Command utility

The Command utility is a tool for the command line or shell to provide some basic diagnostic and management abilities. For more information about the commands below, see Net iD Client CLI commands.

When running the command utility as an administrator, options for virtual tokens are available.

Synopsis

$ netid.exe -command

Options

==============================================================================
 Net iD 1.0
==============================================================================

 Command Tool Menu:

    [0] Quit    - Quit with no action
    [1] System  - View system information
    [2] View    - View token information
    [3] List    - List token objects
    [4] Token   - Manage token
    [5] PIN     - Manage token credentials
    [6] Utility - Utility commands

 Select:

1 — System

The system command gives information about the current system.

------------------------------------------------------------------------------

System information:

    Version  - Net iD 1.0.0.12
    System   - Microsoft Windows 10 - 1909
    Engine   - Microsoft Primitive Provider

    User     - SYSTEM
    Computer - SM-USER
    UniqueId - 9C:7B:EF:9E:A5:CC

------------------------------------------------------------------------------
Version

The current version of the Client.

System

The platform name and version.

Engine

An optional cryptographic engine that will be used instead of internal.

User

The current logged on user.

Computer

The name of the current device.

UniqueId

The unique identifier for the device.

The information shown is based on the execution environment of the Client core (PKCS#11 library). This may be different from the execution environment that you are running the command utility when you have activated remote/virtual PKCS#11.

2 — View

The view command shows information about the token.

------------------------------------------------------------------------------

Token Information

    Label:        NIST SP 800-73 [PIV]
    Number:       9801 1000 0001 2345
    Model:        YubiKey 4.3.5
    Manufacturer: Yubico
    Update count: 00 00 2001 0800
    Status:       Open (0/512)
    Slot:         Yubico Yubikey 4 OTP+U2F+CCID 0 (10)

------------------------------------------------------------------------------
Label

The token label.

Number

The token number.

Model

The token model.

Manufacturer

The token manufacturer.

Update count

The update counter for token. The value depends on token type and the only good interpretation is that all possible caching should be thrown away when the value changes.

Status

The current token status on the form:
Status: <token status> <PIN status> <open sessions>

token status
  • Open — logged in

  • Closed — not logged in.

PIN status (if any)
  • PIN COUNT LOW

  • PIN FINAL TRY

  • PIN LOCKED

open sessions

Number of open sessions and maximum number of sessions towards PKCS11. For more information, see MaxSession and MaxContexts.

Slot

The token slot name with token slot ID in parentheses.

3 — List

The list command shows information about token objects and should be easy to understand.

------------------------------------------------------------------------------

 Certificates

    [00] Label:       'Sylvia Trench (SecMaker CA v3)'
         Name:        'Sylvia Trench, 005, SecMaker AB'
         Validity:    2018-10-01 > 2020-09-30
         Thumbprint:  8F7A44C1B7B97189D21EAE9996B84EB303B8D3CE
         Key ID:      9A
         Modifiable:  false

------------------------------------------------------------------------------

 Private Keys

    [00] Label:       'PIV Authentication Key'
         Key ID:      9A
         Sign:        true
         Decrypt:     true
         Unwrap:      true
         Derive:      false
         Extractable: false
         Modifiable:  false
         Type:        rsa-2048

------------------------------------------------------------------------------

 Public Keys

    [00] Label:       'X.509 Certificate for PIV Authentication'
         Key ID:      9A
         Verify:      true
         Encrypt:     false
         Wrap:        true
         Derive:      false
         Modifiable:  false
         Type:        rsa-2048

------------------------------------------------------------------------------

4 — Token

The token command is used to manage the token. It is a more user-friendly version of the command line token command. See token for more information.

------------------------------------------------------------------------------

 Manage token:

    [0] Initialize - Initialize an existing token
    [1] Reset      - Reset an existing token
    [2] Create     - Create a new token
    [3] Delete     - Delete an existing token
    [4] Counter    - Reset token update counter
    [5] Abort

------------------------------------------------------------------------------

5 — PIN

The PIN command is used to manage the token credentials. All options are available, even those not supported by a specific token, to allow override of bad configuration.

------------------------------------------------------------------------------

Manage token credentials:

    [0] Login PIN    - Login token with PIN
    [1] Login SOKEY  - Login token with SO-KEY
    [2] Logout       - Logout token
    [3] Change PIN   - Change token PIN
    [4] Change PUK   - Change token PUK
    [5] Change SOKEY - Change token SO-KEY
    [6] Unlock PIN   - Unlock token PIN
    [7] Abort

------------------------------------------------------------------------------

6 — Utility

------------------------------------------------------------------------------

Select action:

    [0] List CAPI     - List certificate in CryptoAPI store
    [1] Register CAPI - Register certificate to CryptoAPI store
    [2] Abort

------------------------------------------------------------------------------

The current status of certificate registration to CryptoAPI is not easy to see, although the functionality to dump this to trace from the command line has been added. The same problem is for registration. The actions above are the same command line arguments as mentioned earlier, but presented more user-friendly:

$ netid.exe -capi dump
$ netid.exe -capi move
$ netid.exe -csp move
$ netid.exe -ksp move