 variant creates one subordinate Command Sequence File (CSF) key and one image (IMG) key for each SRK. Additional keys can later be added with the add_key tool.

The following files and directories, relative to the current working directory, are expected, or are created if they do not exist.

crts
  Directory where the X.509 public key certificates for CA, SRK, SGK, CSF and IMG are looked up and created. Every certificate is written in both PEM and DER format.

The naming convention is name.pem, where name is the argument supplied with -ca-cert name and -ca-key name.

Directory where the private keys corresponding to the certificates in crts are looked up and created. All keys are in PKCS #8 syntax and are encoded in both PEM and DER format.

Text file containing the password used to protect the private keys. The password is written twice, one copy per line, for example

  my_password
  my_password

The same password is used for all private keys. Default password is "test".

The tools will load general settings from the system wide OpenSSL configuration file.

OPTIONS

-existing-ca yn
  y to use an existing CA key, or n to generate a CA key and certificate from scratch. If y, the -ca-key and -ca-cert options must be specified.

-ca-key name
  If -existing-ca was y, this option specifies the existing CA key.

-ca-cert name
  If -existing-ca was y, this option specifies the existing CA certificate.

-kt algo
  Public key algorithm to use. One of rsa, rsa-pss, ecc.

-kl param
  For algo ecc, one of p256, p384, p521.

  For algo rsa and rsa-pss, one of 2048, 3072, 4096.

-duration years
  Validity period of the PKI tree in years.

-num-srk nr
  Number of SRKs to generate. Must be between 1 and 4.

-srk-ca yn
  y to generate SRK certificates with the CA flag set. Such SRK certificates can be used to issue other certificates.

  n to generate user certificates.

--help
  Print help text.

EXAMPLES

To generate a HAB4 PKI tree with two SRKs:

  hab4_pki_tree -existing-ca n -kt rsa -kl 4096 -duration 5 -num-srk 2 -srk-ca y
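The following POSIX shell script is an added example; it is not part of this manpage or of the NXP CST tools. It reproduces with plain OpenSSL the hab4 tree layout described under DESCRIPTION and requested by the invocation above (a CA, SRK certificates with the CA flag set as with -srk-ca y, and one CSF and one IMG user certificate per SRK, with password-protected PKCS #8 keys in PEM and DER under crts and keys), and then checks the properties a secure boot setup depends on: every SRK is a CA certificate chaining to the root CA, every CSF and IMG certificate chains through its SRK, and every private key opens with the stored password. The file names, subject names, the password file name keys/pass.txt, RSA as the key type and the default validity are assumptions chosen here, not CST's own naming.

```shell
#!/bin/sh
# Added example, not part of NXP CST: build and check a minimal hab4-style PKI
# tree with plain OpenSSL, mirroring the layout the manpage describes:
#   CA1 -> SRKn (CA flag set, as with -srk-ca y) -> CSFn_1 and IMGn_1 user certs.
# Assumptions chosen here (not from the manpage): the file names, the subject
# names, RSA as the key type, and the password file name keys/pass.txt.
set -eu

# Validity in days for the manpage's -duration argument given in years.
days_for_years() {
    echo $(( $1 * 365 ))
}

# One password-protected PKCS #8 private key, written in PEM and DER.
# $1 = output stem, $2 = password file, $3 = RSA key length in bits
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$3" \
        -aes-256-cbc -pass "file:$2" -out "$1.pem" 2>/dev/null
    openssl pkcs8 -topk8 -in "$1.pem" -passin "file:$2" -passout "file:$2" \
        -outform DER -out "$1.der"
}

# Certificate for $1 (subject key), signed by $2 (issuer key) and $3 (issuer cert).
# $4 = output stem, $5 = CN, $6 = CA:TRUE or CA:FALSE, $7 = password file, $8 = days
issue_cert() {
    openssl req -new -key "$1" -passin "file:$7" -subj "/CN=$5" -out "$4.csr"
    printf 'basicConstraints=critical,%s\n' "$6" > "$4.ext"
    openssl x509 -req -in "$4.csr" -CA "$3" -CAkey "$2" -passin "file:$7" \
        -CAcreateserial -days "$8" -extfile "$4.ext" -out "$4.pem"
    openssl x509 -in "$4.pem" -outform DER -out "$4.der"
    rm -f "$4.csr" "$4.ext"
}

# build_tree ROOT YEARS BITS NUM_SRK: creates ROOT/crts and ROOT/keys.
build_tree() {
    root="$1"; years="$2"; bits="$3"; num_srk="$4"
    days=$(days_for_years "$years")
    mkdir -p "$root/crts" "$root/keys"
    pass="$root/keys/pass.txt"
    printf 'test\ntest\n' > "$pass"        # default password "test", written twice
    # Self-signed root CA with the CA flag set.
    gen_key "$root/keys/CA1_key" "$pass" "$bits"
    openssl req -new -key "$root/keys/CA1_key.pem" -passin "file:$pass" \
        -subj "/CN=CA1" -out "$root/crts/CA1.csr"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$root/crts/CA1.ext"
    openssl x509 -req -in "$root/crts/CA1.csr" -signkey "$root/keys/CA1_key.pem" \
        -passin "file:$pass" -days "$days" -extfile "$root/crts/CA1.ext" \
        -out "$root/crts/CA1_crt.pem"
    openssl x509 -in "$root/crts/CA1_crt.pem" -outform DER -out "$root/crts/CA1_crt.der"
    rm -f "$root/crts/CA1.csr" "$root/crts/CA1.ext"
    i=1
    while [ "$i" -le "$num_srk" ]; do
        # SRK issued by the CA, itself a CA so it can issue CSF and IMG certificates.
        gen_key "$root/keys/SRK${i}_key" "$pass" "$bits"
        issue_cert "$root/keys/SRK${i}_key.pem" "$root/keys/CA1_key.pem" \
            "$root/crts/CA1_crt.pem" "$root/crts/SRK${i}_crt" "SRK$i" CA:TRUE "$pass" "$days"
        for kind in CSF IMG; do        # hab4 variant: one CSF and one IMG key per SRK
            gen_key "$root/keys/${kind}${i}_1_key" "$pass" "$bits"
            issue_cert "$root/keys/${kind}${i}_1_key.pem" "$root/keys/SRK${i}_key.pem" \
                "$root/crts/SRK${i}_crt.pem" "$root/crts/${kind}${i}_1_crt" \
                "${kind}${i}_1" CA:FALSE "$pass" "$days"
        done
        i=$((i + 1))
    done
}

# verify_tree ROOT NUM_SRK: returns 0 only if every SRK is a CA certificate that
# chains to CA1, each CSF/IMG certificate chains through its SRK, the DER copies
# parse, and every private key is encrypted PKCS #8 that opens with the password.
verify_tree() {
    root="$1"; num_srk="$2"; pass="$root/keys/pass.txt"; ca="$root/crts/CA1_crt.pem"
    i=1
    while [ "$i" -le "$num_srk" ]; do
        srk="$root/crts/SRK${i}_crt.pem"
        openssl x509 -in "$srk" -noout -text | grep -q 'CA:TRUE' || return 1
        openssl verify -CAfile "$ca" "$srk" >/dev/null || return 1
        for kind in CSF IMG; do
            openssl verify -CAfile "$ca" -untrusted "$srk" \
                "$root/crts/${kind}${i}_1_crt.pem" >/dev/null || return 1
            openssl x509 -in "$root/crts/${kind}${i}_1_crt.der" -inform DER -noout || return 1
        done
        for key in CA1 "SRK$i" "CSF${i}_1" "IMG${i}_1"; do
            grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$root/keys/${key}_key.pem" || return 1
            openssl pkey -in "$root/keys/${key}_key.pem" -passin "file:$pass" -noout || return 1
        done
        i=$((i + 1))
    done
}

# Stand-alone run: sh pki_tree_demo.sh demo   (same shape as the manpage example: 2 SRKs)
case "${1:-}" in
    demo) build_tree ./pki_demo 5 2048 2; verify_tree ./pki_demo 2 && echo "tree OK" ;;
esac
```

The verify_tree function is the part worth keeping around: run it against a tree produced by the real tool (adjusting the file names to CST's own) before handing the SRK table to srktool, because a tree whose SRK certificates lack the CA flag, or whose keys do not open with the password in the password file, will only fail later in the signing flow.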

SEE ALSO

add_key(1), cst(1), srktool(1), config(5ssl)

2026-01-30