E-Signing

Get started
Step 1
Step 2
Step 3
​E-Signing APIs
Overview
Signed document formats
E-Signing validator
Web Service functions
Insert sign order
Manage sign orders
Get sign order info
Signed documents
Error response
User experience
Functions
Authentication-based signing
Multi-document signing
Notification call back
eIDs
BankID (NO)
BankID (SE)
BankID on mobile (NO)
Buypass
MitID (DK)
Mobiilivarmenne (FI)
Mobile-ID
Nets One time code
Nets Passport Reader
Smart-ID
Verimi
Finnish Bank ID
Test users
Service access
KeyUtil
Operational information
Release notes
Error codes
Web Service error codes
User flow error codes
Terms and expressions
Contact us

KeyUtil

KeyUtil is a tool that can be used to generate RSA key pairs, create certificate requests and ultimately create pkcs#12 based key stores based on imported certificates.

KeyUtil tool provides a command-line interface for software based key stored using the pkcs#12 storage format. The KeyUtil tool can be downloaded here​. 

A description on how to generate a key and import a certificate:

Gener​at​​​e​​ ​​​​a key​​​

​​​​Command: keyutil keygen

Parameters:

  • dn <distinguished name>: given dn must be enclosed by double quotes if it includes spaces and be of the format shown in the example below.
  • pw <Key store password>: pw is the password that protects the private key and must be a regular passphrase.
  • keysize <key size>: keysize is the number of RSA bits. Must be 2048 or 4096.
  • keyfile <file in which to store private key>: keyfile is the file that will contain the protected private key.
  • p10file <file name>: p10file is the file name of the PKCS#10 certificate request. This is the file that shall be sent to Nets upon configuration. 

Example in Unix:

./keyutil.sh keygen -dn "CN=Customer A,O=Customer A,C=NO" –pw password -keysize 2048 –keyfile customerA.key -p10file customerA.p10

Example in dos:

# keyutil keygen -dn "CN=Merchant A,O=Merchant A,C=NO" -pw password -keysize 2048 –keyfile merchantA.key -p10file merchantA.p10

If successful, the output is a Base64 PEM encoded PKCS#10 written to the specified file while status, filenames and PKCS#10 hash is shown on the screen. The key file is created and will be deleted during certificate import.
RSA key pair successfully generated
PKCS#10 certificate request written to customerA.p10
Key file written to customerA.key


Import​​ c​​e​​​rtificate​​​​​​​​​

Command: keyutil import

Parameters:

  • pw <Key store password>: pw is the password used to protect the private key. Set during generation of the key.
  • keyfile <File in which the private key is stored>: keyfile is the file that contains the protected private key.
  • certfile <certificate file>: certfile is the (path and) name of the certificate file in DER, PEM, PKCS7 (.p7b) or Base64format.
  • ​​p12file <The pkcs#12 file to generate>: p12file is the final keysstore containing the certificate and the private key.

​Example in Unix

./keyutil.sh import -pw password –keyfile johnsmith.key –certfile johnsmith.cer –p12file johnsmith.p12​​​​

Example in dos:

# keyutil import -pw password –keyfile johnsmith.key –certfile johnsmith.cer –p12file johnsmith.p12