token

Name

netid.exe -token – manage tokens from the command line

Synopsis

netid.exe -token [create …]|[delete …]|[reset …]|[init …]|[import …]

Description

The token command manages tokens from the command line. This is useful when no user interface is available. Most options are also available through the Command utility, so it is probably better to use that option instead.

Options

create

The token create command creates a new soft token (VSC) or a new trusted platform module (TPM) token.

netid.exe -token create [-name <name>] [-token-type <type>] [-renew-mode <add|remove|backup>]
    [-pin-min <size>] [-pin-max <size>] [-pin-policy <policy>]

-name <name>

The name of the token. The name can be between 2 and 32 characters long.

-token-type <type>

TPM or VSC.

-renew-mode <add|remove|backup>

Specifies the behavior when the token name already exists.

add

If the token already exists, no new token is created.

remove

Remove the existing token and create a new one.

backup

Back up the old token and create a new one. The backup name is the old name plus a timestamp. The token must be restored manually.

-pin-min <size>

Minimum number of characters or digits in PIN.

-pin-max <size>

Maximum number of characters or digits in PIN.

-pin-policy <policy>

Advanced PIN policy that is dependent on token type.

delete

The token delete command deletes a soft token (VSC) or a trusted platform module (TPM) token.

netid.exe -token delete [-name <name>]

-name <name>

The name of the token. The name can be between 2 and 32 characters long.

reset

The token reset command resets any type of token. A reset deletes all objects that can be updated using the normal PIN. Additional updates may also be applied if a reset profile is defined in the configuration.

netid.exe -token reset [-slotid <slotid>] [-pin <pin>]|[-sokey <sokey>]

-slotid <slotid>

PKCS#11 slotID number.

-pin <pin>

Token PIN.

-sokey <sokey>

Some smart cards require the SO-KEY to be reset. For those tokens, the -pin option can be replaced with the -sokey option.

init

The token init command initializes tokens that support initialization. Initialization means that all objects may be destroyed and the token is returned to its pre-personalization state. What initialization actually does depends on the token and on any initialization profile data.

netid.exe -token init [-slotid <slotid>] [-sokey <sokey>] [-puk <puk>]
    [-profile-name <configuration profile name>]
    [-profile-data <profile data blob>] [-pin-policy <pin-policy>]
    [-label <token label>] [-number <token number>]

-slotid <slotid>

PKCS#11 slotID number.

-sokey <sokey>

Some smart cards require the SO-KEY to be reset. For those tokens, the -pin option can be replaced with the -sokey option.

-puk <puk>

Token PUK value.

-profile-name <configuration profile name>

Depends on the token. Provided by the development department.

-profile-data <profile data blob>

Depends on the token. Provided by the development department.

-pin-policy <pin-policy>

Advanced PIN policy that is dependent on token type.

-label <token label>

The token label that describes the token.

-number <token number>

Token serial number.

import

The token import command imports a PFX/PKCS#12 file to a token.

netid.exe -token import [-slotid <slotid>] [-name <token name>] [-pin <pin>]
    [-password <password>] [-file <path>] [-label <label>] [-extractable]

-slotid <slotid>

PKCS#11 slotID number.

-name <token name>

The name of the token. The name can be between 2 and 32 characters long. Used if slotid is not specified.

-pin <pin>

PIN associated with the token.

-password <password>

Password used to protect PFX/PKCS#12 data.

-file <path>

Full path to PFX/PKCS#12 file.

-label <label>

Label used for certificate/private key.

-extractable

Make the private key extractable.

It is not recommended to make the private key extractable.
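
Example (added here; not code from the vendor or from this documentation): a PowerShell wrapper around the import command that prompts for the PIN and PFX password instead of hard-coding them and leaves out -extractable, in line with the recommendation above. The function name Import-PfxToToken is hypothetical, and the script assumes netid.exe is on PATH, runs as a console program, and signals failure with a non-zero exit code.

```powershell
# Added example, not vendor code. Uses only the import options documented above.
# Assumptions: netid.exe is on PATH, runs as a console program, and returns a
# non-zero exit code on failure. Import-PfxToToken is a hypothetical name.
function Import-PfxToToken {
    param(
        [Parameter(Mandatory)] [string] $TokenName,   # passed as -name
        [Parameter(Mandatory)] [string] $PfxPath,     # passed as -file
        [Parameter(Mandatory)] [string] $Label        # passed as -label
    )

    # The page states that a token name is 2 to 32 characters long.
    if ($TokenName.Length -lt 2 -or $TokenName.Length -gt 32) {
        throw "Token name must be between 2 and 32 characters."
    }
    # -file expects a full path, so resolve it and fail early if it is missing.
    $fullPath = (Resolve-Path -LiteralPath $PfxPath -ErrorAction Stop).ProviderPath

    # Prompt without echo so the secrets never sit in the script or shell history.
    $pin = Read-Host -Prompt "Token PIN" -AsSecureString
    $pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

    # netid.exe takes both values as plain arguments, so convert at the last moment.
    $plainPin = [System.Net.NetworkCredential]::new('', $pin).Password
    $plainPfx = [System.Net.NetworkCredential]::new('', $pfxPassword).Password

    try {
        # -extractable is deliberately omitted: the key stays non-extractable.
        $arguments = @(
            '-token', 'import',
            '-name', $TokenName,
            '-pin', $plainPin,
            '-password', $plainPfx,
            '-file', $fullPath,
            '-label', $Label
        )
        & netid.exe @arguments
        if ($LASTEXITCODE -ne 0) {
            throw "netid.exe -token import failed with exit code $LASTEXITCODE."
        }
    }
    finally {
        # Release the references to the plaintext copies once the call returns.
        $plainPin = $null; $plainPfx = $null; $arguments = $null
    }
}
```

Because netid.exe takes the PIN and password as arguments, both are visible in the process command line while the command runs, including in process listings and command-line audit logs on the host.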