Skip to main content
Skip table of contents


The CLI tool p11ng-tool provides actions for querying, removing, and creating objects(keys) in an HSM slot in addition to signing sample text with existing wrapped key.

The tool is provided for troubleshooting purposes and the API is likely to change in future versions.

Run p11ng-tool from SIGNSERVER_HOME using the following command:



p11ng-tool [options]
P11NG commands
 -action <arg>               Operation to perform. Any of: [listSlots,
                             showInfo, listObjects, listKeyStoreEntries,
                             generateKey, generateAndWrapKeyPair,
                             unwrapAndSign, deleteKeyStoreEntryByAlias,
                             deleteObjects, generateKeyPair,
                             signPerformanceTest, unwrapPerformanceTest]
 -alias <arg>                Key alias
 -attributes_file <arg>      Path of file containing attributes to be used
                             while generating key pair
 -libfile <arg>              Shared library path
 -method <arg>               Method to use, either pkcs11 (default) or
 -nocertificateobject        Don't create a certificate object when
                             generating a key. Default is to generate a
                             certificate object
 -object <arg>               Object ID (decimal)
 -pin <arg>                  User PIN
 -plaintext <arg>            text string to sign
 -privatekey <arg>           base64 encoded encrypted (wrapped) private
 -publickey <arg>            base64 encoded public key
 -selfcert                   Generate a self-signed certificate for the
                             new key-pair
 -selfsigneddn <arg>         Distinguished Name (DN) to use as issuer and
                             subject DN in the self-signed certificate
                             instead of the default one.
 -signaturealgorithm <arg>   For sign-/unwrapPerformanceTest: Signature algorithm
                             to use (default: SHA256withRSA)
 -slot <arg>                 Slot ID to operate on
 -threads <arg>              For sign-/unwrapPerformanceTest: Number of stresstest
                             threads to run (default: 1)
 -timelimit <arg>            For sign-/unwrapPerformanceTest: Optional. Only run
                             for the specified time (in milliseconds).
 -unwrapkey <arg>            Label of key to unwrap with
 -use_cache <arg>            For sign-/unwrapPerformanceTest: Whether key objects
                             are fetched from cache instead of HSM token
                             (default: true)
 -warmuptime <arg>           For sign-/unwrapPerformanceTest: Don't count number
                             of signings and response times until after
                             this time (in milliseconds). Default=0 (no
                             warmup time).
 -wrapkey <arg>              Label of key to wrap with

Sample usages:
a) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
b) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
c) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
listObjects -slot 0 -pin foo123
d) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
generateKey -slot 0 -pin foo123 -alias wrapkey1
e) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
generateKeyPair -slot 0 -pin foo123 -alias myprivkey
f) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
generateKeyPair -slot 0 -pin foo123 -alias myprivkey -attributes_file
g) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
deleteObjects -slot 0 -pin foo123 -object 4
h) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
deleteObjects -slot 0 -pin foo123 -object 4 -object 5
i) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
deleteKeyStoreEntryByAlias -slot 0 -alias mykey1
j) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
listKeyStoreEntries -slot 0 -pin foo123
k) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
generateAndWrapKeyPair -slot 0 -pin foo123 -wrapkey wrapkey1 -selfcert
-alias wrappedprivkey
l) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
signPerformanceTest -slot 0 -pin foo123 -alias mykey1 -warmuptime 10000
-timelimit 100000 -threads 10
m) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/ -action
unwrapPerformanceTest -slot 0 -pin foo123 -wrapkey wrapkey1 -warmuptime
10000 -timelimit 100000 -threads 10
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.