Entrust PKI Hub 1.0 - Installation and Administration Guide [PDF]

Lists the keys in the PKCS #11 token.

tsactl list-keys [-p <pin>] [-t <token>] [-v <vendor>]

For example:

$ sudo ./tsactl list-keys
Obtaining loaded secrets and configuration... Done
Starting PKCS #11 Manager...                  Done
Using token with label pking203
Public Key Object; RSA 2048 bits
  Label:      305ecd78340acc3d906be370a01e7884
  ID:         03b1dac1e383b8d3adea5a6a2c6200bde58ffb40
  Usage:      verify
 
Private Key Object; RSA 2048 bits
  Label:      F
  ID:         0f
  Usage:      sign, unwrap
 
Public Key Object; RSA 2048 bits
  Label:      F
  ID:         0f
  Usage:      verify, wrap
 
Private Key Object; RSA 2048 bits
  Label:      webserver-root1
  ID:         103d6c94ea10b98ab37186cc1c4977eb
  Usage:      sign

See below for a description of each option.

-p <pin>

Authenticate in the HSM with the <pin> PIN.

Mandatory: No. When omitting this option, the command looks for the PIN in the application secrets. If not found, prompts the user for the PIN.

-t <token>

Select the HSM token with the <token> label.

Mandatory: No. When omitting this option, the command uses the value of the Token label configuration parameter.

The command will raise an error if you omit this option and the configuration is not loaded.

-v <vendor>

Use the <vendor> security module. See the following table for the supported values.

Vendor	Security module
none	Built-in software PKCS #11 module.
nshield	nShield HSM. See HSM requirements for the supported models.
thales	Thales HSM. See HSM requirements for the supported models.

It is recommended to select a Hardware Security Module (HSM).

Mandatory: No. When omitting this option, the command assumes the value of the Vendor configuration parameter.

The command will raise an error if you omit this option and the configuration is not loaded.