Introducing the X509Crypto Command Line Utility
The X509Crypto Command Line Utility (CLI) is a companion tool to be used in conjunction with the X509Crypto class library. It provides access to many of the core features of the class library without the need for you to write test programs to execute one-off tasks (such as encrypting a piece of text).
Visit GitHub to download the latest version of the X509Crypto CLI.
Modes of operation
Usage: X509Crypto.exe [COMMAND]
| Command | Description |
|---|---|
| Encrypt | Encrypts the specified plaintext expression or file |
| Decrypt | Decrypts the specified ciphtertext expression or file |
| ReEncrypt | Encrypts the specified ciphertext expression or file using a different encryption certificate |
| AddAlias | Creates a new X509Alias |
| UpdateAlias | Updates an X509Alias to use a different encryption certificate |
| RemoveAlias | Removes an X509Alias from the specified X509Context |
| ImportAlias | Imports an X509Alias from the specified file |
| ExportAlias | Exports the specified X509Alias to a file |
| DumpAlias | Lists the secret identiers (and values if desired) contained within the specified X509Alias |
| InstallCert | Installs an encryption certificate and associated key pair from a PKCS#12 (typically .pfx or .p12) file into the specified X509Context |
| MakeCert | Creates and installs a new, self-signed encryption certificate in the specified X509Context |
| ExportCert | Exports the specified certificate and key pair to a PKCS#12 file |
| List | Lists the X509Alias' and/or encryption certificates available in the specified context |
| Impersonate | Starts or stops executing subsequent X509Crypto commands as a different user account |
| Help | Displays this help message |
| Exit | Exits the X509Crypto program |
Encrypt Command
Encrypts the specified plaintext expression or file
Usage: X509Crypto.exe Encrypt [-text|-file]
Supported Modes:
Encrypt -text Mode
Encrypts the specified text expression
Usage: X509Crypto.exe Encrypt -text -alias [NAME] -context [user | system] -in [text] { -secret [IDENTIFIER] -out [PATH |clipboard | screen] }
| Parameter | Required? | Description |
|---|---|---|
| -alias | Required | The X509Alias to use for encryption |
| -context | Required | The X509Context where cryptographic operations occur |
| -in | Required | The text expression to be encrypted |
| -secret | Not Required | A unique identifier used to identify a ciphertext expression and recover the corresponding plaintext expression from the specified X509Alias |
| -out | Not Required | The path of the file to write the ciphertext. Use "clipboard" to write the output to the system clipboard instead |
Encrypt -file Mode
Encrypts the specified file (all file formats are supported)
Usage: X509Crypto.exe Encrypt -file -alias [NAME] -context [user | system] -in [PATH] { -out [PATH] -wipe [Times to write] -overwrite [Y | N] }
| Parameter | Required? | Description |
|---|---|---|
| -alias | Required | The X509Alias to use for encryption |
| -context | Required | The X509Context where cryptographic operations occur |
| -in | Required | The path of the file to be encrypted |
| -out | Not Required | The path of the file to write the ciphertext. If not defined, the input file path will be used, adding a ".ctx" extention |
| -wipe | Not Required | Removes residual data from disk after cryptographic operations have completed. The more times to write, the better the data destruction, but the performance impact will be higher |
| -overwrite | Not Required | Indicates whether the specified file should be overwritten if it already exists. |
Decrypt Command
Decrypts the specified ciphtertext expression or file
Usage: X509Crypto.exe Decrypt [-text|-file]
Supported Modes:
Decrypt -text Mode
Decrypts the specified ciphertext expression
Usage: X509Crypto.exe Decrypt -text -alias [NAME] -context [user | system] -out [PATH |clipboard | screen] { -secret [IDENTIFIER] -in [ciphertext] }
| Parameter | Required? | Description |
|---|---|---|
| -alias | Required | The X509Alias to use for decryption |
| -context | Required | The X509Context where cryptographic operations occur |
| -out | Required | The path of the file to write the plaintext. Use "clipboard" to write the output to the system clipboard instead |
