The P11Ng CLI tool can be used to administer HSMs using PKCS#11. It is built as a standalone JAR, which can be put on any machine and run independently of EJBCA.

The P11Ng CLI also provides CP5-specific commands to manage keys on Utimaco's Common Criteria certified HSM.

Build and Use P11Ng CLI

The following provides information on building and using the P11Ng CLI tool.

Build P11Ng CLI

To build P11Ng CLI with ant, run the following from the EJBCA source code directory:

ant p11ng-cli

The directory ./dist/p11ng-cli is created and can be moved to any location.

To use the tool, run the script p11ng-cli.sh in this directory.

Use P11Ng CLI

List Available Commands

Call the p11ng-cli.sh script without arguments to list all valid commands. For example:

> ./p11ng-cli.sh 
--------------------------------
The following commands are available:
    authorizekey                Authorizes a key before it can be used. CP5 specific operation.
    backupobject                Backs up a key from the HSM on the backup file. CP5 specific operation.
    deleteobject                Deletes objects.
    generatekey                 Generates symmetric key on the HSM
    generatekeypair             Generates a key pair
    initializekey               Initializes a key prior to authorization. CP5 specific operation.
    listobjects                 List objects available on the slot.
    listslots                   Lists slots available on the HSM
    onetimeperformancetest      Runs a one time performance test generating an RSA key and signing with it.
    restoreobject               Restores a backed up key from file into the HSM. CP5 specific operation.
    showinfo                    Shows information about HSM.
    showobjectattributes        Shows the following attributes of an object, object IDs can be listed using the listobjects command:
CKA.ID, CKA.TOKEN, CKA.SENSITIVE, CKA.PRIVATE, CKA.EXTRACTABLE, CKA.ENCRYPT, CKA.DECRYPT, CKA.SIGN,CKA.VERIFY, CKA.SIGN_RECOVER, CKA.VERIFY_RECOVER, CKA.WRAP, CKA.UNWRAP, CKA.DERIVE, CKA.MODULUS_BITS,CKA.PUBLIC_EXPONENT, CKA.MODULUS, CKA.EC_PARAMS
    showslotinfo                Prints information about the slot.
    showtokeninfo               Prints information about token.
    signperformancetest         Runs a signing performance test. Without the --verify flag, the test only calls 'initSign, update, sign' using the private key, while adding --verify also reads the public key and verifies (in software) the created signature.
    unblockkey                  Unblocks a key previously blocked. CP5 specific operation.

Type a command and "--help" for more information.

Print the Manual

Append the flag --help to any command to print the corresponding man page. For example:

> ./p11ng-cli.sh authorizekey --help