CSPConfig.exe configuration utility reference
Synopsis
CSPConfig [command] [--options]
Configuration commands
Command |
Description |
---|---|
Checks the current grant status. |
|
Obtains a new grant or refreshes a grant. |
|
Sets a grant by providing an authentication token. |
|
Revokes a grant. |
|
Manages trust for virtual HSM and authentication server access. |
|
Sets the virtual HSM and authentication server URLs. |
|
General configuration management. |
|
Sets HTTP proxy options. |
|
Resets the client configuration. |
|
Updates the CodeSign Protect client. |
Signing and verification commands
Command |
Description |
---|---|
Lists all available objects. |
|
Create a signature for a file. |
|
Verify a file signature. |
|
Sign a token for use with JWT. |
|
Verify a JWT. |
Common commands
Command |
Description |
---|---|
Synchronizes local data with the service backend. |
|
Removes local data. |
|
Retrieves a certificate. |
|
Retrieves the public key of a certificate. |
|
Uploads a certificate, key pair, or both to a per-user environment. |
|
Trace settings for troubleshooting |
|
health |
Checks client configuration health. No additional options. |
version |
Displays the version number and build timestamp. No additional options. |
help |
Displays general usage information. To get specific command help, run CSPConfig [command] -h. |
Options
checkgrant
options
Checks if the system has a valid grant and displays grant information.
Option |
Description |
---|---|
--days:<d> |
Grant is not considered valid if it expires within <d> days. |
--machine |
Uses the machine grant rather than the user grant. |
Return code 0 indicates a grant has been configured
Return code 1 indicates a missing or expired grant
This command is designed to allow automated systems, such as a builder or monitoring system, to programmatically check if the grant is still valid in preflight checks.
getcertificate
options
Retrieves a certificate and/or certificate chain. Use the list
command to obtain list of available certificates.
-
If the --chainfile and --file argument specify the same filename, the certificate will be stored first in the file, followed by the chain and PEM format will be used, ignoring any --format setting.
-
This command is useful when using signing applications that require the certificate in a file on the signing server. See also getpublickey.
-
Run
CSPConfig getcertificate
with no options to invoke interactive mode.
Option |
Description |
---|---|
--filename:<file> |
Output file for the certificate. |
--chainfile:<file> |
Output file for the certificate chain (PEM format only). |
--format:<format> |
Output file format (default is PEM). Options: |
--label:<label> |
Label of the certificate to retrieve. |
--rootfirst |
Writes the root first when writing the chain. The default is to write the intermediate first. |
--split |
Splits the chain into separate files, one certificate per file. Inserts a number before the extension, if one is provided. |
--force |
Overwrite the output files if they already exist. |
--machine |
Uses the machine grant rather than the user grant. |
getgrant
options
Obtains a code signing grant from the authentication server.
-
If a refresh token is stored, it will be used to renew the grant, ignoring any other provided credentials, unless
-force
is used. -
Run
CSPConfig getgrant
with no options to invoke interactive mode. -
Credentials may be specified with the
-autologon
argument, with the-username
and-password
arguments, or with the-jwtfile
argument. -
If URL arguments are specified, the given URL(s) will be configured and used to obtain the grant.
TIP Use the following command for a quick start on getting a grant:
CSPConfig getgrant -hostname:<codesign-protect-hostname> -username:<user> -password:<pw>
Option |
Description |
---|---|
Authentication options |
|
--username:<user> |
Authentication username. |
--password:<pw> |
Authentication password. |
--jwtfile:<jwt> |
Name of the file that contains a signed JWT (replaces username and password). A JWT Mapping must first be created in Trust Protection Platform. |
--autologon |
Authenticates using the credentials that were used to log on to the local system. Replaces username/password and jwtfile arguments. |
Proxy options |
|
--proxymode:<mode> |
Enables or disables using a proxy server for communication. Available modes: |
--proxyurl:<url> |
URL of the proxy server to use. Implies |
--noproxy=<list> |
A list of host names that should not use the proxy. |
URL options |
|
--hostname:<hostname> |
Automatically detects and sets URLs using the specified Venafi CodeSign Protect host name. |
--authurl:<url> |
Sets the authentication server URL (example: |
--hsmurl:<url> |
Sets the virtual HSM backend URL (example: |
--updateurl:<url> |
Sets the client update server URL (example: |
Advanced options |
|
--force |
Forces getting a new grant; never refreshes. |
--machine |
Requests a grant for the machine rather than a user. Before using this option, review Local machine grant. |
getpublickey
options
Retrieves the public key of a certificate. Use the list
command to obtain list of available certificates. This command is useful when using signing applications that require the public key in a file on the signing server. See also getcertificate
.
