Skip to main content

Code Sign Client CLI reference

Synopsis

For setting up the PKCS11 client (supported on all platforms):

pkcs11config [command] [--options]

For setting up the CSP/KSP client on Windows:

cspconfig [command] [--options]

Configuration commands

CommandDescription
loginAuthenticates to a CyberArk Code Sign Manager server.
checkloginChecks the current authentication status.
logoutRevokes a grant.
trustManages trust for the CyberArk Code Sign Manager server.
seturlsDetects or sets URLs.
optionManages general configuration.
proxySets HTTP proxy options.
resetResets the client configuration.
updateChecks for and installs software updates.

Signing and verification commands

CommandDescription
listLists all objects available to the user.
signCreates a signature for a file.
verifyVerifies a file signature.

Common commands

CommandDescription
getcertificateRetrieves a certificate.
getpublickeyRetrieves the public key of a certificate.
traceManages trace settings for troubleshooting.
healthChecks client configuration health. No additional options.
versionDisplays the version number and build timestamp. No additional options.
helpDisplays general usage information. To get specific command help, run pkcs11config [command] -h.

Command options

login options

Authenticates to the CyberArk Code Sign Manager service.

If previously authenticated, then the existing authentication values will be verified and refreshed if needed, ignoring any other provided credentials, unless --force is used.

If URL arguments are specified, the given URLs will be configured and used to authenticate.

Running login without any options will invoke interactive mode.

API credential options:

OptionDescription
--token=<api-key>API key of the user authenticating.

Service account credential options:

OptionDescription
--clientid=<uuid>The UUID of the service account.
--keyfile=<file>Path to a file that contains the private key in PEM format. Used when authenticating a service account using Auto-generate a keypair and download the private key.
--generateGenerates a key pair for the service account. Used when authenticating a service account using Generate your own keypair and upload the public key.

URL options:

OptionDescription
--hostname=<url>API endpoint URL for your region. This option detects and automatically sets the URLs for authurl, hsmurl, and updateurl. For a list of regional endpoint URLs, see API Endpoints.
--authurl=<url>Authentication server URL. This option is set automatically when using --hostname.
--hsmurl=<url>VedHsm backend URL. This option is set automatically when using --hostname.
--updateurl=<url>Authentication server URL. This option is set automatically when using --hostname.

Proxy options:

OptionDescription
--proxymode=<mode>Enables or disables using a proxy server for communication (options: auto, disable, url).
--proxyurl=<url>URL of the proxy server to use (implies --proxymode:url).
--noproxy=<list>A list of hostnames that should not use the proxy.
--showShows current proxy settings.

Advanced options:

OptionDescription
--forceForces getting a new grant; never refreshes.

checklogin options

Verifies the currently stored authentication details with the CyberArk Code Sign Manager server and displays details.

Return code 0 indicates a grant has been configured.

Return code 1 indicates a missing or expired grant.

OptionDescription
--days=<count>Authentication is treated as invalid if it will expire within <count> days. This option is valid only for service account authentication.

logout options

Logs the user or service account out.

OptionDescription
--clearCompletely removes any stored configuration after logging out.
--forceForces logging out without confirmation.

trust options

Manages the certificate trust store. Trust is required to communicate with the CyberArk Code Sign Manager server.

OptionDescription
--checkChecks if the configured CyberArk Code Sign Manager is trusted.
--delete=<name>Removes trust for any certificate with a subject containing <name>.
--filename=<file>PEM certificate file to import certificates from.
--forceForces import without confirmation.
--hostname=<url>API endpoint URL for your region. This option detects and automatically sets the URLs for authurl, hsmurl, and updateurl. For a list of regional endpoint URLs, see API Endpoints.
--showShows existing certificates in the trust store.

seturls options

Detects or sets the URLs that should be used for authentication, signing, and client updates. These same options are available from the login command.

OptionDescription
--hostname=<url>API endpoint URL for your region. This option detects and automatically sets the URLs for authurl, hsmurl, and updateurl. For a list of regional endpoint URLs, see API Endpoints.
--authurl=<url>Authentication server URL. This option is set automatically when using --hostname.
--hsmurl=<url>VedHsm backend URL. This option is set automatically when using --hostname.
--updateurl=<url>Update server URL. This option is set automatically when using --hostname.

option options

Manages and displays configuration options.

