Why quartus_sign fails to generate a signed ccert for Agilex™ 7 FPGA when running an AES root key provisioning command? - Why quartus_sign fails to generate a signed ccert for Agilex™ 7 FPGA when running an AES root key provisioning command? Description When running the quartus_sign command for Agilex™ 7 AES Root Key Provisioning, Quartus® Prime Pro Software fails with Error (20354). Executing the following two commands fails when running the commands below: ## Create an unsigned AES compact certificate for the desired AES root key storage location: quartus_pfg --ccert -o ccert_type=EFUSE_WRAPPED_AES_KEY -o password=passphrase.txt -o qek_file=aes_root.qek unsigned_efuse1.ccert ## Sign the compact certificate with the quartus_sign command or reference implementation: quartus_sign --family=agilex7 --operation=sign --pem=aesccert1_private.pem --qky=aesccert1_sign_chain.qky unsigned_efuse1.ccert signed_efuse1.ccert Resolution You need to set the permission=0x40 when running this command. Full command as below: quartus_sign --family=agilex --operation=append_key \ --previous_pem=root0_private.pem \ --previous_qky=root0.qky \ --permission=0x40 \ --cancel=1 \ --input_pem=aesccert1_public.pem \ aesccert1_sign_chain.qky Additional Information Please refer to Intel Agilex™ 7 FPGA Device Security User Guide page 33 for more details. Custom Fields values: ['novalue'] Troubleshooting 22011787897 False ['novalue'] ['FPGA Dev Tools Quartus® Prime Software Pro'] novalue 24.1 ['Agilex™ 7 FPGAs and SoCs'] ['novalue'] ['novalue'] ['novalue']