TrustPort eSign PRO: Command line - Operations over tokens and chip-cards

Specifying the program mode

As usual, this is done through -m mode_shortcut or --mode=mode_shortcut. The mode shortcut is one of:

  • sgn ... signs a file,
  • enc ... encrypts a file,
  • sge ... signs and encrypts a file,
  • dec ... decrypts and/or verifies a file,
  • esg ... creates extra signature,
  • tsa ... creates a time stamp,
  • sgt ... signs with a time stamp,
  • tst ... creates a file with its time stamp.

Specifying storage type

For specifying the storage type, the -c storage_type or --choosestorage=storage_type parameters are available, where storage_type is one of the following values:

Specifying the storage

This may be done with the -l storage_name or --localstorage=storage_name command line parameter. Because a token or chip-card is not a local storage type, the storage type must also be specified (the -c parameter).

Example of encrypting a file on a token: esign -f file.txt -l iKey -c token -m enc.

Adding a storage

It is important to realize that this operation depends on the storage type. Tokens and chip-cards cannot be added the way a local storage is, because these devices are added by the operating system automatically. You must, of course, have the device drivers and the appropriate eSign PRO libraries for communicating with the device installed.

Removing a storage

As with adding, removing a token or chip-card storage is not possible either.

Listing storage contents

To list the contents of a storage, use the --storagecontent parameter, e.g. esign -l "storage_name" --storagecontent -c token.

Importing a file into storage

It is possible to import the objects contained in a file of a supported type into a token. Supported file types are: .CER, .BIN or .PEM with a recipient's certificate; .P7C or .P7B with one or more recipients' certificates; and .P12 or .PFX with a key pair. The parameter for importing is -i -f file_name or --import --file=file_name, e.g. esign -i -f keypair.p12 --password. However, only supported algorithms and key pairs may be imported; the list of them can be obtained via the --storageinfo parameter, e.g. esign --storageinfo -c token or esign --storageinfo --choosestorage=token.

Exporting into a file

It is possible to export an object into a file of various types. One certificate may be exported into a .CER, .BIN or .PEM file. One or more certificates can be exported into a .P7C or .P7B file. The .P12 and .PFX types are protected by a password and can be used to hold a key pair. Exporting itself is done through -e -f file_name or --export --file=file_name, where file_name is the name of the file you want to export objects into. Use -T type or --filetype=type to choose the type of that file, where type determines the type of the resulting file. It is possible to choose the internal file type too. The default internal type is binary, but with -F filetype or --filetype=filetype you can choose BASE64 or BASE64 with trailers. Example (exporting into the file key_pair.p12): esign -e -f key_pair.p12 -T p12 -F TRAIL -c token.

Before exporting, you can also use the -O parameter to specify the object more precisely.

Displaying object details

Use the -d or --details parameter to make the program output object details. With -O pattern it is possible to specify more precisely which object you are interested in, and the -T type parameter lets you choose the type of object (private key, certificate, CRL). Example: esign -d -O DSA -l storage -T key -c token.

Obtaining storage contents

If you need to know the contents of a storage, use --storagecontent, e.g. esign -l "my_storage" --storagecontent.

Generating key pair or a certificate request

With the -g or --generate parameter a new object can be generated. You can affect the resulting key pair or certificate request by specifying further details, such as the name of the private key or certificate, its algorithm, or the way it is generated.

A special feature of tokens is the by-storage generating method, which generates the private key directly on the token or chip-card, so the key never has to leave the device; this is much more secure. Example: esign -g -K key_alias -E certificate_alias -k 1024 -b DSA -G by-storage -l iKey -c token.

All the parameters mentioned in Operations on local storages may also be used, but pay attention here to the algorithms and key lengths supported by the given token or chip-card; e.g. iKey supports only RSA with a key 512, 768 or 1024 bits long and a 1024-bit DSA key.

Creating a substitution key

When a key pair is generated on a token, a substitution key is generated too and the certificate is copied into the default storage, so the key pair is eventually usable for signing a file. To change the location of the substitution key (or its name), use the -U argument or --substituteobject=argument parameter. The value argument may contain a storage name, or a storage name followed by a substitution key name. For example esign -g -c token -U "my_storage" or esign -g -c token -U "my_storage:substitution key".

If you already have a private key pair prepared on the token and you want to make a substitution key for it, use this parameter in the same way. Example: esign -c token -l iKey -U "my_storage:substitution key" -O key_token1.
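The following shell script is an added example and not part of the TrustPort documentation or product. It ties together the key-generation and substitution-key sections above: it checks a requested algorithm and key length against the iKey limits stated on this page (RSA 512/768/1024, DSA 1024), builds the -U value in the "storage" or "storage:name" form, and assembles the esign command line with -G by-storage as an argument list rather than via eval, so aliases and names containing spaces are passed verbatim. The only assumptions are that an esign binary is on PATH when ESIGN_EXECUTE=1 (by default the script only prints the command, so it runs without the product installed) and the parameter letters documented on this page.

```shell
#!/bin/sh
# Added example, not TrustPort's own code. Assembles (and, on request, runs) the esign
# command that generates a key pair directly on a token and creates its substitution
# key, after checking the request against the iKey limits stated on the page.
# Assumption: an "esign" binary on PATH when ESIGN_EXECUTE=1; otherwise the command
# is only printed, so this file runs without the product installed.

# Return 0 when ALG (RSA or DSA) with BITS is one of the iKey-supported combinations.
ikey_supports() {
  case "$1:$2" in
    RSA:512|RSA:768|RSA:1024|DSA:1024) return 0 ;;
    *) return 1 ;;
  esac
}

# Value for -U / --substituteobject: "storage" or "storage:substitution key name".
substitute_arg() {
  if [ -n "${2:-}" ]; then
    printf '%s:%s\n' "$1" "$2"
  else
    printf '%s\n' "$1"
  fi
}

# Join arguments into one copy-and-paste line, single-quoting any argument that
# contains characters outside a safe set (e.g. a substitution key name with spaces).
quote_args() {
  out=
  for a in "$@"; do
    case $a in
      *[!A-Za-z0-9_./:=-]*) q="'$a'" ;;
      *) q=$a ;;
    esac
    out="${out:+$out }$q"
  done
  printf '%s\n' "$out"
}

# Usage: token_keygen KEY_ALIAS CERT_ALIAS ALG BITS TOKEN_NAME SUB_STORAGE [SUB_NAME]
# Builds the esign argument list without eval. Returns 1 (printing nothing on stdout)
# when the algorithm/key length is not supported by the iKey token.
token_keygen() {
  alg=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
  if ! ikey_supports "$alg" "$4"; then
    echo "refusing: iKey does not support $alg with a $4-bit key" >&2
    return 1
  fi
  sub=$(substitute_arg "$6" "${7:-}")
  # -G by-storage keeps the private key on the device; -U places the substitution key.
  set -- esign -g -K "$1" -E "$2" -k "$4" -b "$alg" -G by-storage -l "$5" -c token -U "$sub"
  if [ "${ESIGN_EXECUTE:-0}" = 1 ]; then
    "$@"
  else
    quote_args "$@"
  fi
}

# Dry run with constructed sample values (prints the command it would execute).
token_keygen key_alias certificate_alias DSA 1024 iKey my_storage "substitution key"
```

Run it as-is to see the command that would be executed; set ESIGN_EXECUTE=1 to actually call esign. Rejecting an unsupported key length before touching the device saves a failed round trip to the token and makes the supported-algorithm policy explicit in one place.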

Related references

Main Page
Command Line
Operations over files
Operations over storages
Working with LDAP and hybrid storages


Copyright 2010, TrustPort, a.s., All rights reserved.