OptionDescription
--clear=<name>Clears the value for <name>.
--showDisplays the value for <name> or all if no --name specified.
--name=<name>Name to set, show, or clear.
--value=<value>Value to set.

proxy options

Configures proxy settings to use when communicating with backend APIs. These same options are available from the login command.

OptionDescription
--proxymode=<mode>Enables or disables using a proxy server for communication (options: auto, disable, url).
--proxyurl=<url>URL of the proxy server to use (implies --proxymode:url).
--noproxy=<list>A list of hostnames that should not use the proxy.
--showShows current proxy settings.

reset options

Resets the client configuration.

OptionDescription
--allResets all configuration.
--currentResets only the current configuration (default).
--preservePreserves configured URLs.

update options

Checks for and displays available client software updates.

OptionDescription
--latestDownloads and installs the latest available version unless it is already installed.
--architecture=<arch>Overrides the detected architecture (options: x86_64, x86_32, arm64).
--type=<type>Overrides the detected package type (options: msi, rpm, deb, dmg).
--out=<file>Stores the package in the specified output directory and does not install it.
--updateurl=<url>Sets the client update server URL.

list options

Displays a list of all available objects. Defaults to listing certificates and public keys from all available environments.

Use list to find object labels.

OptionDescription
--env=<type-list>Shows only environments of the specified types (options: all, certificate, keypair).
--type=<type-list>Shows only objects of the specified types (options: all, private, public, certificate).
--sort=<column>Sorts by the specified column (options: label, environment, object, keytype, detail, context, keyid, handle).
--groupedGroups related objects.
--tableOutputs in table format.
--numberDisplays a number for each item when used with --table.
--reverseReverses the sort order.
--forceDoes not wait and reload if objects are pending creation.

sign options

Creates a signature for a file using the CyberArk Code Sign Manager server directly.

📘 Note This command hashes the specified file, signs the hash, and stores the raw resulting signature. The format of the signature is intended to test key access only and is not compatible with most other tools.

OptionDescription
--filename=<file>File to sign.
--output=<file>Filename to store the signature in.
--label=<label>Label of the key to use for signing.
--forceOverwrites the output file if it already exists.
--hashalgHash algorithm to use for post-quantum (default: SHA2_256) (options: SHA2_256, SHA2_384, SHA2_512, SHA3_256, SHA3_384, SHA3_512, SHAKE_128, SHAKE_256, PURE).

verify options

Verifies a signature created by the sign command.

📘 Note This command cannot verify a signature created with external tools.

OptionDescription
--filename=<file>File to verify.
--input=<file>File that holds the signature.
--label=<label>Label of the key to use for verification.
--hashalgHash algorithm to use for post quantum (default: SHA2_256) (options: SHA2_256, SHA2_384, SHA2_512, SHA3_256, SHA3_384, SHA3_512, SHAKE_128, SHAKE_256, PURE).

getcertificate options

Retrieves a certificate and/or certificate chain.

OptionDescription
--filename=<file>Output file for the certificate.
--chainfile=<file>Output file for the certificate chain (not available with --format:DER).
--format=<format>Output file format (default: PEM) (options: PEM, DER).
--label=<label>Label of the certificate to retrieve.
--rootfirstWrites the chain in root→intermediate order (default is intermediate→root).
--splitSplits the chain file so each certificate is written to a separate file.
--forceOverwrites output files if they already exist.

getpublickey options

Retrieves a public key.

OptionDescription
--filename=<file>Output file for the public key.
--format=<format>Output file format (default: PEM) (options: PEM, DER).
--label=<label>Label of the public key to retrieve.
--forceOverwrites output files if they already exist.

trace options

Manages settings for diagnostics and troubleshooting.

OptionDescription
--consoleEnables or disables tracing for console output.
--logEnables or disables tracing for the trace log.
--disableDisables console or file tracing.
--enableEnables console or file tracing.
--filename=<file>Sets the trace log file path and filename prefix.
--output=<stderr|stdout>Sets the console output target.
--showDisplays existing trace settings.
--module=<file>Sets the location of the PKCS#11 library.
--pkcs11=<file>Sets the PKCS#11 API trace file path and filename prefix.