Using the TppPKIs command line tool
The tpppkis command-line tool allows you to read and write PKI files. It provides functionality for managing certificates, private keys, CSRs, and PFX files, as well as performing cryptographic operations such as digest creation and HMAC computation.
TPPPKIs tool syntax
The TppPKIs program is located at [InstallDir]\Platform\TppPKIs.exe.
To perform specific tasks, type a parameter directly after the TppPKIs command, for instance tpppkis -help. Commands and parameters are not case-sensitive, so TppPKIs -code and tpppkis -code are interpreted the same.
When you run the program with no parameters, it displays the inline help. In that help, some characters in each parameter name are bolded and some are not. The bolded characters are a short-cut syntax that makes commands quicker and easier to type. For example, the chain parameter is displayed in the inline help as -chain; the bolded part, in this case -ch, is the short cut.
Short cuts are convenient at the keyboard; however, to ensure compatibility with future versions of TppPkis, use full parameter names when scripting.
TIP The hyphen (-) is technically optional, but is recommended for forwards compatibility.
Command options are additional modifiers that provide further instructions or information to the TppPkis command being executed. For example, -text=<file> is used to load the specified file into PKIX and display a text version. The tool accepts the following operators between an option and its value: = (equals sign), : (colon), and a space. Thus the following examples are all treated the same: -cr=X509, -cr:X509, and -cr X509.
Combining these principles, the following commands are all interpreted the same:
tpppkis -list all
tpppkis -LIST=all
TppPkis -LIst:aLL
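The rules above (case-insensitive names, optional hyphen, the three operators, and bolded short cuts) can be checked mechanically before a command file is handed to -infile. The following Python script is an added example and is not code from the TppPKIs tool or its documentation. It parses a command line under those rules, expands short cuts to the full parameter names recommended for scripting, re-emits the command in -name=value form, and lists every short cut used in an -infile script. The parameter names come from the options table on this page plus -help; the script assumes that a short cut is any prefix that matches exactly one documented parameter, whereas the tool's actual short cuts are the bolded prefixes shown in its inline help, and it passes option values through unchanged.

```python
"""Parse and normalize TppPKIs command lines (added example, not the tool's code).

Page rules encoded: names are case-insensitive, the hyphen is optional, '=', ':'
or a space separates a name from its value, and a prefix of the name (the bolded
part of the inline help, e.g. -ch for -chain) is a short cut. Assumption: any
prefix matching exactly one documented parameter counts as a short cut; the
tool's real bolded prefixes may differ. Values are passed through unchanged.
"""
import re

# Parameter names from the options table, split by whether they take a value.
VALUED = set("list options xml dump algorithm digest infile consume hmackey newkey "
             "key pass csr subject sandns sanip sanrfc822 sanuri sanupn objectsid usage "
             "cert serial validity issuer isskey isspass pfxfile friendly pfxpass addcert "
             "create outfile outpass hsmdll hsmlabel hsmserial hsmpin hsmtype text".split())
FLAGS = set("verbose der skip selfsign isroot jdktrust chain help".split())  # -help is on the page

# Constructed sample -infile script (one command per line); line 2 uses short cuts.
SAMPLE_INFILE = """\
tpppkis -create=pkcs8 -newkey=eccp256 -outfile=clear-ecc.pem
TppPkis -cr:pkcs8 -k clear-ecc.pem -outf enc-ecc.pem -outp badpassword
tpppkis -text=ca.cer -ch
"""


def tokenize(line):
    """Split on whitespace, keeping a double-quoted run (a subject DN with spaces)
    as one token and dropping the quotes; backslashes are literal, so Windows paths survive."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]|"[^"]*")+', line)]


def resolve(name):
    """Map a lower-cased name or short cut to the full parameter name."""
    if name in VALUED or name in FLAGS:
        return name
    matches = sorted(p for p in VALUED | FLAGS if p.startswith(name))
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown parameter -{name}")
    raise ValueError(f"ambiguous short cut -{name}: {', '.join(matches)}")


def _parse(line):
    """Yield (name_as_given, full_name, value_or_None) for one command line."""
    tokens = tokenize(line)
    # Drop the program name, which may be given as a full path to TppPKIs.exe.
    if tokens and tokens[0].lower().rsplit("\\", 1)[-1] in ("tpppkis", "tpppkis.exe"):
        tokens = tokens[1:]
    i = 0
    while i < len(tokens):
        raw = tokens[i].lstrip("-")  # the hyphen is optional
        i += 1
        # Only the first '=' or ':' splits name from value, so a value such as
        # C:\certs\key.pem or CN=DemoSystem keeps its own separators.
        cut = min((p for p in (raw.find("="), raw.find(":")) if p >= 0), default=-1)
        given = (raw[:cut] if cut >= 0 else raw).lower()
        full, value = resolve(given), (raw[cut + 1:] if cut >= 0 else None)
        if full in VALUED and value is None:  # space form: the value is the next token
            if i >= len(tokens):
                raise ValueError(f"-{full} requires a value")
            value, i = tokens[i], i + 1
        elif full in FLAGS and value is not None:
            raise ValueError(f"-{full} takes no value")
        yield given, full, value


def parse_command(line):
    """Return [(full_name, value), ...]; value is None for parameters without one."""
    return [(full, value) for _, full, value in _parse(line)]


def normalize(line):
    """Re-emit with the program name, full names and '=' (the form to use in scripts)."""
    parts = ["tpppkis"]
    for full, value in parse_command(line):
        quoted = f'"{value}"' if value and any(c.isspace() for c in value) else value
        parts.append(f"-{full}" if value is None else f"-{full}={quoted}")
    return " ".join(parts)


def check_line(line):
    """Return None if the line parses, otherwise the error message."""
    try:
        list(_parse(line))
    except ValueError as exc:
        return str(exc)


def short_cuts_in(script_text):
    """List (line_number, as_given, full_name) for every short cut in an -infile script."""
    return [(n, given, full)
            for n, line in enumerate(script_text.splitlines(), start=1) if line.strip()
            for given, full, _ in _parse(line) if given != full]


if __name__ == "__main__":
    print(*(f"line {n}: -{g} is a short cut for -{f}" for n, g, f in short_cuts_in(SAMPLE_INFILE)), sep="\n")
    print(*map(normalize, SAMPLE_INFILE.splitlines()), sep="\n")
```

Run as-is, the script reports the five short cuts on lines 2 and 3 of the constructed sample and prints each line in normalized form; pointing short_cuts_in at the contents of a real -infile script finds abbreviations before a future tool version stops accepting them. Keep in mind that values given with -pass, -outpass, -isspass, -pfxpass and -hsmpin sit in clear text on the command line and in any -infile script, so such scripts need the same protection as the keys they unlock.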
TppPKIs tool parameters and options
Option | Type | Description |
---|---|---|
-list | General Options | Lists available options for <type>. Available types: alg, all, digest, key, opt, priv, pub, test, type, usage. |
-options=o1, o2, oN | General Options | Sets specific options. Example: XmlToDo, XmlContainer, GenCmds. |
-verbose | General Options | Enables verbose output. |
-der | General Options | Outputs DER instead of PEM where applicable. |
-xml=file | General Options | Generates TppTool XML to define objects alongside the regular output. |
-dump=file | General Options | Decodes the given file and displays it in text form. |
-skip | General Options | Skips writing transient files created during processing. |
-algorithm=alg | General Options | Specifies the encryption algorithm for Private Key and PFX files. See list -alg for available options. |
-digest=dgst | General Options | Specifies the digest algorithm to use. See list -digest for available options. |
-infile=file | General Options | Reads commands from a specified file. Each line represents an individual command line. |
-consume=file | Digest Options | Specifies the file whose contents will be used for creating a digest. |
-hmackey=key | Digest Options | Specifies the key for HMAC creation. |
-newkey=keytype | Private key options | Generates a new private key of the specified type. See list -key for available types. |
-key=source | Private key options | Specifies an existing private key source (file path or DN). |
-pass=password | Private key options | Specifies the password for decrypting the private key file (if required). |
-csr=source | CSR options | Specifies an existing CSR source (file path or DN). |
-subject=subjectdn | CSR options | Specifies the subject distinguished name. |
-sandns=d1,d2,... | CSR options | Specifies SAN DNS names to add. |
-sanip=i1,i2,... | CSR options | Specifies SAN IP addresses to add. |
-sanrfc822=e1,e2,... | CSR options | Specifies SAN RFC822 names to add. |
-sanuri=u1,u2,... | CSR options | Specifies SAN URIs to add. |
-sanupn=u1,u2,... | CSR options | Specifies SAN UPNs to add. |
-objectsid=sid | CSR options | Specifies the Microsoft NTDS CA ObjectSID to add. |
-usage=u1,u2,... | CSR options | Specifies requested key usage. See list -usage for available options. |
-cert=source | Certificate options | Specifies an existing certificate source (file path or DN). |
-serial=number | Certificate options | Specifies the certificate's serial number. |
-validity=days | Certificate options | Specifies the number of valid days for the certificate. |
-issuer=source | Certificate options | Specifies the issuer certificate source (file path or DN). |
-isskey=source | Certificate options | Specifies the issuer private key source (file path or DN). |
-isspass=password | Certificate options | Specifies the password for decrypting the issuer private key. |
-selfsign | Certificate options | Self-signs the certificate. |
-isroot | Certificate options | Issues the certificate as a Root or Intermediate CA certificate. |
-pfxfile=file | PFX options | Specifies an existing PFX file. |
-friendly=name | PFX options | Assigns a friendly name to the certificate. |
-pfxpass=password | PFX options | Specifies the password for decrypting the PFX file. |
-addcert=source | PFX options | Specifies additional certificates to add to the PFX (file path or DN). |
-jdktrust | PFX options | Marks the included certificate as trusted for JDK compatibility. |
-create=type | Output options | Specifies the type of file to create. Supported types: PKCS8, PKCS10, PKCS12, X509, and Extract. |
-outfile=file | Output options | Specifies the output file path. |
-outpass=password | Output options | Specifies the password for encrypting the output file (if applicable). |
-hsmdll=path | HSM options | Specifies the cryptoki DLL path. |
-hsmlabel=label | HSM options | Specifies the partition label. |
-hsmserial=serial | HSM options | Specifies the partition serial number. |
-hsmpin=pin | HSM options | Specifies the authentication PIN. |
-hsmtype=type | HSM options | Specifies the authentication account type (SO, CO, 0, 1). |
-text=file | Diagnostics options | Loads the specified file into PKIX and displays a text version. Uses -pass if specified. |
-chain | Diagnostics options | Verifies and displays the certificate chain when using -text. |
Examples
Create a new EC-P256 key and save it as PKCS8
tpppkis -create=pkcs8 -newkey=eccp256 -outfile=clear-ecc.pem
Encrypt an existing key
tpppkis -create=pkcs8 -key=clear-ecc.pem -outfile=enc-ecc.pem -outpass=badpassword
Create a CSR with a new key
tpppkis -create=csr -newkey=eccp256 -subject="CN=DemoSystem, O=Bartok, C=US" -sandns=demosystem.bartok.us,demosystem.bartok.de -usage=clientAuth -outfile=demosystem
Build a certificate authority and issue a certificate
tpppkis -create=cert -newkey=eccp521 -subject="CN=CA Certificate" -selfsign -isroot -usage=digitalsignature,crlsign,serverauth,clientauth,keyCertSign,keyEncipherment -outfile=ca -der
Create a PFX containing a private key and certificate
tpppkis -create=pfx -cert=endentity.cer -key=endentity.p8 -outfile=certpluskey -friendly=bob -addcert=intermediate.cer -addcert=ca.cer