Debugs all the components of the EVA deployment.
evactl check all [-c <tls_ca_path>] [-i <cert_id>] [-l <level>] [-p <pin>] [-v <vendor>] [-t <token>]
For example:
$ sudo ./evactl check all
Starting PKCS #11 Manager... Done
===============================================
CHECKING HSM
===============================================
Slot Id -> 0
Label -> pking203
Serial Number -> 1433959427612
Model -> LunaSA 7.2.0
Firmware Version -> 7.0.3
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
FM HW Status -> FM Ready
Slot Id -> 1
Label -> pking202
Serial Number -> 1433964084224
Model -> LunaSA 7.2.0
Firmware Version -> 7.0.3
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
FM HW Status -> FM Ready
Current Slot Id: 0
Passing HSM checks... Done
===============================================
CHECKING DB
===============================================
Starting Configurator... Done
Checking DB user privileges... Done
Checking DB tables... Done
===============================================
CHECKING CAGW
===============================================
CAID: intminions~subordinate
Checking CAGW is reachable... Done
Checking configured CA... Done
===============================================
Tests passed successfully
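Because the output above is meant for a human at a terminal, a monitoring job that runs `evactl check all` unattended needs to turn it into a pass/fail decision. The following parser is an added example, not part of EVA or its documentation: it derives its rules only from the sample output shown above (the `CHECKING <name>` banners, the `Key -> Value` slot lines, the `step... Done` lines, the `Current Slot Id:` line and the closing `Tests passed successfully` line), flags any step whose status is not `Done`, any missing success line, a current slot that is not among the listed slots, and a Luna slot whose `FM HW Status` is not `FM Ready`. The embedded sample is a constructed, shortened copy of the output above; the command line in `run_check` is the one shown on this page and assumes `evactl` is in the current directory.

```python
"""Parse `evactl check all` output into a health verdict (added example, not EVA code)."""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened copy of the output shown above, for offline use.
SAMPLE_OUTPUT = """\
Starting PKCS #11 Manager... Done
===============================================
CHECKING HSM
===============================================
Slot Id -> 0
Label -> pking203
Model -> LunaSA 7.2.0
Firmware Version -> 7.0.3
FM HW Status -> FM Ready
Slot Id -> 1
Label -> pking202
FM HW Status -> FM Ready
Current Slot Id: 0
Passing HSM checks... Done
===============================================
CHECKING DB
===============================================
Checking DB user privileges... Done
Checking DB tables... Done
===============================================
CHECKING CAGW
===============================================
CAID: intminions~subordinate
Checking CAGW is reachable... Done
===============================================
Tests passed successfully
"""

_SECTION = re.compile(r"^CHECKING (\w+)$")
_KV = re.compile(r"^(.+?) -> (.*)$")          # "Slot Id -> 0"
_STEP = re.compile(r"^(.+?)\.\.\. (\w+)$")    # "Checking DB tables... Done"
_CURRENT = re.compile(r"^Current Slot Id: (\d+)$")


@dataclass
class CheckReport:
    slots: List[Dict[str, object]] = field(default_factory=list)  # one dict per HSM slot
    current_slot: Optional[int] = None
    steps: List[Tuple[str, str]] = field(default_factory=list)    # (step, status)
    failed_steps: List[str] = field(default_factory=list)
    passed: bool = False


def parse_check_output(text: str) -> CheckReport:
    """Walk the output line by line; unknown lines (e.g. 'CAID: ...') are ignored."""
    report, section, slot = CheckReport(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("==="):
            continue
        if m := _SECTION.match(line):
            section, slot = m.group(1), None
        elif m := _CURRENT.match(line):
            report.current_slot = int(m.group(1))
        elif (m := _KV.match(line)) and section == "HSM":
            key, value = m.group(1), m.group(2)
            if key == "Slot Id":                 # a new slot block starts here
                slot = {"Slot Id": int(value)}
                report.slots.append(slot)
            elif slot is not None:
                slot[key] = value
        elif m := _STEP.match(line):
            step, status = m.group(1), m.group(2)
            report.steps.append((step, status))
            if status != "Done":
                report.failed_steps.append(step)
        elif line == "Tests passed successfully":
            report.passed = True
    return report


def evaluate(report: CheckReport) -> List[str]:
    """Return the list of problems found; an empty list means the checks look healthy."""
    problems = []
    if not report.passed:
        problems.append("final 'Tests passed successfully' line missing")
    problems += [f"step did not complete: {s}" for s in report.failed_steps]
    if report.current_slot is None:
        problems.append("no 'Current Slot Id' reported")
    elif report.current_slot not in {s["Slot Id"] for s in report.slots}:
        problems.append(f"current slot {report.current_slot} is not among the listed slots")
    for s in report.slots:
        if s.get("FM HW Status") not in (None, "FM Ready"):
            problems.append(f"slot {s['Slot Id']} FM HW Status is {s['FM HW Status']!r}")
    return problems


def run_check(argv=("sudo", "./evactl", "check", "all")) -> Tuple[CheckReport, List[str]]:
    """Run the command from this page and evaluate its output (assumes evactl is in cwd)."""
    proc = subprocess.run(list(argv), capture_output=True, text=True)
    report = parse_check_output(proc.stdout)
    problems = evaluate(report)
    if proc.returncode != 0:
        problems.append(f"evactl exited with status {proc.returncode}")
    return report, problems


if __name__ == "__main__":
    _, found = run_check()
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

The exit status makes the script usable as a cron or monitoring probe; `parse_check_output` and `evaluate` can also be run over saved output, which is how the constructed sample is used here.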
See below for a description of each parameter.
-c <tls_ca_path>
Validate the TLS server certificate of CA Gateway with <tls_ca_path>, where <tls_ca_path> is the path of a CA file in PEM format.
Mandatory: No. When omitting this option, the command uses the CA configured in the TLS CA certificate configuration parameter.
-i <cert_id>
Authenticate in CA Gateway with the <cert_id> certificate, where <cert_id> is a certificate identifier. Run the evactl list-certs command to list the available certificate identifiers.
Mandatory: No. This optional parameter defaults to the latest client certificate imported as explained in Importing the CA Gateway client certificate. Run the evactl list-certs command to check which certificate was imported last.
-l <level>
Debug the nShield HSM with the <level> level, where <level> is a CKNFAST_DEBUG variable level. When not using an nShield HSM, the command ignores this option. See the nShield documentation for details on the CKNFAST_DEBUG configuration parameter.
Mandatory: No. This optional parameter defaults to 0.
-p <pin>
Authenticate in the HSM with the <pin> PIN.
Mandatory: No. When omitting this option, the command looks for the PIN in the application secrets. If the PIN is not found there, the command prompts the user for it.
-v <vendor>
Use the <vendor> security module. See the following table for the supported values.

| Vendor | Security module |
|---|---|
| none | Built-in software PKCS #11 module. |
| nshield | nShield HSM. See HSM requirements for the supported models. |
| thales | Thales HSM. See HSM requirements for the supported models. |

Selecting a Hardware Security Module (HSM) rather than the built-in software module is recommended.
Mandatory: No. When omitting this option, the command assumes the value of the Vendor configuration parameter. The command raises an error if you omit this option and the configuration is not loaded.
-t <token>
Select the HSM token with the <token> label.
Mandatory: No. When omitting this option, the command uses the value of the Token label configuration parameter. The command raises an error if you omit this option and the configuration is not loaded.