SOFTHSM2-UTIL(1)              General Commands Manual             SOFTHSM2-UTIL(1)

NAME
       softhsm2-util - support tool for libsofthsm2

SYNOPSIS
       softhsm2-util --show-slots

       softhsm2-util --init-token --free --label text \
                     [--so-pin PIN --pin PIN]

       softhsm2-util --import path [--file-pin PIN] --token label \
                     [--pin PIN --no-public-key] --label text --id hex

       softhsm2-util --import path --aes --token label \
                     [--pin PIN] --label text --id hex

       softhsm2-util --delete-token --token text

DESCRIPTION
       softhsm2-util is a support tool mainly for libsofthsm2. It can also be
       used with other PKCS#11 libraries by using the option --module.

       Read the sections below to get more information on libsofthsm2 and
       PKCS#11. Most applications assume that the token they want to use is
       already initialized. It is then up to the user to initialize the
       PKCS#11 token. This is done through the PKCS#11 interface, but
       instead of writing your own tool you can use the softhsm2-util tool.

       Keys are usually created directly in the token, but the user may want
       to use an existing key pair. Keys can be imported into a token through
       the PKCS#11 interface, but this tool can also be used if the user has
       the key pair in a PKCS#8 file. If you need to convert keys from BIND
       .private-key format to PKCS#8, use softhsm2-keyconv.

       The library libsofthsm2, known as SoftHSM, provides cryptographic
       functionality through the PKCS#11 API. It was developed as a part of
       the OpenDNSSEC project and was therefore designed to meet the
       requirements of OpenDNSSEC, but it can also work together with other
       software that wants to use the functionality of the PKCS#11 API.

       SoftHSM is a software implementation of a generic cryptographic device
       with a PKCS#11 interface. These devices are often called tokens. Read
       the manual softhsm2.conf(5) on how to create these tokens and how
       they are added to a slot in SoftHSM.

       The PKCS#11 API can be used to handle and store cryptographic keys.
       This interface specifies how to communicate with cryptographic devices
       such as HSMs (Hardware Security Modules) and smart cards. The purpose
       of these devices is, among others, to generate cryptographic keys and
       sign information without revealing private-key material to the outside
       world. They are often designed to perform well on these specific tasks
       compared to ordinary processes in a normal computer.

ACTIONS
       --delete-token
              Delete the token at a given slot. Use with --token or --serial.
              Any content in the token will be erased.

       --help, -h
              Show the help information.

       --import path
              Import a key pair from the given path. The file must be in
              PKCS#8 format.
              Use with --slot or --token or --serial, --file-pin, --pin,
              --no-public-key, --label, and --id.
              Can also be used with --aes to use the file as is and import it
              as an AES key.

       --init-token
              Initialize the token at a given slot, token label or token
              serial. If the token is already initialized then this command
              will reinitialize it, thus erasing all the objects in the token.
              The matching Security Officer (SO) PIN must also be provided
              when doing reinitialization. Initialized tokens will be
              reassigned to another slot (based on the token serial number).
              Use with --slot or --token or --serial or --free, --label,
              --so-pin, and --pin.

       --show-slots
              Display all the available slots and their current status.

       --version, -v
              Show the version info.

OPTIONS
       --aes  Used to tell import to use the file as is and import it as an
              AES key.

       --file-pin PIN
              The PIN will be used to decrypt the PKCS#8 file. If not given
              then the PKCS#8 file is assumed to be unencrypted.

       --force
              Use this option to override the warnings and force the given
              action.

       --free Use the first free/uninitialized token.

       --id hex
              Choose an ID of the key pair. The ID is in hexadecimal with a
              variable length. Use with --force when importing a key pair if
              the ID already exists.

       --label text
              Defines the label of the object or the token that will be set.

       --module path
              Use another PKCS#11 library than SoftHSM.

       --no-public-key
              Do not import the public key.

       --pin PIN
              The PIN for the normal user.

       --serial number
              Will use the token with a matching serial number.

       --slot number
              The slot where the token is located.

       --so-pin PIN
              The PIN for the Security Officer (SO).

       --token label
              Will use the token with a matching token label.

EXAMPLES
       The token can be initialized using this command:

              softhsm2-util --init-token --slot 1 --label "mytoken"

       A key pair can be imported using the softhsm tool where you specify the
       path to the key file, slot number, label and ID of the new objects, and
       the user PIN. The file must be in PKCS#8 format.

              softhsm2-util --import key1.pem --token "mytoken" --label "My key" \
                            --id A1B2 --pin 123456

       (Add --file-pin PIN if the key file is encrypted.)

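The two commands above are easy to run against the wrong slot: --init-token silently reinitializes a token that already carries the label (erasing its objects), and initialized tokens move to a slot derived from their serial number, so slot numbers should not be hard-coded. The script below is an added example, not part of SoftHSM or this manual; it parses --show-slots output to find a token by label or the first free slot, and wraps --init-token in a guard. It assumes softhsm2-util is on PATH and that the caller exports SO_PIN and PIN; the sample output is constructed, with only the fields the script reads.

```shell
#!/bin/sh
# Added example, not part of SoftHSM. Assumes softhsm2-util is on PATH and that
# SO_PIN and PIN are exported by the caller (so no PIN is written into the script).

# Constructed sample of `softhsm2-util --show-slots` output, trimmed to the
# fields used below; slot 0 is free, slot 1234567890 holds "mytoken".
SAMPLE_SLOTS='Available slots:
Slot 0
    Token info:
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:
Slot 1234567890
    Token info:
        Serial number:    499602d2
        Initialized:      yes
        User PIN init.:   yes
        Label:            mytoken'

# Read --show-slots output on stdin; print the slot number of the token whose
# label is exactly $1. Exit status 1 if no token carries that label.
slot_for_label() {
    awk -v want="$1" '
        /^Slot [0-9]+$/ { slot = $2 }
        /^ *Label:/ {
            sub(/^ *Label: */, ""); sub(/[ \t]+$/, "")
            if ($0 == want) { print slot; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Print the first slot whose token is still uninitialized (the slot --free picks).
first_free_slot() {
    awk '
        /^Slot [0-9]+$/ { slot = $2 }
        /^ *Initialized: *no *$/ { print slot; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Guard around --init-token: it reinitializes an existing token and erases every
# object in it, so refuse when a token with this label is already present.
init_token_if_absent() {
    if softhsm2-util --show-slots | slot_for_label "$1" >/dev/null; then
        echo "token '$1' already exists; refusing to reinitialize" >&2
        return 1
    fi
    softhsm2-util --init-token --free --label "$1" --so-pin "$SO_PIN" --pin "$PIN"
}
```

Call `init_token_if_absent mytoken` in place of the bare --init-token command; the parsed slot number is what you would pass to --slot when a tool insists on one.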
AUTHORS
       Written by Rickard Bellgrim, Francis Dupont, René Post, and Roland van
       Rijswijk.

SEE ALSO
       softhsm2-keyconv(1), softhsm2-migrate(1), softhsm2.conf(5)

SoftHSM                        22 September 2017                  SOFTHSM2-UTIL(1)