Checks the HSM connectivity.
evactl check hsm [-l <level>] [-p <pin>] [-v <vendor>] [-t <token>]
For example:
$ sudo ./evactl check hsm
Starting PKCS #11 Manager... Done
Slot Id -> 0
Label -> pking203
Serial Number -> 1433959427612
Model -> LunaSA 7.2.0
Firmware Version -> 7.0.3
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
FM HW Status -> FM Ready
Slot Id -> 1
Label -> pking202
Serial Number -> 1433964084224
Model -> LunaSA 7.2.0
Firmware Version -> 7.0.3
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
FM HW Status -> FM Ready
Current Slot Id: 0
Passing HSM checks... Done
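The following is an added example, not part of the Entrust documentation or tooling: a small parser that turns the output shown above into slot records and confirms that the current slot is the partition you expect. It assumes the output keeps the layout of the sample above; the function names and the idea of a pinned label and serial number are illustrative.

```python
import re

# Constructed input: the sample output above, reduced to the fields checked here.
SAMPLE = """\
Starting PKCS #11 Manager... Done
Slot Id -> 0
Label -> pking203
Serial Number -> 1433959427612
Firmware Version -> 7.0.3
Slot Id -> 1
Label -> pking202
Serial Number -> 1433964084224
Firmware Version -> 7.0.3
Current Slot Id: 0
Passing HSM checks... Done
"""

def parse_check_output(text):
    """Return (slots, current_slot_id, passed) from `evactl check hsm` output."""
    slots, current, passed = [], None, False
    for line in map(str.strip, text.splitlines()):
        field = re.fullmatch(r"(.+?)\s*->\s*(.*)", line)
        if field:
            key, value = field.groups()
            if key == "Slot Id":              # each "Slot Id" line opens a new record
                slots.append({})
            if slots:
                slots[-1][key] = value
        elif line.startswith("Current Slot Id:"):
            current = line.split(":", 1)[1].strip()
        elif line == "Passing HSM checks... Done":
            passed = True
    return slots, current, passed

def verify(text, expected):
    """Compare the current slot with pinned values; return a list of problems."""
    slots, current, passed = parse_check_output(text)
    problems = [] if passed else ["final 'Passing HSM checks... Done' line missing"]
    active = [s for s in slots if s.get("Slot Id") == current]
    if len(active) != 1:
        return problems + [f"current slot {current!r} not listed exactly once"]
    for key, want in expected.items():
        got = active[0].get(key)
        if got != want:
            problems.append(f"{key}: got {got!r}, expected {want!r}")
    return problems

if __name__ == "__main__":
    pinned = {"Label": "pking203", "Serial Number": "1433959427612"}
    print(verify(SAMPLE, pinned) or "current slot matches the pinned inventory")
```

An empty list from `verify` means the final check line was present and the current slot matched every pinned field.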
See below for a description of each option.
-k <key_id>
Select the key with the <key_id> identifier.
Run the evactl list-keys command to get the key identifiers.
Mandatory: Yes.
-s <subject>
Use <subject> as the Subject of the certificate request, where <subject> is a full Distinguished Name (DN) or Relative Distinguished Name (RDN).
For Entrust Validation Authority to recognize the Subject, the DN attributes must be in capital letters.
For example:
CN=Example User,O=Example,C=US
CN=Example User
Mandatory: No. When omitting this option, the Subject in the generated certificate request defaults to the following:
CN=<key_id>
Where <key_id> is the key identifier.
-o <csr>
Save the certificate signing request (CSR) in a file with the <csr> path.
Mandatory: No. When omitting this option, the command prints the CSR to the standard output.
-p <pin>
Authenticate in the HSM with the <pin> PIN.
Mandatory: No. When omitting this option, the command looks for the PIN in the application secrets. If the PIN is not found there, the command prompts the user for it.
-t <token>
Select the HSM token with the <token> label.
Mandatory: No. When omitting this option, the command uses the value of the Token label configuration parameter.
The command will raise an error if you omit this option and the configuration is not loaded.
-v <vendor>
Use the <vendor> security module. See the following table for the supported values.
Vendor | Security module |
---|---|
none | Built-in software PKCS #11 module. |
nshield | nShield HSM. See HSM requirements for the supported models. |
thales | Thales HSM. See HSM requirements for the supported models. |
It is recommended to select a Hardware Security Module (HSM).
Mandatory: No. When omitting this option, the command assumes the value of the Vendor configuration parameter.
The command will raise an error if you omit this option and the configuration is not loaded.
-y
Skip the confirmation prompt.