Standard keypair commands
This section covers commands that you use in SMCTL to manage keypairs. These commands are: describe, generate, list, import, suspend, unsuspend, update, update access, manage keypair profiles, and generate certificate with keypair. Use flags to specify command parameters.
Commands
To view keypair commands, run:
smctl keypair --help
or
smctl kp -h
Subcommands
Keypair commands begin with:
smctl keypair <subcommand>
The keypair commands support these subcommands and flags:
Shortcut | Subcommand | Description |
---|---|---|
desc | describe | Describe a keypair. |
gen | generate | Generate a keypair. |
gen-cert | generate-cert | Generate a certificate for an existing keypair. |
ls | list | List keypairs. |
 | import | Import a keypair. |
 | profile | List or describe a keypair profile. |
 | | Refresh a dynamic keypair and the default certificate (if one exists). |
 | | Rotate the keypair for the provided key rotation. |
 | suspend | Set keypair status to offline. |
 | unsuspend | Set keypair status to online. |
 | update | Update a keypair. |
 | update-access | Update access to a keypair. |
-h | --help | Help for managing keypairs. |
Describe keypair
Use this command to identify the following information about a specific keypair:
Keypair ID
Keypair alias
Key algorithm
Key size
Key curve
Keypair status
Keypair type
Keypair category
Key storage
Public key
Access
Users who have access to keypair
Associated team
Dynamic key ID
Command
Describe keypair commands begin with:
smctl keypair describe
or
smctl kp desc
Flags
The describe keypair command supports these flags:
Shortcut | Flag | Description |
---|---|---|
 | --account-id string | Account ID for the user. Format: --account-id="<account ID>" |
-h | --help | Help for describing a keypair. |
Example
Description: Describe the keypair for the provided keypair ID.
Command:
smctl keypair describe <keypair id>
Command sample:
smctl kp desc 54868080-c4fb-4ea8-99cc-490329a1953e
Command output
Keypair ID: 54868080-c4fb-4ea8-99cc-490329a1953e
Keypair alias: kp-1
Key algorithm: RSA - 4096
Key size: 4096
Key curve:
Keypair status: ONLINE
Keypair type: STATIC
Keypair category: PRODUCTION
Key storage: DISK
Public key: <base64-encoded public key>
Default certificate: <base64-encoded certificate>
Access: Open
Users: []
Groups: []
Restricted to team: -
Dynamic key ID:
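The describe output lends itself to an automated policy check. The following is an added example, not DigiCert code: it assumes the command prints one "Field: value" pair per line using the field names from the sample above, and the function names and the RSA size threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not DigiCert code): policy check over `smctl keypair describe` output.
# Assumes one "Field: value" pair per line, with the field names from the sample above.

MIN_RSA_BITS=3072   # assumed local policy threshold; adjust to your own standard

# Reads describe output on stdin; prints one finding per line, nothing if clean.
audit_keypair() {
    awk -v min_rsa="$MIN_RSA_BITS" '
        {
            sep = index($0, ":")              # split at the first colon only
            if (sep == 0) next
            name  = substr($0, 1, sep - 1)
            value = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            field[name] = value
        }
        END {
            id   = field["Keypair ID"]
            prod = (field["Keypair category"] == "PRODUCTION")
            if (prod && field["Key storage"] == "DISK")
                print id ": production key stored on DISK instead of an HSM"
            if (prod && field["Access"] == "Open")
                print id ": production key is open to every user in the account"
            if (field["Key algorithm"] ~ /^RSA/ && field["Key size"] + 0 < min_rsa + 0)
                print id ": RSA key size " field["Key size"] " is below " min_rsa
        }'
}

# Constructed sample modelled on the output above (key and certificate blobs omitted).
sample_describe_output() {
    cat <<'EOF'
Keypair ID: 54868080-c4fb-4ea8-99cc-490329a1953e
Keypair alias: kp-1
Key algorithm: RSA - 4096
Key size: 4096
Key curve:
Keypair status: ONLINE
Keypair type: STATIC
Keypair category: PRODUCTION
Key storage: DISK
Public key: <base64 omitted>
Access: Open
Users: []
Groups: []
Restricted to team: -
Dynamic key ID:
EOF
}

sample_describe_output | audit_keypair
# Live use: smctl keypair describe <keypair id> | audit_keypair
```
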
Generate keypair
Generate keypair commands begin with:
smctl keypair generate
or
smctl kp gen
Subcommands
Generate keypair commands support these subcommands:
Subcommand | Description |
---|---|
profile | Generate key using keypair profile. |
ecdsa | Generate a keypair with ECDSA algorithm. |
eddsa | Generate a keypair with EdDSA algorithm. |
rsa | Generate a keypair with RSA algorithm. |
Flags
Generate keypair commands support these flags:
Shortcut | Flag | Description |
---|---|---|
 | --auto-renew string | Auto-renew this certificate. |
 | --cert-alias string | Specify an alias for the default certificate you want to create. |
 | --generate-cert | Generate a certificate (default false). |
 | --groups string | Group IDs for keypair. Format: --groups="<value>" |
 | --hsm-partition-id string | Provide the HSM partition ID to specify which HSM you want the keypair to be stored on. |
 | --restricted | Restricted (can only be used by users and groups that are mapped to the keypair) or open (available to all users in the account). Default is restricted. |
 | --users string | User IDs for keypair. Format: --users="<value>" |
 | --team-id string | Assign the keypair to a team by specifying the team ID. |
 | --account-id string | Account ID for the user. Format: --account-id="<value>" |
-h | --help | Help for generating keypairs. |
Examples
Generate a keypair
Generate a keypair when keypair profiles are not enabled on the account.
Command:
smctl keypair generate <algorithm> <keypair alias>
Command sample:
smctl keypair generate rsa keypair-alias-kp1
Generate a keypair on a specific HSM
Generate a keypair on a specific HSM.
Command:
smctl kp gen <algorithm> <keypair alias> --key-storage HSM --hsm-partition-id=<HSM ID>
Command sample:
smctl kp gen rsa keypair1 --key-storage HSM --hsm-partition-id=386425F3GD207A379FAE38426
Generate key with keypair profile ID
Generate a keypair with the specified keypair profile ID. This command is used when keypair profiles are enabled on the account.
Command:
smctl keypair generate profile <keypair alias> <keypair profile id>
Command sample:
smctl keypair generate profile kp1 6109c7ab-c47f-4a3e-a6ea-57203016d725
Generate a key and certificate with different aliases
Generate a keypair and certificate with different aliases by providing an alias for the keypair, an alias for the certificate, and the certificate profile ID. This command is used when certificate profiles are enabled on the account.
Command:
smctl keypair generate <algorithm> <key alias> --generate-cert --cert-alias <cert alias> --cert-profile-id <cert_profile_ID>
Command sample:
smctl keypair generate rsa RSA-KP-1 --generate-cert --cert-alias CERT-1 --cert-profile-id 022df79f-e684-4788-be16-b490cbfbc46c
Generate certificate for existing keypair
Generate certificate commands begin with:
smctl keypair generate-cert
or
smctl kp gen-cert
Flags
Generate certificate commands support these flags:
Shortcut | Flag | Description |
---|---|---|
 | --cert-alias string | Alias for the certificate. Format: --cert-alias="<value>" |
 | --cert-profile-id string | Certificate profile ID. Format: --cert-profile-id="<value>" |
 | --custom-fields stringToString | Custom fields in case of CertCentral profile. Default is []. Format: --custom-fields="<value>" |
 | --set-as-default-cert | Set as default certificate for keypair. If this is not set, the generated certificate becomes the default certificate. |
 | --account-id string | Account ID for the user. Format: --account-id="<value>" |
 | --help | Help for generate-cert with existing keypair. |
Examples
Generate a certificate
Generate a certificate by providing the keypair ID.
Command:
smctl keypair generate-cert <keypair id>
Command sample:
smctl keypair generate-cert 7747527b-6cc0-4ccf-8099-a6df1bf90bc14
Generate a key and certificate with different aliases
Generate a keypair and certificate with different aliases by providing an alias for the keypair, an alias for the certificate, and the certificate profile ID. This command is used when certificate profiles are enabled on the account.
Command:
smctl keypair generate rsa <key alias> --generate-cert --cert-alias <cert alias> --cert-profile-id <cert_profile_ID>
Command sample:
smctl keypair generate rsa RSA-KP-1 --generate-cert --cert-alias CERT-1 --cert-profile-id 022df79f-e684-4788-be16-b490cbfbc46c
Import keypair
Import keypair commands begin with:
smctl keypair import
Flags
Import keypair commands support these flags:
Shortcut | Flag | Description |
---|---|---|
 | --der | .der format (default .pem) |
-o | --offline | Import keypair in offline mode. |
 | --account-id string | Account ID for the user. Format: --account-id="<value>" |
-h | --help | Help for importing a keypair. |
Example
Description: Import the keypair with the specified alias in .pem format.
Command:
smctl keypair import <keypair alias> <path to private key file>
Command sample:
smctl keypair import keypair-dynamic-alias C:\Users\Name\Desktop\keypair.pem
List keypairs
List keypair commands begin with:
smctl keypair list
or
smctl kp ls
Flags
The list keypair command supports these flags:
Shortcut | Flag | Description |
---|---|---|
-f | --filter stringToString | Use to filter by: Format: --filter="<value>" |
 | --page int | Page number. Default is -1, which displays all pages. |
 | --size int | Page size. Default is 100. |
 | --account-id string | Use to list keypairs in your non-primary account by providing the Account ID associated with your username. Format: --account-id="<account ID>" |
-h | --help | Use to see all command options related to listing keypairs. |
Examples
List all keypairs
List all keypairs in your account. This command is useful to identify keypair aliases and IDs.
Command
smctl keypair ls
Command sample
smctl keypair ls
Command output
ID | Key Modal TYPE | ALIAS | ALGORITHM & SIZE/CURVE | STATUS | TYPE | STORAGE | CERTIFICATE |
---|---|---|---|---|---|---|---|
aab2e7b8-eb69-4a6b-b02f | STATIC | kp-1 | RSA - 3072 | ONLINE | PRODUCTION | HSM | ea84d89e-8c8a-4f20 |
455768c5-5e4a-47b3-8fe0 | DYNAMIC | kp-2 | ECDSA - P384 | OFFLINE | TEST | DISK | b9f65b65-ef63-4b61 |
List a specific keypair
List a specific keypair by providing the keypair alias. This command is useful to identify keypair aliases and IDs.
Command:
smctl keypair ls --filter alias=<keypair alias>
Command sample:
smctl keypair ls --filter alias=kp-1
Command output
ID | Key Modal TYPE | ALIAS | ALGORITHM & SIZE/CURVE | STATUS | TYPE | STORAGE | CERTIFICATE |
---|---|---|---|---|---|---|---|
aab2e7b8-eb69-4a6b-b02f | STATIC | kp-1 | RSA - 3072 | ONLINE | PRODUCTION | HSM | ea84d89e-8c8a-4f20 |
List or describe keypair profiles
Requirements
Using keypair profiles is an account-level control.
Your account admin can permit or prohibit other users from working with keypair profiles.
You can only use this flow if you have enabled keypair profiles as a requirement for keypair generation.
You must specify the alias and algorithm at the time of generation if keypair profiles are not enabled.
Command
Keypair profile commands begin with:
smctl keypair profile
or
smctl kp profile
or
smctl keypair profiles
or
smctl keypair keypairprofile
or
smctl keypair keyprofiles
Subcommands
Keypair profile commands support these subcommands:
Shortcut | Subcommand | Description |
---|---|---|
desc | describe | Get details for a keypair profile ID. |
ls | list | List keypair profiles. |
Describe keypair profile
Describe keypair profile commands begin with:
smctl keypair profile describe
or
smctl kp profile desc
Flags
Describe keypair profile commands support these flags:
Shortcut | Flag | Description |
---|---|---|
 | --account-id string | Account ID for the user. Format: --account-id="<value>" |
-h | --help | Help for keypair profiles. |
Example
Description: Describe the keypair profile with the provided keypair profile ID.
Command:
smctl keypair profiles describe <keypair profile id> <account id string>
Command sample:
smctl keypair profiles describe a609c6e6-fc89-48ff-a071-1d7001580452
List keypair profile
List keypair profile commands begin with:
smctl keypair profile list
or
smctl kp profile ls
Flags
List keypair profile commands support these flags:
Shortcut | Flag | Description |
---|---|---|
 | --account-id string | Account ID for the user. Format: --account-id="<value>" |
-h | --help | Help for keypair profiles. |
Example
Description: List the keypair profile with the specified keypair profile alias.
Command:
smctl keypair profiles list --filter name=<keypair profile alias>
Command sample:
smctl keypair profiles list --filter name=keypair-profile-name
Suspend keypair
To switch a keypair to offline mode:
Note
Suspend a keypair to put it in offline mode. Keypairs in offline mode cannot be used to sign unless brought online or scheduled for use via an offline release.
Suspend keypair commands begin with:
smctl keypair suspend
or
smctl kp suspend
Flags
The suspend keypair command supports these flags:
Shortcut | Flags | Description |
---|---|---|
 | --account-id string | Account ID for the user. Format: --account-id="<value>" |
-h | --help | Help for suspend keypair. |
Example
Description: Switch the keypair to offline mode by providing the keypair ID.
Command
smctl keypair suspend <keypair id>
Command sample
smctl keypair suspend a609c6e6-fc89-48ff-a071-1d7001580452
Unsuspend keypair
The unsuspend keypair command switches the keypair to online mode.
Note
Offline keypairs cannot be used to sign unless brought online or scheduled for use via an offline release.
Unsuspend keypair commands begin with:
smctl keypair unsuspend
or
smctl kp unsuspend
Flags
The unsuspend keypair command supports these flags:
Shortcut | Flag | Description |
---|---|---|
 | --account-id string | Account ID for the user. Format: --account-id="<value>" |
-h | --help | Help for unsuspend. |
Example
Description: Switch the keypair to online mode by providing the keypair ID.
Command:
smctl keypair unsuspend <keypair id>
Command sample:
smctl keypair unsuspend a609c6e6-fc89-48ff-a071-1d7001580452
Update keypair
Update keypair commands begin with:
smctl keypair update
or
smctl kp update
Flags
The update keypair command supports these flags:
Shortcut | Flag | Description |
---|---|---|
 | --alias string | Alias for the keypair. Format: --alias="<value>" |
 | --default-cert-id string | Default certificate ID. Format: --default-cert-id="<value>" |
 | --account-id string | Account ID for the user. Format: --account-id="<value>" |
-h | --help | Help for update. |
Example
Description: Change the keypair alias for the specified keypair ID.
Command:
smctl keypair update <keypair id> --alias=<new keypair alias>
Command sample:
smctl keypair update a609c6e6-fc89-48ff-a071-1d7001580452 --alias=new-keypair-alias
Update keypair access
Update keypair access commands begin with:
smctl keypair update-access
or
smctl kp update-access
Flags
The update keypair access command supports these flags:
Shortcut | Flag | Description |
---|---|---|
 | --groups string | Group IDs for keypair. Format: --groups="<value>" |
 | --operation string | Overwrites the keypair access with the provided input. Format: --operation="<value>" |
 | --operation add | Used to add to the existing user or groups. |
 | --operation remove | Used to remove the specified inputs from users or groups. |
 | --restricted | Restricted or open. The default is restricted. |
 | --users string | User IDs for keypair. Format: --users="<value>" |
 | --account-id string | Account ID for the user. Format: --account-id="<value>" |
-h | --help | Help for update-access. |
Examples
Description: Update keypair access for the provided keypair ID with the specified groups.
Command:
smctl keypair update-access <keypair ID> --groups <user group ID>
Command sample:
smctl keypair update-access a609c6e6-fc89-48ff-a071-1d7001580452 --groups 15cd4b2a-699c-4466-8c58-ceaee3e63583
Description: Update keypair access for the provided keypair ID by adding the specified group to the existing access.
Command:
smctl keypair update-access <keypair ID> --groups <user group ID> --operation <overwrite, add or remove>
Command sample:
smctl keypair update-access a609c6e6-fc89-48ff-a071-1d7001580452 --groups 7dcf0e76-362c-4410-b521-fef05b10c661 --operation add
Description: Update keypair access for the provided keypair ID by removing the specified group from the existing access.
Command:
smctl keypair update-access <keypair ID> --groups <user group ID> --operation <overwrite, add or remove>
Command sample:
smctl keypair update-access a609c6e6-fc89-48ff-a071-1d7001580452 --groups 7dcf0e76-362c-4410-b521-fef05b10c661 --operation remove