Run CSPConfig getpublickey
with no options to invoke interactive mode.
Option |
Description |
---|---|
--filename:<file> |
Output file for the public key. |
--format:<PEM|DER> |
Output file format (Default: PEM). |
--label:<label> |
Label of the public key to retrieve. |
--force |
Overwrite the output files if they already exist. |
--machine |
Uses the machine grant rather than the user grant. |
jwtsign
options
Sign a token for use with JWT.
Run CSPConfig jwtsign
with no options to invoke interactive mode.
Option |
Description |
---|---|
--header:<header> | File containing Header for JSON Web Token. |
--payload:<payload> | File containing Payload for JSON Web Token. |
--output:<file> | Filename to store the signature in. |
--label:<label> | Label of the key to use for signing. |
--machine |
Uses the machine grant rather than the user grant. |
jwtverify
options
Verifies a signed JWT Token signed by the jwtsign
command.
Run CSPConfig jwtverify
with no options to invoke interactive mode.
NOTE This command cannot verify a signature created with external tools
Option |
Description |
---|---|
--filename=<file> | File to verify. |
--label=<label> | Label of the key to use for verification. |
--keysize=<size> | The size of the key that was used to sign the
JWT
(Options: 256 , 384 , 512 ). |
--machine |
Uses the machine grant rather than the user grant. |
list
options
Displays a list of all available objects. Defaults to listing certificates and public keys from all available environments.
This command can be used to obtain the --label name that other commands require.
NOTE If list
has a filter applied, only the objects that match the filter will be returned. A notice will appear at the bottom of the results if a filter is applied. Filters are created using the option
.
Option |
Description |
---|---|
--env:<env-list> |
Only show environments of types specified (options: |
--type:<type-list> |
Only show objects of types specified (options: |
--sort=<column> |
Sort on the specified column (options: |
--grouped |
Group related objects |
--table |
Output in table format. |
--number |
Display a number for each item. |
--reverse |
Reverse the sort order. |
--force |
Do not wait and reload if objects are pending creation. |
--machine |
Lists objects available to the machine, not a specific user. |
option
options
Manages configuration options. Provides direct management of all configuration options, including options set through other commands.
Creates filters to apply when using list
. Example filter:
CSPConfig option --name:"Filter Name" --value:"<environment-label>"
Option |
Description |
---|---|
--clear |
Clears the value for <name>. |
--show |
Displays the value for <name> or all if no -name specified. |
--name:<name> |
Name to set, show, or clear. |
--value:<value> |
Value to set. |
--machine |
Performs configuration options for the machine rather than the user. |
proxy
options
Configures proxy settings to use when communicating with backend APIs.
Run CSPConfig proxy
with no options to invoke interactive mode.
Option |
Description |
---|---|
--proxymode:<mode> |
Enables or disables using a proxy server for communication. Available modes:
|
--proxyurl:<url> |
URL of the proxy server to use. Implies |
--noproxy:<url> |
A list of host names that should not use the proxy. |
--show |
Displays current proxy settings. |
--machine |
Modifies the machine configuration rather than the user configuration. |
reset
options
Resets the client configuration.
Option |
Description |
---|---|
--all |
Reset the configuration for all CodeSign Protect client stores on this system. |
--current |
Reset only the configuration for the current client (default). |
--preserve |
Preserve the configured URLs. |
--machine |
Resets the machine configuration. |
revokegrant
options
Revokes any configured grants.
Option |
Description |
---|---|
--clear |
Completely removes any stored configuration after revoking the grant. |
--force |
Forces grant revocation without confirmation. |
--machine |
Revokes the local machine grant rather than the current user grant. |
setgrant
options
Sets the grant using an authentication token that has already been obtained from the authentication server.
-
If a refresh token is provided, it will be used to renew the grant, ignoring any other provided credentials, unless
-force
is used. -
Run
CSPConfig setgrant
with no options to invoke interactive mode. -
If URL arguments are specified then the given URL(s) will be configured and used to verify and refresh the grant.
