P11Ng CLI

ENTERPRISE This is an EJBCA Enterprise feature.

The P11Ng CLI tool can be used to administrate HSMs using PKCS#11. It is built as a standalone JAR, which can be put on any machine and run independently of EJBCA.

The P11Ng CLI also provides CP5-specific commands to manage keys on Utimaco's common criteria certified HSM.

Build and Use P11Ng CLI

The following provides information on building and using the P11Ng CLI tool.

Build P11Ng CLI

To build P11Ng CLI with ant, run the following from the EJBCA source code directory:

ant p11ng-cli

The directory ./dist/p11ng-cli is created and can be moved to any location.

To use the tool, run the script p11ng-cli.sh in this directory.

Use P11Ng CLI

List Available Commands

Call the p11ng-cli.sh script without arguments to list all valid commands. For example:

> ./p11ng-cli.sh
--------------------------------
The following commands are available:
authorizekey Authorizes a key before it can be used. CP5 specific operation.
backupobject Backs up a key from the HSM on the backup file. CP5 specific operation.
deleteobject Deletes objects.
generatekey Generates symmetric key on the HSM
generatekeypair Generates a key pair
initializekey Initializes a key prior to authorization. CP5 specific operation.
listobjects List objects available on the slot.
listslots Lists slots available on the HSM
onetimeperformancetest Runs a one time performance test generating an RSA key and signing with it.
restoreobject Restores a backed up key from file into the HSM. CP5 specific operation.
showinfo Shows information about HSM.
showobjectattributes Shows the following attributes of an object, object IDs can be listed using the listobjects command:
CKA.ID, CKA.TOKEN, CKA.SENSITIVE, CKA.PRIVATE, CKA.EXTRACTABLE, CKA.ENCRYPT, CKA.DECRYPT, CKA.SIGN,CKA.VERIFY, CKA.SIGN_RECOVER, CKA.VERIFY_RECOVER, CKA.WRAP, CKA.UNWRAP, CKA.DERIVE, CKA.MODULUS_BITS,CKA.PUBLIC_EXPONENT, CKA.MODULUS, CKA.EC_PARAMS
showslotinfo Prints information about the slot.
showtokeninfo Prints information about token.
signperformancetest Runs a signing performance test. Without the --verify flag, the test only calls 'initSign, update, sign' using the private key, while adding --verify also reads the public key and verifies (in software) the created signature.
unblockkey Unblocks a key previously blocked. CP5 specific operation.
 
Type a command and "--help" for more information.

Print the Manual

Append the flag --help to any command to print the corresponding man page. For example:

> ./p11ng-cli.sh authorizekey --help