Utilities
Use the nfkmverify command-line utility to check the security of all stored keys in the Security World.
Use nfkminfo, nfkmcheck, and other command-line utilities to assist in this process.
On 64-bit versions of Windows, both the 32-bit and 64-bit versions of the listed utilities are installed. When working on a 64-bit version of Windows, always ensure that you use the 64-bit version of the utility (if one is available).
nShield CNG CSP utilities:
cngimport
x86 | x64 |
---|---|
|
|
This utility is used to migrate Security World, CAPI, and CNG keys to the Security World Key Storage Provider. For more information, see Migrate keys for CNG.
cnginstall
x86 | x64 |
---|---|
|
|
This utility is the nShield CNG CSP installer. Only use this utility to remove or reinstall the provider DLLs and associated registry entries manually.
To uninstall the nShield CNG DLL files, run the command:
cnginstall -U
This command removes the provider DLL files from your system. It produces output of the form:
ncksppt.dll removed.
nckspsw.dll removed.
ncpp.dll removed.
Before you uninstall the nShield CNG DLL files, ensure that you unregister the CNG CSP. For more information, see:
After unregistering the nShield CNG CSP, you can reregister it at any time as long as the files have not been uninstalled from your system. To reregister the nShield CNG CSP on your system, run the command:
cngregister
cnglist
x86 | x64 |
---|---|
|
|
This utility displays details of CNG providers, keys, and algorithms.
To list details of the CNG providers, run the cnglist command with the --list-providers option:
cnglist --list-providers
Output from this command is of the form:
Microsoft Primitive Provider
Microsoft Smart Card Key Storage Provider
Microsoft Software Key Storage Provider
Microsoft SSL Protocol Provider
nCipher Primitive Provider
nCipher Security World Key Storage Provider
To list details of the algorithms, run the cnglist command with the --list-algorithms option:
cnglist --list-algorithms
Output from this command has the form:
BCryptEnumAlgorithms(BCRYPT_CIPHER_OPERATION):
Name Class Flags
AES 0x00000001 0x0
RC4 0x00000001 0x0
DES 0x00000001 0x0
DESX 0x00000001 0x0
3DES 0x00000001 0x0
3DES_112 0x00000001 0x0
BCryptEnumAlgorithms(BCRYPT_HASH_OPERATION):
Name Class Flags
SHA1 0x00000002 0x0
MD2 0x00000002 0x0
MD4 0x00000002 0x0
MD5 0x00000002 0x0
SHA256 0x00000002 0x0
SHA384 0x00000002 0x0
SHA512 0x00000002 0x0
AES-GMAC 0x00000002 0x0
SHA224 0x00000002 0x0
BCryptEnumAlgorithms(BCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION):
Name Class Flags
RSA 0x00000003 0x0
To list details of the algorithms for the Security World Key Storage Provider, run the cnglist command with the --list-algorithms, --keystorage, and --nc options:
cnglist --list-algorithms --keystorage --nc
Output from this command has the form:
NCryptEnumAlgorithms(NCRYPT_CIPHER_OPERATION) no supported algorithms
NCryptEnumAlgorithms(NCRYPT_HASH_OPERATION) no supported algorithms
NCryptEnumAlgorithms(NCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION):
Name Class Operations Flags
RSA 0x00000003 0x00000014 0x0
NCryptEnumAlgorithms(NCRYPT_SECRET_AGREEMENT_OPERATION):
Name Class Operations Flags
DH 0x00000004 0x00000008 0x0
ECDH_P224 0x00000004 0x00000008 0x0
ECDH_P256 0x00000004 0x00000008 0x0
ECDH_P384 0x00000004 0x00000008 0x0
ECDH_P521 0x00000004 0x00000008 0x0
NCryptEnumAlgorithms(NCRYPT_SIGNATURE_OPERATION):
Name Class Operations Flags
RSA 0x00000003 0x00000014 0x0
DSA 0x00000005 0x00000010 0x0
ECDSA_P224 0x00000005 0x00000010 0x0
ECDSA_P256 0x00000005 0x00000010 0x0
ECDSA_P384 0x00000005 0x00000010 0x0
ECDSA_P521 0x00000005 0x00000010 0x0
To list details of the algorithms for a specific named key storage provider, run the cnglist command with the --list-algorithms and --provider="ProviderName" options:
cnglist --list-algorithms --provider="Microsoft Software Key Storage Provider"
Output from this command has the form:
Microsoft Software Key Storage Provider
NCryptEnumAlgorithms(NCRYPT_CIPHER_OPERATION) no supported algorithms
NCryptEnumAlgorithms(NCRYPT_HASH_OPERATION) no supported algorithms
NCryptEnumAlgorithms(NCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION):
Name Class Operations Flags
RSA 0x00000003 0x00000014 0x0
NCryptEnumAlgorithms(NCRYPT_SECRET_AGREEMENT_OPERATION):
Name Class Operations Flags
DH 0x00000004 0x00000008 0x0
ECDH_P256 0x00000004 0x00000018 0x0
ECDH_P384 0x00000004 0x00000018 0x0
ECDH_P521 0x00000004 0x00000018 0x0
NCryptEnumAlgorithms(NCRYPT_SIGNATURE_OPERATION):
Name Class Operations Flags
RSA 0x00000003 0x00000014 0x0
DSA 0x00000005 0x00000010 0x0
ECDSA_P256 0x00000005 0x00000010 0x0
ECDSA_P384 0x00000005 0x00000010 0x0
ECDSA_P521 0x00000005 0x00000010 0x0
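The following is an added example, not part of the original documentation or the vendor's tooling: PowerShell that parses text in the cnglist --list-algorithms output form shown above and reports required algorithms that a provider does not list, which is worth checking before an application is pointed at a different key storage provider. The function names, the required-algorithm set, and the sample text are constructed for illustration.

```powershell
# Added example, not vendor code. Function names are hypothetical.
function ConvertFrom-CngListAlgorithm {
    param([string[]]$Lines)
    $operation = $null
    $row = '^(\S+)\s+(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)(?:\s+(0x[0-9A-Fa-f]+))?$'
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^[BN]CryptEnumAlgorithms\((\w+)\)') {
            $operation = $Matches[1]   # "no supported algorithms" sections yield no rows
        } elseif ($operation -and $text -match $row) {
            # NCrypt rows: Class, Operations, Flags. BCrypt rows: Class, Flags only.
            $ops, $flags = $null, $Matches[3]
            if ($Matches[4]) { $ops, $flags = $Matches[3], $Matches[4] }
            [pscustomobject]@{ Operation = $operation; Name = $Matches[1]
                               Class = $Matches[2]; Operations = $ops; Flags = $flags }
        }
    }
}

function Get-MissingCngAlgorithm {
    param([string[]]$Lines, [hashtable]$Required)
    $found = @(ConvertFrom-CngListAlgorithm -Lines $Lines)
    foreach ($op in $Required.Keys) {
        foreach ($name in $Required[$op]) {
            $hit = $found | Where-Object { $_.Operation -eq $op -and $_.Name -eq $name }
            if (-not $hit) { [pscustomobject]@{ Operation = $op; Name = $name } }
        }
    }
}

# Constructed sample in the output form shown above, for a provider without ECDSA_P224.
# On a real host: $lines = cnglist --list-algorithms --keystorage --nc
$sample = @'
NCryptEnumAlgorithms(NCRYPT_HASH_OPERATION) no supported algorithms
NCryptEnumAlgorithms(NCRYPT_SECRET_AGREEMENT_OPERATION):
Name Class Operations Flags
ECDH_P256 0x00000004 0x00000018 0x0
NCryptEnumAlgorithms(NCRYPT_SIGNATURE_OPERATION):
Name Class Operations Flags
RSA 0x00000003 0x00000014 0x0
ECDSA_P256 0x00000005 0x00000010 0x0
'@ -split "`r?`n"

# Required set is an assumption for this example; use your application's real needs.
Get-MissingCngAlgorithm -Lines $sample -Required @{
    NCRYPT_SIGNATURE_OPERATION        = 'RSA', 'ECDSA_P224'
    NCRYPT_SECRET_AGREEMENT_OPERATION = 'ECDH_P256'
}
```

An empty result means every required algorithm is listed under the expected operation.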
cngregister
x86 | x64 |
---|---|
|
|
This is the nShield CNG CSP registration utility. You can use it to unregister and re-register the nShield providers manually.
To unregister the nShield CNG CSP, run the command:
cngregister -U
This command produces output of the form:
Unregistered provider 'nCipher Primitive Provider'
Unregistered provider 'nCipher Security World Key Storage Provider'
This command unregisters the CNG CSP, but does not remove the provider DLL files from your system. For information about removing these files, see:
If any applications or services are using the nShield CNG CSP for key storage or cryptography, unregistering it can cause system instability.
After unregistering the nShield CNG CSP, you can reregister it at any time as long as the files have not been uninstalled from your system. To reregister the nShield CNG CSP on your system, run the command:
cngregister
You cannot use the cngregister command-line utility to configure the nShield CNG providers for use as defaults.
We recommend that you always use the nShield CNG providers by selecting them directly with the application that is using CNG.
ncsvcdep
x86 | x64 |
---|---|
|
|
This utility is the service dependency tool. You can configure some service-based applications, such as Microsoft Certificate Services and IIS, to use the nShield CNG CSP. The nShield Service dependency tool enables you to add the nFast Server to the dependency list of such services.
Use the ncsvcdep utility to ensure that the nShield nFast Server service is running before certain services are enabled.
For example, Active Directory Certificate Services or Internet Information Services require that the hardserver is running in order to use the nShield CNG CSP.
Failure to set this dependency can lead to system instability.
To list installed services, run the ncsvcdep command with the -l option:
ncsvcdep -l
Output from this command has the form:
Installed Services (Count - "Display Name" - "Service Name")
0 - "Application Experience" - "AeLookupSvc"
1 - "Application Layer Gateway Service" - "ALG"
2 - "Application Information" - "Appinfo"
3 - "Application Management" - "AppMgmt"
4 - "Windows Audio Endpoint Builder" - "AudioEndpointBuilder"
.
.
108 - "nFast Server" - "nFast Server"
109 - "Active Directory Certificate Services" - "CertSvc"
Always run ncsvcdep as a user with full administrative privileges.
To set a dependency, run the command:
ncsvcdep -a "DependentService"
In this command, DependentService is the service that has the dependency. The following example shows how to make the Active Directory Certificate Services dependent on the nFast Server:
ncsvcdep -a "CertSvc"
Dependency change succeeded.
To remove a specific dependency relationship, run ncsvcdep with the -r option, for example:
ncsvcdep -r "CertSvc"
Dependency change succeeded.
To remove all dependencies, run ncsvcdep with the -x option:
ncsvcdep -x
Microsoft Certificate Services require that the certsvc service is made dependent on the hardserver.
Microsoft Internet Information Services require that the http service is made dependent on the hardserver.
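One way to confirm the dependencies described above after running ncsvcdep -a, as an added example rather than vendor code. It assumes the hardserver's service name is nFast Server, as in the ncsvcdep -l listing above, and reads the DependOnService registry value in which Windows stores a service's dependency list; the function name is hypothetical.

```powershell
# Added example, not vendor code. Test-HardserverDependency is a hypothetical name.
function Test-HardserverDependency {
    param(
        [Parameter(Mandatory)][string[]]$ServiceName,
        # Assumption: hardserver service name as listed by ncsvcdep -l above.
        [string]$Hardserver = 'nFast Server'
    )
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($name in $ServiceName) {
        $key = Join-Path $root $name
        if (-not (Test-Path -LiteralPath $key)) {
            # Service is not installed on this host, so there is nothing to check.
            [pscustomobject]@{
                Service = $name; Installed = $false
                DependsOnHardserver = $false; Dependencies = @()
            }
            continue
        }
        # A missing DependOnService value means the service has no dependencies.
        $deps = @((Get-ItemProperty -LiteralPath $key).DependOnService |
                  Where-Object { $_ })
        [pscustomobject]@{
            Service = $name; Installed = $true
            DependsOnHardserver = ($deps -contains $Hardserver)
            Dependencies = $deps
        }
    }
}

# CertSvc and http are the services this page says must depend on the hardserver.
$report = Test-HardserverDependency -ServiceName 'CertSvc', 'http'
$report | Format-Table -AutoSize

$gaps = @($report | Where-Object { $_.Installed -and -not $_.DependsOnHardserver })
if ($gaps.Count) {
    Write-Warning ("No dependency on the hardserver: " + ($gaps.Service -join ', '))
}
```

The check only matters for services that are configured to use the nShield CNG CSP; run it from an elevated session so the service keys are readable.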
configure-csp-poolmode
x86 | x64 |
---|---|
|
|
This utility enables you to configure HSM Pool mode for the nShield CNG CSP without using the CNG wizard.
To enable HSM Pool mode for CNG, run the command:
configure-csp-poolmode --cng --enable
To disable HSM Pool mode for CNG, run the command:
configure-csp-poolmode --cng --disable
To remove the HSM Pool mode setting for CNG from the registry, use the command:
configure-csp-poolmode --cng --remove
cngsoak
x86 | x64 |
---|---|
cngsoak32.exe | cngsoak.exe |
This utility provides statistics about the performance of the nShield CNG CSP.
Specifically, use cngsoak to determine the speed of:
- signing a hash (cngsoak --sign)
- encryption (cngsoak --encrypt)
- key exchange (cngsoak --keyx)
- key generation (cngsoak --generate).
The output from cngsoak is displayed in columns.
From left to right, these columns display:
- the time in seconds that cngsoak has been running
- the total number of operations completed
- the number of operations completed in the last second
- the average number of operations completed each second.