Home >

LunaSH Command Reference Guide > LunaSH Commands > token > token pki

token pki

Access the token pki commands. These commands allow you to operate token HSMs (with SafeNet USB HSM connected to the SafeNet Network HSM via USB) when used in PKI mode.

Note:  The PKI Bundle feature is supported with PED-authenticated SafeNet Network HSM, and the connected SafeNet USB HSM must also be PED-authenticated.

PKI bundling with password-authenticated SafeNet Network HSM or SafeNet USB HSM is not supported.  

Note:  The SafeNet Network HSM PKI Bundle option does not support Per-Partition Security Officer (PPSO). That is, a SafeNet USB HSM that is USB-connected to a SafeNet Network HSM appliance can be configured with any compatible firmware, including firmware version 6.22.0 (or newer), but cannot have the PPSO capability applied.

Note:  SafeNet Network HSM PKI Bundle option does not support the use of SafeNet DOCK2 and removable PCMCIA token HSMs (SafeNet CA4).

An external SafeNet HSM can be USB-connected to a SafeNet Network HSM appliance for:

local backup/restore operations (SafeNet Backup HSM)

PKI bundle operations (SafeNet USB HSM)

SafeNet Network HSM does not pass PED operations and data through to an externally connected SafeNet HSM from a SafeNet PED that is connected locally to the SafeNet Network HSM.

If the external HSM is PED-authenticated, then the options for SafeNet PED connection are:

local PED connection, directly to the affected HSM, when needed, or

Remote PED connection, passed through the SafeNet Network HSM 

Note:  Support for PKI Bundles with Remote PED begins at firmware version 6.10.1 in the external HSM.

Note:  Support for locally connected Backup HSM with Remote PED,
begins at firmware version 6.10.1 in the external HSM.

Note:  Use of Remote PED with an external device is made possible when you set up with the commands
hsm ped vector init -serial <serial#_of_external_HSM>
and
hsm ped connect -serial <serial#_of_external_HSM>
before using token pki or token backup commands.  

 

Syntax

token pki

activate
changepin
clone
deploy
factoryreset
listall
listdeployed
predeploy
resetpin
undeploy
update

Parameter Shortcut Description
activate a Activate PKI Token for use with your application. See token pki activate.
changepin   ch Change PKI Token PIN. See token pki changepin.
clone cl Clone PKI Token contents. See token pki clone.
deploy d Deploy PKI Token. See token pki deploy.
factoryreset    fr Factory Reset PKI Token. See token pki factoryreset.
listall    lista

List All PKI Tokens. See token pki listall.

listdeployed    listd List All Deployed Tokens. See token pki listdeployed.
predeploy p Pre-deploy PKI Token. See token pki predeploy.
resetpin   r Reset PKI Token PIN. See token pki resetpin.
undeploy un Undeploy PKI Token. See token pki undeploy.
update up Access the token pki update commands.See token pki update.

 

Note:  The above commands prepare an HSM, externally connected to a SafeNet Network HSM appliance, for operation in the PKI use-case. However, once the external HSM has been deployed for PKI bundle, it must be assigned to the remote client, by means of the command client assignpartition.