To generate a VA key pair, run the evactl create-key command in any Entrust PKI Hub node. The command will output a CSR that you can use to generate the VA certificate – for example:
$ sudo evactl create-key -k RSA2048 -s "CN=OCSP Server" -o /tmp/certreq.txt -t mytoken -v thalesCreated key with id 4a00a4617d1afd5ad626955132dd0d396a69ed24CSR:-----BEGIN CERTIFICATE REQUEST-----MIICqDCCAZACAQAwMzExMC8GA1UEAxMoNGEwMGE0NjE3ZDFhZmQ1YWQ2MjY5NTUx…etTv+pac+nJKW8fw-----END CERTIFICATE REQUEST-----As explained in evactl create-csr, you can create a certificate request for a key that already exists on the HSM.