Generating New Keys
Crescendo Manager allows you to generate new public-private key pairs with your tokens.
To generate a new key pair with the selected token:
- Go to the Certificates view in the left navigation pane.
- Click the Generate link on the desired slot.
- The Generate Key, CSR or Certificate dialog opens, with the New key generation action and the specific slot already pre-selected.
  (An alternative to the Generate link is to click the Generate button in the top-right corner of the Certificates view and select New key from the Select action drop-down.)
- Key Type: Select the key pair type to generate. The key pair type determines the cryptographic algorithm and key length.
  Available options:
  - RSA 2048 (default): 2048-bit Rivest-Shamir-Adleman key
  - RSA 3072: 3072-bit Rivest-Shamir-Adleman key
  - RSA 4096: 4096-bit Rivest-Shamir-Adleman key
  - ECC P-256: Elliptic curve-based 256-bit key
  - ECC P-384: Elliptic curve-based 384-bit key
- Choose Key Slot: If necessary, you can select a different slot for generating the new key pair.
  Available options:
  - First available slot: The key will be generated in the first free slot. You can select this option if the key usage is not important.
  - Authentication (9A)
  - Signature (9C)
  - Key Management (9D)
  - Card Authentication (9E)
  - First available History Slot
  - SKI Transport Key (an RSA-3072 key uniquely bound to a specific token, used to securely transfer data to that token in compliance with the Secure Key Injection protocol): Select this option to generate an RSA-3072 key for encrypting keys for Secure Key Injection. The Key Type field will be set to RSA 3072 automatically.
  - First General-Purpose Slot
- Key Name: The key name is a human-readable string used to identify the key. Use the randomly generated value or overwrite it.
  Note: Knowing the key name is useful when you need to use the key directly, such as with the Cryptography Next Generation (CNG) application programming interface. CNG is a modern cryptographic API introduced by Microsoft as part of Windows to replace the older CryptoAPI. It provides a flexible and extensible framework for implementing cryptographic algorithms, key storage, and secure key management and supports a wide range of cryptographic operations, including encryption, decryption, hashing, and digital signatures. See the simple PowerShell example below, which opens the key for further actions.
  # $keyname holds the Key Name value set in the dialog
  [System.Security.Cryptography.CngKey]::Open($keyname, [System.Security.Cryptography.CngProvider]::MicrosoftSmartCardKeyStorageProvider)
- Click the Generate button. The new key is now displayed in the respective slot tile.
- To copy the public key, click the tile. The private key cannot be accessed or retrieved.
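Building on the Key Name note above, the following added example (not part of the Crescendo Manager documentation) opens a newly generated key by name, checks that its algorithm and size match the Key Type selected in the dialog, and runs a sign/verify round trip in which the private-key operation stays on the token. The key name MyTokenKey01 and the expected values are placeholders; the script assumes a single inserted token holding an RSA or ECDSA key.

```powershell
# Added example. 'MyTokenKey01' is a placeholder for the Key Name set in the dialog.
$keyName         = 'MyTokenKey01'
$expectedGroup   = 'RSA'    # assumption: 'RSA' for RSA key types, 'ECDSA' for an ECC signing key
$expectedKeySize = 2048     # assumption: 2048, 3072, 4096, 256 or 384, matching the Key Type

$provider = [System.Security.Cryptography.CngProvider]::MicrosoftSmartCardKeyStorageProvider
if (-not [System.Security.Cryptography.CngKey]::Exists($keyName, $provider)) {
    throw "No key named '$keyName' was found through the smart card key storage provider."
}

$key = [System.Security.Cryptography.CngKey]::Open($keyName, $provider)
try {
    # Report what the provider says about the key that was just generated.
    $group = $key.AlgorithmGroup.AlgorithmGroup
    [pscustomobject]@{
        KeyName   = $key.KeyName
        Provider  = $key.Provider.Provider
        Algorithm = $key.Algorithm.Algorithm
        KeySize   = $key.KeySize
    } | Format-List

    if ($group -ne $expectedGroup -or $key.KeySize -ne $expectedKeySize) {
        throw "Key is $group/$($key.KeySize), expected $expectedGroup/$expectedKeySize."
    }

    # Sign a test message with the token-resident private key, then verify
    # the signature with the public half of the same key pair.
    $data   = [System.Text.Encoding]::UTF8.GetBytes('token key self-test')
    $sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    if ($group -eq 'RSA') {
        $alg = [System.Security.Cryptography.RSACng]::new($key)
        $pad = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
        $sig = $alg.SignData($data, $sha256, $pad)
        $ok  = $alg.VerifyData($data, $sig, $sha256, $pad)
    }
    elseif ($group -eq 'ECDSA') {
        $alg = [System.Security.Cryptography.ECDsaCng]::new($key)
        $sig = $alg.SignData($data, $sha256)
        $ok  = $alg.VerifyData($data, $sig, $sha256)
    }
    else { throw "Algorithm group '$group' is not handled by this example." }
    $alg.Dispose()
    "Sign/verify round trip succeeded: $ok"
}
finally { $key.Dispose() }
```

Windows may prompt for the token PIN when the signing call runs.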
Actions Available With an Existing Key
Once you have a key stored on your token, you can: