Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

ID 683453
Date 3/06/2020
Public

3.5.1. OpenSSL Key Creation

When using OpenSSL, create a private key first and then derive the corresponding public key from it. The PACSign OpenSSL manager requires specific tags in the key file names, in the following format: key_<image_type>_<key_type>_<key_visibility>_key.pem.
Table 4. PACSign OpenSSL Manager Key File Name Requirements

Filename tag: image_type
  Options:
  • pr
  • sr
  Description: Identifies the image type, partial reconfiguration or static region, for which the key is intended.
  • For Intel® PAC with Intel® Arria® 10 GX FPGA, use: key_pr_<key_type>_<key_section>_key.pem

Filename tag: key_type
  Options:
  • root
  • csk<x>
  Description: Identifies the key type. <x> specifies an ID that you use for cancellation.
  • Example: key_pr_csk12_private_key.pem

Filename tag: key_visibility
  Options:
  • public
  • private
  Description: Identifies the key visibility.

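The following example creates a root key and two code signing keys (CSK1 and CSK2) using OpenSSL. In the output, OpenSSL reports the curve as prime256v1, which is its name for secp256r1; the message is informational.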

  1. Create the root private key:
    [PACSign_Demo]$ openssl ecparam -name secp256r1 -genkey -noout \
    -out key_pr_root_private_key.pem
    Output:
    using curve name prime256v1 instead of secp256r1
  2. Create the root public key:
    [PACSign_Demo]$ openssl ec -in key_pr_root_private_key.pem -pubout \
    -out key_pr_root_public_key.pem
    Output:
    read EC key
    writing EC key
  3. Create private CSK1:
    [PACSign_Demo]$ openssl ecparam -name secp256r1 -genkey -noout \
    -out key_pr_csk1_private_key.pem
    Output:
    using curve name prime256v1 instead of secp256r1
  4. Create public CSK1:
    [PACSign_Demo]$ openssl ec -in key_pr_csk1_private_key.pem -pubout \
    -out key_pr_csk1_public_key.pem
    Output:
    read EC key
    writing EC key
  5. Create private CSK2:
    [PACSign_Demo]$ openssl ecparam -name secp256r1 -genkey -noout \
    -out key_pr_csk2_private_key.pem
    Output:
    using curve name prime256v1 instead of secp256r1
  6. Create public CSK2:
    [PACSign_Demo]$ openssl ec -in key_pr_csk2_private_key.pem -pubout \
    -out key_pr_csk2_public_key.pem
    Output:
    read EC key
    writing EC key
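
The following script is an added example, not part of Intel's guide or of PACSign: it audits key files produced by the steps above, checking the file name tags from Table 4, that the private key file is not accessible to group or others, that the curve is prime256v1, and that the public key file was derived from the private key. It assumes the <x> in csk<x> is a decimal number; the function names and the script name audit_keys.sh are illustrative.

```sh
#!/bin/sh
# Added example, not Intel's code: audit key files made with the steps above.
# Assumption: the <x> in csk<x> is a decimal number (as in csk1, csk12).

# Split key_<image_type>_<key_type>_<key_visibility>_key.pem into its tags.
parse_key_name() {
    base=${1##*/}
    case $base in key_*_*_*_key.pem) ;; *) return 1 ;; esac
    tags=${base#key_}; tags=${tags%_key.pem}
    image=${tags%%_*}; rest=${tags#*_}
    ktype=${rest%%_*}; vis=${rest#*_}
    case $image in pr|sr) ;; *) return 1 ;; esac
    case $vis in public|private) ;; *) return 1 ;; esac
    case $ktype in
        root) ;;
        csk*) case ${ktype#csk} in ''|*[!0-9]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    echo "$image $ktype $vis"
}

# Check one private key file; prints the first problem found, returns non-zero.
check_private_key() {
    priv=$1
    tags=$(parse_key_name "$priv") || { echo "$priv: bad file name"; return 1; }
    case $tags in *" private") ;; *) echo "$priv: not a private key name"; return 1 ;; esac
    # Group/other permission bits are characters 5-10 of the ls mode string.
    [ "$(ls -ld "$priv" | cut -c5-10)" = "------" ] ||
        { echo "$priv: accessible by group or others"; return 1; }
    # ecparam reports secp256r1 as prime256v1, so that is the name to expect.
    openssl ec -in "$priv" -noout -text 2>/dev/null | grep -q 'ASN1 OID: prime256v1' ||
        { echo "$priv: not a prime256v1 key"; return 1; }
    # The public file must hold the point derived from this private key.
    pub=${priv%_private_key.pem}_public_key.pem
    [ -f "$pub" ] || { echo "$pub: missing"; return 1; }
    want=$(openssl ec -in "$priv" -pubout 2>/dev/null)
    have=$(openssl ec -pubin -in "$pub" -pubout 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$have" ] ||
        { echo "$pub: does not match $priv"; return 1; }
    echo "$priv: ok ($tags)"
}

# Usage: sh audit_keys.sh key_pr_*_private_key.pem
for f in "$@"; do check_private_key "$f"; done
```

If the permission check fails on keys created with the steps above, tighten them with chmod 600 on each private key file.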