Common tools of openCryptoki

Learn how to use the tools that openCryptoki provides for common purposes.

Managing tokens - pkcsconf utility
openCryptoki provides a command line program (/sbin/pkcsconf) to configure and administer tokens that are supported within the system. The pkcsconf capabilities include token initialization, and security officer (SO) PIN and User PIN initialization and maintenance. These PINs are required for token initialization.

Managing token keys - p11sak utility
Use the p11sak tool to manage token keys and certificates in an openCryptoki token repository with their PKCS #11 attributes. You can generate, import, export, change, copy, and remove symmetric and asymmetric keys in an openCryptoki token repository. With this tool, you can also import, export, copy, and list certificates.

Migrating to FIPS compliance - pkcstok_migrate utility
Use the pkcstok_migrate tool to migrate the data stores of an EP11 token, a CCA token, an ICA token, or a Soft token to a FIPS compliant format. This FIPS compliant data format is available starting with openCryptoki version 3.12. You can use this tool to migrate tokens created with all versions of openCryptoki, because the old non-compliant format is still the default in version 3.12 or later. In the FIPS compliant format, the token data is better protected against attacks than in the previously used data format.

Displaying usage statistics - pkcsstats utility
openCryptoki provides a command line program, pkcsstats, to display usage statistics of mechanisms per slot ID, either on the basis of individual users or accumulated for all users, and broken down to available key sizes.

Managing a concurrent master key change - pkcshsm_mk_change utility
For CCA tokens and EP11 tokens, openCryptoki provides a command line program, pkcshsm_mk_change, to manage the concurrent re-enciphering of secure keys for an HSM master key change while applications using openCryptoki workload are running.

Customizing token access control - pkcstok_admin utility
openCryptoki provides a command line program called pkcstok_admin that lets an administrator correctly configure user access to the token directories (including the respective token object repositories), so that a certain user can access the token directory of one token but not the token directory of another token.

Transferring keys between a token and a KMIP server - p11kmip utility
Use the p11kmip tool to export keys from a token instance in a PKCS #11 slot to a KMIP server, or to import keys from a KMIP server to a token instance. The keys that are exported or imported are referred to as target keys. The current version of this utility supports secret AES keys (with attribute CKA_EXTRACTABLE = TRUE) as target keys. The target keys are protected by a wrapping key during the transit and are unwrapped after the transit by a corresponding unwrapping key. The current version of this utility supports RSA asymmetric private and public key pairs for wrapping the target key during the transit (public RSA key) and for unwrapping it after the transit (private RSA key).