P11Ng CLI
ENTERPRISE This is an EJBCA Enterprise feature.
The P11Ng CLI tool can be used to administrate HSMs using PKCS#11. It is built as a standalone JAR, which can be put on any machine and run independently of EJBCA.
The P11Ng CLI also provides CP5-specific commands to manage keys on Utimaco's common criteria certified HSM.
Build and Use P11Ng CLI
The following provides information on building and using the P11Ng CLI tool.
Build P11Ng CLI
To build P11Ng CLI with ant, run the following from the EJBCA source code directory:
ant p11ng-cli
The directory ./dist/p11ng-cli is created and can be moved to any location.
To use the tool, run the script p11ng-cli.sh in this directory.
Use P11Ng CLI
List Available Commands
Call the p11ng-cli.sh script without arguments to list all valid commands. For example:
> .
/p11ng-cli
.sh
--------------------------------
The following commands are available:
authorizekey Authorizes a key before it can be used. CP5 specific operation.
backupobject Backs up a key from the HSM on the backup
file
. CP5 specific operation.
deleteobject Deletes objects.
generatekey Generates symmetric key on the HSM
generatekeypair Generates a key pair
initializekey Initializes a key prior to authorization. CP5 specific operation.
listobjects List objects available on the slot.
listslots Lists slots available on the HSM
onetimeperformancetest Runs a one
time
performance
test
generating an RSA key and signing with it.
restoreobject Restores a backed up key from
file
into the HSM. CP5 specific operation.
showinfo Shows information about HSM.
showobjectattributes Shows the following attributes of an object, object IDs can be listed using the listobjects
command
:
CKA.ID, CKA.TOKEN, CKA.SENSITIVE, CKA.PRIVATE, CKA.EXTRACTABLE, CKA.ENCRYPT, CKA.DECRYPT, CKA.SIGN,CKA.VERIFY, CKA.SIGN_RECOVER, CKA.VERIFY_RECOVER, CKA.WRAP, CKA.UNWRAP, CKA.DERIVE, CKA.MODULUS_BITS,CKA.PUBLIC_EXPONENT, CKA.MODULUS, CKA.EC_PARAMS
showslotinfo Prints information about the slot.
showtokeninfo Prints information about token.
signperformancetest Runs a signing performance
test
. Without the --verify flag, the
test
only calls
'initSign, update, sign'
using the private key,
while
adding --verify also reads the public key and verifies (
in
software) the created signature.
unblockkey Unblocks a key previously blocked. CP5 specific operation.
Type a
command
and
"--help"
for
more
information.
Print the Manual
Append the flag --help to any command to print the corresponding man page. For example:
> ./p11ng-cli.sh authorizekey --help