11.3. Using Different Key Settings

Generally, the key settings are applied to all keys generated for a subsystem.
... -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA  ...
However, each individual key can have its own parameters set separately, meaning each key could be of a different type, of a different size, or use different algorithms or curves. As with the certificate subject names, the types of keys that are configured differ depending on the subsystem.
Every key can be given a unique setting, or only the specified keys can be given unique settings, while all other keys use the default.
For example, this sets different settings for every key for a CA:
pkisilent ConfigureCA -cs_hostname localhost 
          -cs_port 9445 
          -subsystem_name "pki-ca2" 
          -client_certdb_dir /tmp/ 
          -client_certdb_pwd password 
          -preop_pin sYY8er834FG9793fsef7et5 
          -domain_name "testca"  
	  -signing_key_type ec
	  -signing_key_size 256
	  -signing_key_curvename nist256
	  -signing_key_signingalgorithm SHA256withEC
	  -ocsp_signing_key_type ec 
	  -ocsp_signing_key_size 256
	  -ocsp_signing_key_curvename nist256
	  -ocsp_signing_key_signingalgorithm SHA256withEC
	  -audit_signing_key_type rsa
	  -audit_signing_key_size 2048
	  -audit_signing_key_algorithm SHA256withRSA
	  -subsystem_key_type rsa
	  -subsystem_key_size  2048
	  -subsystem_key_algorithm SHA512withRSA
	  -sslserver_key_type rsa
	  -sslserver_key_size 2048
	  -sslserver_key_algorithm SHA256withRSA
	  ...
This only sets values for the CA signing key and uses the defaults for the other keys:
pkisilent ConfigureCA -cs_hostname localhost 
          -cs_port 9445 
          -subsystem_name "pki-ca2" 
	  -signing_key_type ec
	  -signing_key_size 256
	  -signing_key_curvename nist256
	  -signing_key_signingalgorithm SHA256withEC
          -key_size 2048 
          -key_type rsa 
	  -key_algorithm SHA256withRSA
...