Testing & Troubleshooting CNG/KSP Provider
CNG/KSP Test Tool
This tutorial applies to ksputilcons.exe V1.35 and later.
In addition to the Microsoft Windows certificate tools (e.g. CertMgr, CertUtil), the ksputilcons.exe tool:
- facilitates independent testing of the Securosys CNG/KSP provider, and
- helps resolve Key Accessibility issues, such as upgrade incompatibility or transferring accounts between domains.
The tool is installed within the %ProgramFiles% folder:
"%ProgramFiles%\Securosys\PrimusHsmKsp\ksputilcons.exe"
The tool provides the following command line options [1]:
ksputilcons help                                                  Display help text
ksputilcons hsmstatus [-v -p <provider>]                          HSM connection status
ksputilcons enumprovs [-v]                                        Enumerate all CNG providers
ksputilcons enumalgs [-v -p <provider>]                           Enumerate algorithms
ksputilcons enumalgops [-v -p <provider>]                         Enumerate algorithm operations
ksputilcons enumkeys [-v -m -a -p <provider>]                     Enumerate keys
ksputilcons createtestkey [-v -m -p <provider>]                   Create test key
ksputilcons deltestkey [-v -m -p <provider>]                      Delete test key
ksputilcons chkeysowner <name> <oldowner> <newowner> [-v -p <provider> --passwd <password>]
                                                                  Change the key owner (KeyPrefix)
Connection Status and Details
The command ksputilcons hsmstatus offers a convenient way to verify that the CNG/KSP configuration is complete, that the HSMs are reachable, and which HSM firmware version is running:
ksputilcons hsmstatus [-p <provider>]
Getting status. Please wait .....
-----------------------------------
HSM Identifier: DevSystem DEMO-TEST
----------------------------------
+ Configuration
Is complete: YES
Host address: grimsel.securosys.ch::2320
Device name: GRIMSEL
Is sufficient to connect: YES
+ HSM info
Device name: GRIMSEL
Firmware version: RX-2.8.0-T
+ Connection
Succeeded: YES
Protocol version: 2.5
FIPS compliant login: YES
Elliptic curve cryptography: YES
HASH/HMAC key derivation functions: YES
SP800-56A key derivation function: YES
------------------------------------
…
Enumerate all CNG keys
The following command options enumerate all CNG keys regardless of the user scope (option -a, administrator rights required), together with the key capabilities and flags (option -v; see the help option for details).
ksputilcons enumkeys -a -v [-p <provider>]
Enumerating. Please wait .................................................
--------------------------------------------------------------------
Owner: S-1-5-21-3913189663-3851414020-2755702806-1111 (Current User)
--------------------------------------------------------------------
+ Key name: ExportCertx2.hsmdemo.test-fbaed98e-2ec2-434f-be62-7aa57bbd40b3
Algorithm, size, type: RSA, 2048 bit, PublicKey
Capabilities: Encrypt, Verify, Wrap
Access: Modifiable, Copyable, Pkcs11Public
Creation date/time: 2019-02-19 17:16:14
+ Key name: ExportCertx2.hsmdemo.test-fbaed98e-2ec2-434f-be62-7aa57bbd40b3
Algorithm, size, type: RSA, 2048 bit, PrivateKey
Capabilities: Decrypt, Sign, Unwrap
Access: Extractable, Modifiable, Copyable, Pkcs11Private
Creation date/time: 2019-02-19 17:16:14
…
-----------------------------------------------------
Owner: S-1-5-21-3913189663-3851414020-2755702806-1112
-----------------------------------------------------
+ Key name: ExportCertx2.hsmdemo.test-fbaed98e-2ec2-434f-be62-7aa57bbd40b3
…
Change Key Accessibility
The following command option renames the keyPrefix of a specific key to resolve key accessibility issues. This may be necessary because of an upgrade incompatibility or when accounts are moved into or out of domains.
Only keys that have the "Modifiable" flag set can be renamed.
The procedure is as follows:
- Open a command shell (cmd) with administrator rights.
- Determine the existing SID (<oldowner>) of the key using the key enumeration option (see 5.3.2) and check that the "Modifiable" flag is set:
  ksputilcons.exe enumkeys -a -v
- Determine the SID (<newowner>) of the new account, e.g.:
  - of the current user:
    wmic useraccount where name='%username%' get caption,sid
  - of all users:
    wmic useraccount get caption, sid
  - of well-known accounts (see chapter Key Access or the Windows SID documentation)
  - of the machine, using psgetsid.exe from the Sysinternals tools:
    - of the local machine:
      psgetsid
    - of a machine in Active Directory:
      psgetsid %computername%$
- Rename the key prefix with the following command option (see the help option for details):
  ksputilcons chkeysowner <keyname> <oldowner> <newowner> [-v --passwd <password>]
  Example:
  ksputilcons chkeysowner CNGTestKey S-1-5-21-3913189663-3851414020-2755702806-1111 S-1-5-21-3913189663-3851414020-2755702806-1104
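A pre-flight check for the rename step, added here as an example and not part of ksputilcons or the Securosys tooling: it parses the enumkeys -a -v output format shown above and only emits a chkeysowner command line when both the public and private entries of the key under the old SID carry the Modifiable flag. The sample output is constructed; Python is used so the check runs anywhere, although in practice the text would be the captured output of the Windows tool.

```python
import re

# Constructed sample, modelled on the "enumkeys -a -v" output shown above (not captured from a real HSM).
SAMPLE = """Owner: S-1-5-21-3913189663-3851414020-2755702806-1111 (Current User)
+ Key name: CNGTestKey
    Algorithm, size, type: RSA, 2048 bit, PublicKey
    Access: Modifiable, Copyable, Pkcs11Public
+ Key name: CNGTestKey
    Algorithm, size, type: RSA, 2048 bit, PrivateKey
    Access: Extractable, Modifiable, Copyable, Pkcs11Private
+ Key name: LockedKey
    Algorithm, size, type: RSA, 2048 bit, PublicKey
    Access: Modifiable, Pkcs11Public
+ Key name: LockedKey
    Algorithm, size, type: RSA, 2048 bit, PrivateKey
    Access: Pkcs11Private
"""

def parse_enumkeys(text):
    """Return one dict per '+ Key name:' block: owner SID, name, key type and the set of Access flags."""
    entries, owner, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Owner:\s+(S-1-[\d-]+)", line):   # new owner section (SID header)
            owner, current = m.group(1), None
        elif m := re.match(r"\+ Key name:\s+(\S+)", line):  # start of a key block
            current = {"owner": owner, "name": m.group(1), "type": "", "access": frozenset()}
            entries.append(current)
        elif current is not None and ":" in line:           # field line inside a key block
            key, _, value = (s.strip() for s in line.partition(":"))
            if key == "Algorithm, size, type":
                current["type"] = value.split(",")[-1].strip()
            elif key == "Access":
                current["access"] = frozenset(a.strip() for a in value.split(","))
    return entries

def plan_owner_change(text, key_name, old_owner, new_owner):
    """Pre-flight for chkeysowner: both the public and private entries of key_name under old_owner
    must carry the Modifiable flag. Returns (command, reason); command is None when the rename
    should not be attempted."""
    matches = [e for e in parse_enumkeys(text) if e["name"] == key_name and e["owner"] == old_owner]
    if not matches:
        return None, f"no key {key_name!r} owned by {old_owner}"
    blocked = [e["type"] for e in matches if "Modifiable" not in e["access"]]
    if blocked:
        return None, "not Modifiable: " + ", ".join(blocked)
    return f"ksputilcons chkeysowner {key_name} {old_owner} {new_owner}", "ok"
```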
Footnotes
[1] The provider instance parameter [-p <provider>] is required only if multiple instances are installed (CNG V1.40 or newer).