Hello:
I could not find any documentation on creating DKEK Key Domain workflows, so I experimented with what I believed was the correct approach in SmartCard Shell (v3.18.61).
I am looking for feedback, in case I may have missed something.
For my initial use case: creating an EC root private key for an external CA and backing up the private key.
1. Initialize the token
   - Choose “Key Domains”
   - Enter one or more Key Domains to create
2. Authenticate with the User PIN
3. Choose a key domain and create a DKEK Key Domain from its context options
   - Choose several DKEK shares to use
   - Optionally give the Key Domain a label
4. Create a DKEK share file from the token’s context options
   - Choose “DKEK Share as File”
   - Enter a password and confirm it for the DKEK share
5. From the Key Domain’s context options, choose “Import DKEK Share”
   - Choose “Import DKEK Share from File”
   - Choose the file generated in step 4
   - Enter the password from step 4
6. From the Key Domain’s context options, choose “Generate ECC key”
   - Choose a curve
   - Provide a label for the key
   - Accept the Key Reference
   - Choose the required algorithms (ECDSA_SHA384, DEFAULT_SIGN) plus WRAP
7. In the newly created key’s context window, choose Wrap Key (and Certificate)
   - Choose a file name for the DKEK-wrapped private key/certificate
To create additional keys within a Key Domain, repeat steps 6 and 7.
To create additional Key Domains with DKEK shares, repeat steps 2 through 7.
Thanks for your input