# /opt/sap/libcrypto/sapgenpse -h

SAPGENPSE tool for creation and management of PSE-files and SSO-credentials

Usage: sapgenpse [-fips on/off] [-h] [-l <sapcryptoPath>] <command> [-h]
[sub-options] ...

-l <sapcryptoPath>    Path of CommonCryptoLib (libsapcrypto.so) to be used
-h                    Show help text
-fips on/off          Activate FIPS 140-2 mode
<command>             Command to execute
<command> -h          Show help text of named command

All commands that create PSEs or Credentials support the option -lps.
(These commands are gen_pse, import_p12, import_p8, keytab, seclogin)
The -lps option enables the usage of the Local Protection Storage (LPS) to
protect the sensitive information stored in PSEs and Credentials.
An LPS protected PSE or credential could only be used on the same system
where it has been created.
The LPS uses one of the following mechanisms to protect the data:
- (DP ) The Microsoft Data Protection API, on Windows only
- (TPM) Trusted Platform Module (TPM), on Linux systems with an installed TPM
- (INT) Internal protection mechanisms, on all other systems

It is strongly recommended to use LPS to protect all PSEs and Credentials.
The command lps_enable can be used to enable LPS on existing PSEs.
The command seclogin can be used to enable LPS on existing credentials.


<command> must be one of:
gen_pse           create new PSE and/or PKCS#10 certification request
(same as "get_pse")
gen_verify_pse    generate a verify PSE
import_own_cert   import CA response to PKCS#10 certification request
seclogin          create/add/delete SSO-credentials for a PSE ("cred_v2")
or change PIN/Passphrase of a PSE
get_my_name       show attributes of the user certificate/keytab in a PSE
maintain_pk       show/add/delete trusted keys/certs in PKList of PSE
export_own_cert   export the user certificate of a PSE
import_p12        import a PKCS#12 digital ID transport file
export_p12        export a PKCS#12 digital ID transport file
pseconv           convert between PSE format v2 and v4
import_p8         create new PSE from PKCS#8 private key plus certs
export_p8         export a PKCS#8 private key file
keytab            manage keyTab in PSE
cryptinfo         show properties of SAP CommonCryptoLib Crypto Kernel
lps_import        import a PSE (add LPS protection)
lps_export        export a PSE (remove LPS protection)
lps_enable        enables LPS protection of a PSE (in-place)
lps_disable       disables LPS protection of a PSE (in-place)
lps_show          show LPS protection state of a PSE
show              show file content and other information
tlsinfo           show TLS cipersuites for a given alias string
sncinfo           show SNC cipersuites for a given alias string
hsminfo           check HSM access
get_crl           get revocation list

passing "-h" after a <command> will show further help information