P11NG CLI

The CLI tool p11ng-tool provides actions for querying, removing, and creating objects (keys) in an HSM slot, as well as for signing sample text with an existing wrapped key.

The tool is provided for troubleshooting purposes and the API is likely to change in future versions.

Run p11ng-tool from SIGNSERVER_HOME using the following command:

 bin/p11ng-tool

Usage

p11ng-tool [options]
P11NG commands
 -action <arg>               Operation to perform. Any of: [listSlots,
                             showInfo, listObjects, listKeyStoreEntries,
                             generateKey, generateAndWrapKeyPair,
                             unwrapAndSign, deleteKeyStoreEntryByAlias,
                             deleteObjects, generateKeyPair,
                             signPerformanceTest, unwrapPerformanceTest]
 -alias <arg>                Key alias
 -attributes_file <arg>      Path of file containing attributes to be used
                             while generating key pair
 -libfile <arg>              Shared library path
 -method <arg>               Method to use, either pkcs11 (default) or
                             provider
 -nocertificateobject        Don't create a certificate object when
                             generating a key. Default is to generate a
                             certificate object
 -object <arg>               Object ID (decimal)
 -pin <arg>                  User PIN
 -plaintext <arg>            text string to sign
 -privatekey <arg>           base64 encoded encrypted (wrapped) private
                             key
 -publickey <arg>            base64 encoded public key
 -selfcert                   Generate a self-signed certificate for the
                             new key-pair
 -selfsigneddn <arg>         Distinguished Name (DN) to use as issuer and
                             subject DN in the self-signed certificate
                             instead of the default one.
 -signaturealgorithm <arg>   For sign-/unwrapPerformanceTest: Signature algorithm
                             to use (default: SHA256withRSA)
 -slot <arg>                 Slot ID to operate on
 -threads <arg>              For sign-/unwrapPerformanceTest: Number of stresstest
                             threads to run (default: 1)
 -timelimit <arg>            For sign-/unwrapPerformanceTest: Optional. Only run
                             for the specified time (in milliseconds).
 -unwrapkey <arg>            Label of key to unwrap with
 -use_cache <arg>            For sign-/unwrapPerformanceTest: Whether key objects
                             are fetched from cache instead of HSM token
                             (default: true)
 -warmuptime <arg>           For sign-/unwrapPerformanceTest: Don't count number
                             of signings and response times until after
                             this time (in milliseconds). Default=0 (no
                             warmup time).
 -wrapkey <arg>              Label of key to wrap with

Sample Usages

a) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action listSlots

b) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action showInfo

c) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action listObjects -slot 0 -pin foo123

d) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateKey -slot 0 -pin foo123 -alias wrapkey1

e) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateKeyPair -slot 0 -pin foo123 -alias myprivkey

f) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateKeyPair -slot 0 -pin foo123 -alias myprivkey -attributes_file /home/user/attribute_file.properties

g) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action deleteObjects -slot 0 -pin foo123 -object 4

h) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action deleteObjects -slot 0 -pin foo123 -object 4 -object 5

i) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action deleteKeyStoreEntryByAlias -slot 0 -alias mykey1

j) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action listKeyStoreEntries -slot 0 -pin foo123

k) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateAndWrapKeyPair -slot 0 -pin foo123 -wrapkey wrapkey1 -selfcert -alias wrappedprivkey

l) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action signPerformanceTest -slot 0 -pin foo123 -alias mykey1 -warmuptime 10000 -timelimit 100000 -threads 10

m) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action unwrapPerformanceTest -slot 0 -pin foo123 -wrapkey wrapkey1 -warmuptime 10000 -timelimit 100000 -threads 10