Option |
Description |
---|---|
Authentication token options |
|
--refresh:<token> |
Refresh token |
--token:<token> |
Authentication token |
Proxy options |
|
--proxymode:<mode> |
Enables or disables using a proxy server for communication. Available modes: |
--proxyurl:<url> |
URL of the proxy server to use. Implies |
--noproxy=<list> |
A list of host names that should not use the proxy. |
URL options |
|
--hostname:<hostname> |
Automatically detects and sets URLs using the specified Venafi CodeSign Protect host name. |
--authurl:<url> |
Sets the authentication server URL (example: |
--hsmurl:<url> |
Sets the virtual HSM backend URL (example: |
--updateurl:<url> |
Sets the client update server URL (example: |
Advanced options |
|
--force |
Forces getting a new grant; never refreshes. |
--machine |
Sets the grant for the machine rather than the user. Before using this option, review Local machine grant. |
seturls
options
Configures the CodeSign Protect and authentication server URLs. This command is useful to change existing server URLs if the authentication server or virtual HSM URLs change.
Run CSPConfig seturls
with no options to invoke interactive mode.
Option |
Description |
---|---|
URL options |
|
--hostname:<hostname> |
Automatically detects and sets URLs using the specified Venafi CodeSign Protect host name. |
Advanced options |
|
--authurl:<url> |
Sets the authentication server URL (example: |
--hsmurl:<url> |
Sets the virtual HSM backend URL (example: |
--updateurl:<url> |
Sets the client update server URL (example: |
--machine |
Sets URLs for the machine configuration rather than the user configuration. |
sign
options
Creates a signature for a file using the CodeSign Protect server directly.
Run CSPConfig sign
with no options to invoke interactive mode.
NOTE This command will hash the specified file, sign the hash and store the raw resulting signature. The format of the signature is intended to test key access only and is not compatible with most other tools.
Option |
Description |
---|---|
--file:<file> |
File to sign. |
--label:<label> |
Label of the key to use for signing. |
--output:<file> |
Filename to store the signature in. |
--force |
Overwrite the output file if it already exists. |
--machine |
Uses the machine grant rather than the user grant. |
storekey
options
Stores the private key along with the matching public key or certificate on the server and associates it with the environment specified with -label
.
Option |
Description |
---|---|
--label:<label> |
The label of the target environment. |
--context:<ctx> |
The context of the key to store, if the environment holds multiple keys. |
--password:<pw> |
The password needed to decrypt the private key file. |
--private:<file> |
The file containing the private key (PFX/P12 or PEM format). If uploading a PEM, the Private Key and Certificate must be in separate files. |
--public:<file> |
The file containing the public key or certificate (PEM format). |
--force |
Accept all warning prompts. |
--machine |
Uses the machine grant rather than the user grant. |
sync
options
Synchronizes the Windows certificate store with the CodeSign Protect server.
Option |
Description |
---|---|
--machine |
Syncs the machine grants instead of the user grants. |
trace
options
Manages settings for diagnostics and troubleshooting.
Option |
Description |
---|---|
--console |
Enable/disable applies to console. |
--log |
Enable/disable applies to trace log. |
--disable |
Disables console or file tracing. |
--enable |
Enables console or file tracing. |
--filename:<file> |
Sets the trace file path and filename prefix. |
--output:<out> |
Sets the console output target. Can be |
--show |
Shows existing trace settings. |
--machine |
Sets the trace options for the machine. |
trust
options
Manages certificate trust store. Trust is required to communicate with the CodeSign Protect server.
Option |
Description |
---|---|
--check |
Checks if the configured CodeSign Protect is trusted. |
--delete:<name> |
Delete certificate with subject containing <name>. |
--filename:<file> |
PEM certificate file to import certificates from. |
--force |
Forces import without confirmation. |
--hostname:<url> |
Host name or URL to retrieve certificates from. |
--show |
Shows existing certificates in trust store. |
--machine |
Manages trust for the machine. |
unsync
options
Removes synchronized local data from the Windows Certificate Store.
Option |
Description |
---|---|
--machine |
Removes synced data from the machine store rather than the user store. |
update
options
Updates CodeSign Protect clients. Requires the Code Signing Client Distribution component be active.
Option |
Description |
---|---|
--latest |
Download and install the latest available version, unless it is already installed. |
--architecture:<arch> |
Override the detected architecture. Available values: |
--type:<type> |
Override the detected package type. Available types: |
--out:<file> |
Store the package in the specified output directory and do not install it. |
--updateurl:<url> |
Client update server URL. |
verify
options
Verifies a signature created by the sign
command.
Run CSPConfig verify
with no options to invoke interactive mode.
NOTE This command cannot verify a signature created with external tools
Option |
Description |
---|---|
--filename:<file> |
File to verify. |
--input:<file> |
File name that holds the signature. |
--label:<label> |
Label of the key to use for verification. |