Test the integration
Initialize the Certificate Authority
If you did not initialize the Certificate Authority at the end of the configuration process:
- Open a Windows command terminal.
- Initialize the Certificate Authority.
    % cd "C:\Program Files\Entrust\Certificate Authority\bin"
    % entsh.exe -e "source \"C:\Program Files\Entrust\Certificate Authority\bin\FirstTimeInit.tcl\""
Launch the Certificate Authority shell
- Open a Windows command terminal.
- Launch the Certificate Authority shell.
    % cd "C:/Program Files/Entrust/Certificate Authority/bin"
    % entsh.exe
Further commands during testing are executed inside this shell.
Verify the in-memory CA key cache
- Launch the Certificate Authority shell.
- Run the following command.
    entsh$ ca key show-cache
    Master User Name: Master1
    Password:
    **** In Memory CA cache ****
    Record Status Legend:
    C = current key
    H = key on hold
    A = non-current key
    X = revoked or expired non-current key has been obsoleted
    HWV1 = hardware key PKCS11 V1 *** NOT SUPPORTED ***
    HWV2 = hardware key PKCS11 V2
    SW = software key
    ----------------------------------------------------
    Internal key index: 1
    CA certificate issued by: ou=CAentry,dc=entrustsm,dc=local
    serial number: 00B2247A87BD35D3DE1992761309984A1D
    current CA certificate: Y
    CA certificate issue date: Thu Oct 23 20:07:22 2025
    CA certificate expire date: Tue Oct 23 20:37:22 2035
    subject key identifier: 43E42F76EEA1B0CD3E0B739743A29832E39F1872
    private key active: Y
    private key expired: N
    certificate expired: N
    certificate revoked: N
    revocation details: N/A
    key: RSA-2048
    global signing policy: RSA-SHA256 (sha256WithRSAEncryption)
    record status in database: C HWV2
    migrated: N
    hardware load error: N
    hardware CKA_ID: MrFc/z5l+9hIdD0lFGBBLWmskNE=
    hardware status: Loaded >> 'nCipher Corp. Ltd SN : 925f67e72ea3c354 SLOT : 761406614'.
    ----------------------------------------------------
    **** End of In Memory CA cache ****
    ou=CAentry,dc=entrustsm,dc=local.Master1
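The cache listing can be checked mechanically once it is saved to a text file. The following is an added example, not Entrust code: it assumes one field per line as in the listing above, uses an abridged copy of this page's record, and the software-key variant is constructed from the legend's SW status.

```python
# Abridged from the show-cache record on this page (one field per line assumed).
HW_OUTPUT = """\
Internal key index: 1
current CA certificate: Y
private key active: Y
private key expired: N
certificate expired: N
certificate revoked: N
record status in database: C HWV2
hardware load error: N
hardware status: Loaded >> 'nCipher Corp. Ltd SN : 925f67e72ea3c354 SLOT : 761406614'.
"""
# Constructed variant: the same record carrying the legend's SW (software key) status.
SW_OUTPUT = HW_OUTPUT.replace("C HWV2", "C SW")

EXPECTED = {"current ca certificate": "Y", "private key active": "Y",
            "private key expired": "N", "certificate expired": "N",
            "certificate revoked": "N", "hardware load error": "N"}

def parse_records(output):
    """Split show-cache output into one {field: value} dict per key record."""
    records = []
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        if name.strip().lower() == "internal key index":
            records.append({})  # a new key record starts here
        if sep and records:
            records[-1][name.strip().lower()] = value.strip()
    return records

def current_key_findings(output):
    """Return reasons the current CA key is not a healthy HSM-held key."""
    current = [r for r in parse_records(output)
               if "C" in r.get("record status in database", "").split()]
    if len(current) != 1:
        return [f"expected one current key record, found {len(current)}"]
    rec, findings = current[0], []
    status = rec["record status in database"].split()
    if "HWV2" not in status:
        findings.append("current key is not a PKCS11 V2 hardware key")
    for name, want in EXPECTED.items():
        if rec.get(name) != want:
            findings.append(f"{name}: got {rec.get(name)}, expected {want}")
    if not rec.get("hardware status", "").startswith("Loaded"):
        findings.append("hardware status is not Loaded")
    return findings

if __name__ == "__main__":
    for label, out in (("hardware", HW_OUTPUT), ("software", SW_OUTPUT)):
        print(label, current_key_findings(out) or "OK")
```

An empty findings list means the current key is recorded as C HWV2, active, unexpired, unrevoked and loaded; running the same check after the export test later on this page should report the software-key finding.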
Verify the hardware information
- Launch the Certificate Authority shell.
- Run the following command.
    ou=CAentry,dc=entrustsm,dc=local.Master1 $ ca key show-cahw -type all
    EAC is not enabled. There is no associated cryptographic hardware for EAC.
    **** Hardware Information ****
    ----------------------------------------------------
    Name: nCipher Corp. Ltd SN : 925f67e72ea3c354 SLOT : 761406614
    Has current X.509 CA key: Y
    Load Status: hardware loaded ok
    Uses Password: Y
    DB protection HW: N
    In use for X.509 CA keys: Y
    In use for EAC keys: N
    ECDSA style: 4 (use raw digest padded to large digest size)
    ----------------------------------------------------
    Name: nCipher Corp. Ltd SN : EMPTY_SN SLOT : 761406613
    Has current X.509 CA key: N
    Load Status: hardware loaded ok
    Uses Password: N
    DB protection HW: N
    In use for X.509 CA keys: N
    In use for EAC keys: N
    ECDSA style: 4 (use raw digest padded to large digest size)
    ----------------------------------------------------
    **** End of Hardware Information ****
    ou=CAentry,dc=entrustsm,dc=local.Master1
Import the CA key pair from software to hardware
The following steps import the Entrust CA key pair from software to the Entrust nShield HSM (from software to hardware).
- Launch the Certificate Authority shell.
- Run the following command. When prompted, select the nCipher slot as the destination for the new CA key.
  For example:
    ou=CAentry,dc=entrustsm,dc=local.Master1 $ ca key update
    Select the destination for the new CA key.
    Choose one of:
    1. Software
    2. nCipher Corp. Ltd SN : EMPTY_SN SLOT : 761406613
    3. nCipher Corp. Ltd SN : 925f67e72ea3c354 SLOT : 761406614
    4. Cancel operation
    > 3
    If the cluster is running it will be stopped and the CA key updated.
    Do you wish to continue (y/n) ? [y]
    Checking cluster status...
    Stopping cluster...
    100% complete. Estimated time remaining -:-:- /
    CA key and certificate successfully updated.
    Recovering CA profile...
    Starting cluster...
    CA profile successfully recovered.
    It is recommended that all revocation lists be re-issued. This can be done later with the 'rl issue' command.
    Re-issue revocation lists now (y/n) ? [y]
    Issuing CRLs, please wait ...
    1 CRL(s) were issued.
    1 ARL(s) were issued.
    1 combined CRL(s) were issued.
    Publishing CRLs, please wait ...
    ou=CAentry,dc=entrustsm,dc=local.Master1 $
- Notice the "CA profile successfully recovered" message above.
Export the CA key pair from hardware to software
The following steps export the Entrust CA key pair from the Entrust nShield HSM to software (from hardware to software).
- Launch the Certificate Authority shell.
- Run the following command. When prompted, select Software as the destination for the new CA key.
  For example:
    ou=CAentry,dc=entrustsm,dc=local.Master1 $ ca key update
    Select the destination for the new CA key.
    Choose one of:
    1. Software
    2. nCipher Corp. Ltd SN : EMPTY_SN SLOT : 761406613
    3. nCipher Corp. Ltd SN : 925f67e72ea3c354 SLOT : 761406614
    4. Cancel operation
    > 1
    If the cluster is running it will be stopped and the CA key updated.
    Do you wish to continue (y/n) ? [y]
    Checking cluster status...
    Stopping cluster...
    100% complete. Estimated time remaining -:-:- -
    CA key and certificate successfully updated.
    Recovering CA profile...
    Starting cluster...
    CA profile successfully recovered.
    It is recommended that all revocation lists be re-issued. This can be done later with the 'rl issue' command.
    Re-issue revocation lists now (y/n) ? [y]
    Issuing CRLs, please wait ...
    1 CRL(s) were issued.
    1 ARL(s) were issued.
    1 combined CRL(s) were issued.
    Publishing CRLs, please wait ...
    ou=CAentry,dc=entrustsm,dc=local.Master1
- Notice the "CA profile successfully recovered" message above.