To generate the timestamping key pair, run the tsactl create-key command in any Entrust PKI Hub node. The command will output a CSR that you can use to generate the certificate – for example:
$ sudo tsactl create-key -k RSA2048 -s "CN=TSA" -o /tmp/certreq.txt -t mytoken -v thalesCreated key with id 4a00a4617d1afd5ad626955132dd0d396a69ed24CSR:-----BEGIN CERTIFICATE REQUEST-----MIICqDCCAZACAQAwMzExMC8GA1UEAxMoNGEwMGE0NjE3ZDFhZmQ1YWQ2MjY5NTUx…etTv+pac+nJKW8fw-----END CERTIFICATE REQUEST-----As explained in tsactl create-csr you can create a certificate request for a key that already exists on the HSM.