PKCS #11 information utility.

Do not use PKCS #11 to perform any task that requires an Administrator Card. Use the equivalent nShield utilities instead.

For instructions how to verify the installation of the nShield PKCS #11 libraries, see Checking the installation of the nCipher PKCS #11 library.

Option Description

-s, --slot=SLOT

Uses slot SLOT for tests rather than prompting.

-p, --pin=PIN

Uses PIN for the slot rather than prompting.

[WARNING] This will expose the PIN to other users of your system.

Help options

-h, --help

Displays help for ckcheckinst.

-u, --usage

Displays a brief usage summary for ckcheckinst.

-V, --version

Displays the version number of the Security World Software that deploys ckcheckinst.

ckcheckinst output examples: Security World validity

If you have an invalid Security World (for example, if all your HSMs are in the initialization state), ckcheckinst quits with the following error message:

ckcheckinst: C_Initialize failed rv = 00000006
Is the security world initialized? (Use nfkminfo to check)

If your Security World is valid, ckcheckinst displays information similar to the following:

PKCS#11 library interface version 2.40
 flags 0
 manufacturerID "nCipher Corp. Ltd "
 libraryDescription "nCipher PKCS#11 1.#.# "
 implementation version 1.##
 Load sharing and Failover enabled

slot Status Label
===== ====== ===== 0 Fixed token "accelerator "
1 Operator card "card2 "
2 Operator card "card3 "
Select slot Number to run library test or 'R'etry or to 'E'xit:

In this example output:

  • PKCS #11 library interface version 2.40 refers to the version of the PKCS #11 specification supported

  • implementation version 1.## refers to the version of the nCipher PKCS #11 library

  • Loadsharing and Failover enabled is shown if load-sharing has been enabled. Alternatively Pool mode enabled is shown if Pool mode has been enabled.

Slots that contain a valid Operator Card are indicated by the status Operator card and the card’s label. A fixed token is always available and is listed as slot 0.

ckcheckinst output examples: invalid cards

If you insert a blank card or an unrecognized card (for example, an Operator Card from a different Security World or an Administrator Card), this is indicated in the Status column. The corresponding slot number is not available.

If you are using the preload command-line utility in conjunction with the nShield PKCS #11 library, you can only see the token that you loaded with the preload utility. In load-sharing mode, the loaded card set is used to set the environment variable CKNFAST_CARDSET_HASH, so only this card set is visible as a slot.

If there is no card in a slot, ckcheckinst displays No token present beside the relevant slot numbers. ckcheckinst gives you the following choices:

No removable tokens present.
Please insert an operator card into at least one available slot and
enter 'R' retry.
If you have not created an operator card or there are no physical slots, enter a fixed token slot number,
or 'E' to exit this program and create a card set before continuing.

If there are no available slots with cards in them, you can choose one of the following actions:

  • Insert a valid Operator Card, and press R

  • choose a fixed token slot

  • Press E to quit, then create an OCS, and run ckcheckinst again.

When there is at least one slot with a valid token, input a slot number, and press Enter. In a FIPS 140 Level 3 compliant Security World, ckcheckinst prompts you to enter the passphrase for the selected Operator Card. Type the passphrase, and press Enter.

ckcheckinst displays the results of the tests:

Test Pass/Failed
---- -----------
1 Generate RSA key pair Pass
2 Generate DSA key pair Pass
3 Encryption/Decryption Pass
4 Signing/Verify Pass
Deleted test keys ok
PKCS11 Library test successful.

If any tests fail, ckcheckinst displays a message indicating the failure and quits. It does not run any subsequent tests.

If ckcheckinst fails:

  • Check that the hardserver is running

  • Use the enquiry and nfkminfo world.