TrustPort eSign PRO: Command Line - Working with LDAP and hybrid storages

Specifying the program mode

The program mode is set with -m mode_shortcut or --mode=mode_shortcut, where mode_shortcut is one of the following values:

  • enc ... encrypts a file,
  • tsa ... creates a time stamp,
  • tst ... creates a file with its time stamp.

Specifying storage type

For specifying storage type, -c storage_type or --choosestorage=storage_type parameters are available, where storage_type is one of the following values:

Specifying the storage

The storage is specified with the -l storage_name or --localstorage=storage_name command line parameter. A hybrid storage is not a local storage type, so the storage type must also be specified (-c parameter).

Example of encrypting a file through token: esign -f file.txt -l LDAP -c hybrid -m enc

Adding a storage

A new storage may be added using the -A storage_name or --addstorage=storage_name parameter.

If you want to add a hybrid storage, append the -c type parameter to specify the storage type. You can enter the path to such a hybrid storage with -S address or --addressport=address. If you do not enter a port number, the default port 389 will be used.

Examples:

  • adding new LDAP hybrid storage: esign -A "new LDAP storage" --addressport= -H ldap -c hybrid .
  • adding new MS hybrid storage: esign -A Personal -H ms --addressport=MY -c hybrid .

The hybrid storage type

The -H hybrid_storage_type or --hybridtype=hybrid_storage_type parameter lets you choose the hybrid storage type. Supported types are ms (Microsoft Storage) and ldap (Lightweight Directory Access Protocol).

Removing a storage

Unnecessary storages can be removed. To remove a storage, use the -D storage_name or --deletestorage=storage_name parameter. However, the storage type and its alias must also be given.

Example: esign -D "my_new_storage" .

Exporting to a file

Objects may be exported from a storage to files of various types. One certificate may be exported into .CER, .BIN or .PEM. One or more certificates may be exported into .P7C or .P7B. A key pair can be exported into .P12 or .PFX, the types protected by a password.

Exporting is started with the -e filename or --export=filename parameter, where filename specifies the name of the resulting file to which the object(s) will be exported. Select the type of the file with -T type or --filetype=type. You can also select the internal file format with -F filetype or --filetype=filetype; the possibilities are BASE64, BASE64 with trailers or binary (default). Example: esign -e key_pair.p12 -T p12 -F TRAIL -c hybrid

Displaying information about an object

The -d or --details parameter lists the details of an object. For hybrid storages of the LDAP type, a parameter specifying the pattern must be given. Example: esign -d -O DSA -l MyLDAP

Operations not permitted over a default storage

A hybrid storage is accessible as a certificate provider only, so some operations are not allowed:

  • Displaying contents of LDAP storage - for security reasons, it is not possible to display the contents of an LDAP storage. Microsoft storages, however, support this operation,
  • Importing a file into a storage - not allowed for either type,
  • Generating a key pair - not allowed into either type,
  • Arbitrary signing operation - a hybrid storage doesn't provide private keys, so it is not possible to make any signing operation over such a storage,
  • Applying CRL - it's not possible to write into a hybrid storage,
  • Deleting a certificate or change of alias - the same reason,
  • Searching by any other criterion than CommonName or Email.

Copyright 2010, TrustPort, a.s., All rights reserved.