
Testing

CNG/KSP Test Tool

Note

Applies to ksputilcons.exe; V1.35 and later

Besides the Microsoft Windows certificate tools (e.g. CertMgr, CertUtil), the ksputilcons.exe tool allows independent testing of the Securosys CNG/KSP provider and resolving key accessibility issues (see Key Accessibility; e.g. upgrade incompatibility or moving accounts into or out of domains).

The tool is installed within the %ProgramFiles% folder:

"%ProgramFiles%\Securosys\PrimusHsmKsp\ksputilcons.exe"

The tool provides the following command line options¹:

ksputilcons help                                      Display help text
ksputilcons hsmstatus [-v -p <provider>]              HSM connection status
ksputilcons enumprovs [-v]                            Enumerate all CNG providers
ksputilcons enumalgs [-v -p <provider>]               Enumerate algorithms
ksputilcons enumalgops [-v -p <provider>]             Enumerate algorithm operations
ksputilcons enumkeys [-v -m -a -p <provider>]         Enumerate keys
ksputilcons createtestkey [-v -m -p <provider>]       Create test key
ksputilcons deltestkey [-v -m -p <provider>]          Delete test key
ksputilcons chkeysowner <name> <oldowner> <newowner> [-v -p <provider> --passwd <password>]
                                                      Change the key owner (KeyPrefix)

Connection Status and Details

The command ksputilcons hsmstatus provides a convenient way to check whether the CNG/KSP configuration is complete, whether the HSMs are reachable, and which HSM firmware version is running:

ksputilcons hsmstatus [-p <provider>]

Getting status. Please wait .....

-----------------------------------
HSM Identifier: DevSystem DEMO-TEST
----------------------------------

+ Configuration
Is complete: YES
Host address: grimsel.securosys.ch::2320
Device name: GRIMSEL
Is sufficient to connect: YES

+ HSM info
Device name: GRIMSEL
Firmware version: RX-2.8.0-T

+ Connection
Succeeded: YES
Protocol version: 2.5
FIPS compliant login: YES
Elliptic curve cryptography: YES
HASH/HMAC key derivation functions: YES
SP800-56A key derivation function: YES
------------------------------------


Enumerate all CNG keys

The following command options enumerate all CNG keys regardless of the user scope (option -a, administrator rights required) and additionally show each key's capabilities and flags (option -v; see the help option for details).

ksputilcons enumkeys -a -v [-p <provider>]

Enumerating. Please wait .................................................

--------------------------------------------------------------------
Owner: S-1-5-21-3913189663-3851414020-2755702806-1111 (Current User)
--------------------------------------------------------------------

+ Key name: ExportCertx2.hsmdemo.test-fbaed98e-2ec2-434f-be62-7aa57bbd40b3
Algorithm, size, type: RSA, 2048 bit, PublicKey
Capabilities: Encrypt, Verify, Wrap
Access: Modifiable, Copyable, Pkcs11Public
Creation date/time: 2019-02-19 17:16:14

+ Key name: ExportCertx2.hsmdemo.test-fbaed98e-2ec2-434f-be62-7aa57bbd40b3
Algorithm, size, type: RSA, 2048 bit, PrivateKey
Capabilities: Decrypt, Sign, Unwrap
Access: Extractable, Modifiable, Copyable, Pkcs11Private
Creation date/time: 2019-02-19 17:16:14


-----------------------------------------------------
Owner: S-1-5-21-3913189663-3851414020-2755702806-1112
-----------------------------------------------------

+ Key name: ExportCertx2.hsmdemo.test-fbaed98e-2ec2-434f-be62-7aa57bbd40b3


Change Key Accessibility

The following command option renames the KeyPrefix of a specific key to resolve key accessibility issues (see chapter Key Accessibility). This may be necessary after an upgrade incompatibility or when accounts are moved into or out of domains. Only keys with the "Modifiable" flag set can be renamed.

The procedure is as follows:

  1. Open a command shell (cmd) with administrator rights.
  2. Determine the existing SID (<oldowner>) of the key using the key enumeration option (see 5.3.2) and check that the "Modifiable" flag is set: ksputilcons.exe enumkeys -a -v
  3. Determine the SID (<newowner>) of the new account, e.g.:
     • of the current user: wmic useraccount where name='%username%' get caption,sid
     • of all users: wmic useraccount get caption, sid
     • of well-known accounts (see chapter Key Access or the Windows SID documentation)
     • of the machine, using psgetsid.exe from the Sysinternals tools:
       • local machine: psgetsid
       • machine in Active Directory: psgetsid %computername%$
  4. Rename the key prefix with the following command option (see the help option for details):
     ksputilcons chkeysowner <keyname> <oldowner> <newowner> [-v --passwd <password>]

Example:

ksputilcons chkeysowner CNGTestKey S-1-5-21-3913189663-3851414020-2755702806-1111 S-1-5-21-3913189663-3851414020-2755702806-1104
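The same procedure as a PowerShell script that refuses to run chkeysowner unless every block of the key carries the "Modifiable" flag. This is an added example, not Securosys code; it assumes ksputilcons.exe at the documented path, that the enumkeys output follows the layout shown in this section, resolves the new owner's SID via .NET instead of wmic, and uses a constructed enumkeys sample (key name CNGTestKey) in place of a live run.

```powershell
# Added example (not Securosys code). Assumes ksputilcons.exe at the documented
# path and the 'enumkeys -a -v' output layout shown in this section.
$KspTool = "$env:ProgramFiles\Securosys\PrimusHsmKsp\ksputilcons.exe"

# Turn enumkeys output lines into one object per key block (public and
# private halves are separate blocks, each listed under an "Owner:" header).
function ConvertFrom-KspEnumKeys {
    param([string[]] $Lines)
    $owner = $null; $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Owner:\s*(S-1-[\d-]+)') { $owner = $Matches[1]; continue }
        if ($line -match '^\+ Key name:\s*(.+)$') {
            if ($current) { $current }
            $current = [pscustomobject]@{ Owner = $owner; Name = $Matches[1].Trim(); Type = $null; Access = @() }
            continue
        }
        if ($current -and $line -match '^Algorithm, size, type:.*,\s*(\w+)$') { $current.Type = $Matches[1] }
        if ($current -and $line -match '^Access:\s*(.+)$') { $current.Access = $Matches[1] -split ',\s*' }
    }
    if ($current) { $current }
}

# True only if every block of $KeyName under $OldOwner carries "Modifiable";
# the page states that only such keys can be renamed.
function Test-KspKeyModifiable {
    param([object[]] $Keys, [string] $KeyName, [string] $OldOwner)
    $hits = @($Keys | Where-Object { $_.Name -eq $KeyName -and $_.Owner -eq $OldOwner })
    if ($hits.Count -eq 0) { throw "Key '$KeyName' not found under owner $OldOwner" }
    return (@($hits | Where-Object { $_.Access -notcontains 'Modifiable' }).Count -eq 0)
}

# Live use (administrator shell): $enum = & $KspTool enumkeys -a -v ; constructed sample below.
$enum = @(
    'Owner: S-1-5-21-3913189663-3851414020-2755702806-1111 (Current User)',
    '+ Key name: CNGTestKey',
    'Algorithm, size, type: RSA, 2048 bit, PublicKey',
    'Access: Modifiable, Copyable, Pkcs11Public',
    '+ Key name: CNGTestKey',
    'Algorithm, size, type: RSA, 2048 bit, PrivateKey',
    'Access: Extractable, Modifiable, Copyable, Pkcs11Private'
)
$keys     = @(ConvertFrom-KspEnumKeys -Lines $enum)
$oldOwner = 'S-1-5-21-3913189663-3851414020-2755702806-1111'
# New owner: the current user's SID, resolved with .NET rather than wmic.
$newOwner = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if (Test-KspKeyModifiable -Keys $keys -KeyName 'CNGTestKey' -OldOwner $oldOwner) {
    "$KspTool chkeysowner CNGTestKey $oldOwner $newOwner -v"   # shown, not executed
    # & $KspTool chkeysowner CNGTestKey $oldOwner $newOwner -v   # uncomment to apply
} else { Write-Warning "CNGTestKey is not Modifiable; chkeysowner would fail" }
```

Run it from an elevated PowerShell session on the host where the KSP is installed; the private and public halves of a key must both be listed under the old owner with the Modifiable flag before the rename is attempted.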

Footnotes

  1. Provider instance parameter [-p <provider>] is required only if multiple instances are installed (CNG V1.40 or newer)