The check key command check is used to check HSM Identity keys for consistency on the devices specified by the <targets> parameter. Any anomalies will be reported.

This command ensures that the peer keys match the device private key they represent, and ensures that all key objects have been created with appropriate security attributes.

The generate key command gen is used to generate the HSM Identity key–pair on the devices specified by the <targets> parameter.

If a device already has an identity key a key will not be generated and a warning will be issued, unless the –f parameter is used to force key regeneration. When a key is regenerated, the existing key is destroyed BEFORE the new key has been generated to avoid any inconsistencies that could occur with multiple keys.

To complete this command, ctident requires the SO PIN of the administrative token. The –o parameter can be used to supply a default SO PIN. Since multiple devices can be targeted with this command, differing PINs may be required for each device.

When a default PIN is not provided or if the current PIN is incorrect, the PIN will be prompted for. The batch mode –b parameter can be used to disable PIN prompting.

The list key command list is used to list summary information for HSM Identity keys located on the devices specified by the <targets> parameter.

The –t parameter restricts the types of keys listed. By default all HSM Identity key types are listed.

The –a parameter lists all of the non-sensitive attributes for each key.

The remove key command remove is used to remove HSM Identity keys from the devices specified by the <targets> parameter.

The <peers> parameter specifies the peer device keys to remove. If the serial number format is used to identify peers, the peer device need not be available for the command to succeed since peer keys are identified by device serial number.

If the <peers> parameter specifies the value local, the devices own local HSM Identity key-pair is removed. This is the only way to have ctident remove a devices own HSM Identity key-pair.

To complete this command, ctident requires the SO PIN of the administrative token. The –o parameter can be used to supply a default SO PIN.  Since multiple devices can be targeted with this command, differing PINs may be required for each device. When a default PIN is not provided or if the current PIN is incorrect, the PIN will be prompted for. The batch mode –b parameter can be used to disable PIN prompting.

Specifies a comma-separated list of device numbers. The modifier, sn:<serial> allows device serial numbers to be specified as opposed to device positional numbers. The special value all denotes all devices.

Specifies a comma-separated list of peer device numbers. The modifier, sn:<serial> allows device serial numbers to be specified as opposed to device positional numbers. The special value all denotes all devices other than the specific target device on which the command is currently being performed on. The special value local affects the devices own local HSM Identity key-pair and only has effect with the remove command.

––attributes

Output all non-sensitive attributes of a key.

––batch

Batch mode. Do not prompt for anything, including PINS. If the required information was not supplied on the command line ctident will report an error.

––force

Force the command, even if the key already exists.

––so–pin=<pin>

Specifies the security officer (SO) PIN. Use of this operation is a security risk due to the tools command line being visible in the systems process list.