This is an EJBCA Enterprise feature.
The P11Ng CLI tool can be used to administer HSMs using PKCS#11. It is built as a standalone JAR, which can be put on any machine and run independently of EJBCA.
The P11Ng CLI also provides CP5-specific commands to manage keys on Utimaco's Common Criteria certified HSM.
Build and Use P11Ng CLI
The following provides information on building and using the P11Ng CLI tool.
Build P11Ng CLI
To build P11Ng CLI with ant, run the following from the EJBCA source code directory:
The directory ./dist/p11ng-cli is created and can be moved to any location.
To use the tool, run the script p11ng-cli.sh in this directory.
Use P11Ng CLI
List Available Commands
Call the p11ng-cli.sh script without arguments to list all valid commands. For example:
The following commands are available:
authorizekey Authorizes a key before it can be used. CP5 specific operation.
backupobject Backs up a key from the HSM on the backup . CP5 specific operation.
deleteobject Deletes objects.
generatekey Generates a symmetric key on the HSM.
generatekeypair Generates a key pair.
initializekey Initializes a key prior to authorization. CP5 specific operation.
listobjects Lists objects available on the slot.
listslots Lists slots available on the HSM.
onetimeperformancetest Runs a one generating an RSA key and signing with it.
restoreobject Restores a backed up key from into the HSM. CP5 specific operation.
showinfo Shows information about HSM.
showobjectattributes Shows the following attributes of an object (object IDs can be listed using listobjects): CKA.ID, CKA.TOKEN, CKA.SENSITIVE, CKA.PRIVATE, CKA.EXTRACTABLE, CKA.ENCRYPT, CKA.DECRYPT, CKA.SIGN, CKA.VERIFY, CKA.SIGN_RECOVER, CKA.VERIFY_RECOVER, CKA.WRAP, CKA.UNWRAP, CKA.DERIVE, CKA.MODULUS_BITS, CKA.PUBLIC_EXPONENT, CKA.MODULUS, CKA.EC_PARAMS
showslotinfo Prints information about the slot.
showtokeninfo Prints information about token.
signperformancetest Runs a signing performance . Without the --verify flag, the 'initSign, update, sign' using the private key, adding --verify also reads the public key and verifies ( software) the created signature.
unblockkey Unblocks a key previously blocked. CP5 specific operation.
Print the Manual
Append the flag --help to any command to print the corresponding man page. For example:
> ./p11ng-cli.sh authorizekey --help