| -secret | Not Required | A unique identifier used to identify a ciphertext expression and recover the corresponding plaintext expression from the specified X509Alias |
| -in | Not Required | The ciphertext expression to be decrypted |
Decrypt -file Mode
Decrypts the specified ciphertext file
Usage: X509Crypto.exe Decrypt -file -alias [NAME] -context [user | system] -in [PATH] { -out [PATH] -wipe [Times to write] -overwrite [Y | N] }
| Parameter | Required? | Description |
|---|---|---|
| -alias | Required | The X509Alias to use for decryption |
| -context | Required | The X509Context where cryptographic operations occur |
| -in | Required | The path to the ciphertext file to be decrypted |
| -out | Not Required | The path of the file to write the recovered plaintext file |
| -wipe | Not Required | Removes residual data from disk after cryptographic operations have completed. The more times to write, the better the data destruction, but the performance impact will be higher |
| -overwrite | Not Required | Indicates whether the specified file should be overwritten if it already exists. |
ReEncrypt Command
Encrypts the specified ciphertext expression or file using a different encryption certificate
Usage: X509Crypto.exe ReEncrypt [-text|-file]
Supported Modes:
ReEncrypt -text Mode
Re-encrypts the specified ciphertext expression using a different encryption certificate
Usage: X509Crypto.exe ReEncrypt -text -alias [NAME] -context [user | system] { -newalias [NAME] -newcontext [user | system] -secret [IDENTIFIER] -in [ciphertext] -out [PATH |clipboard | screen] }
| Parameter | Required? | Description |
|---|---|---|
| -alias | Required | Specifies the X509Alias currently used for encryption |
| -context | Required | The X509Context where the X509Alias currently exists |
| -newalias | Not Required | The X509Alias to be created (If not specified, the current alias will be used) |
| -newcontext | Not Required | The X509Context where the target X509Alias exists. If not specified, the selection for context will be used |
| -secret | Not Required | A unique identifier used to identify a ciphertext expression and recover the corresponding plaintext expression from the destination X509Alias |
| -in | Not Required | The ciphertext expression to be re-encrypted |
| -out | Not Required | The path of the file to write the ciphertext. Use "clipboard" to write the output to the system clipboard instead |
ReEncrypt -file Mode
Re-encrypts the specified ciphertext file using a different X509Alias
Usage: X509Crypto.exe ReEncrypt -file -alias [NAME] -context [user | system] -newalias [NAME] -in [PATH] { -newcontext [user | system] }
| Parameter | Required? | Description |
|---|---|---|
| -alias | Required | Specifies the X509Alias currently used for encryption |
| -context | Required | The X509Context where the X509Alias currently exists |
| -newalias | Required | The target X509Alias to be used for encryption going forward |
| -in | Required | The path of the ciphertext file to be re-encrypted |
| -newcontext | Not Required | The X509Context where the target X509Alias exists. If not specified, the selection for context will be used |
AddAlias Command
Adds a new X509Alias to the specified X509Context
Usage: X509Crypto.exe AddAlias -name [NAME] -context [user | system] -thumb [cert thumbprint]
| Parameter | Required? | Description |
|---|---|---|
| -name | Required | The desired name for the X509Alias to be created. Must be unique within the chosen X509Context |
| -context | Required | The X509Context where cryptographic operations occur |
| -thumb | Required | The thumbprint of the encryption certificate |
UpdateAlias Command
Updates an existing X509Alias with a new encryption certificate
Usage: X509Crypto.exe UpdateAlias -name [NAME] -context [user | system] -thumb [cert thumbprint] { -newcontext [user | system] }
| Parameter | Required? | Description |
|---|---|---|
| -name | Required | The name of the X509Alias to be updated |
| -context | Required | The X509Context where the X509Alias currently exists |
| -thumb | Required | The thumbprint of the encryption certificate |
| -newcontext | Not Required | The X509Context where the new X509Alias should be created. If not specified, the selection for context will be used |
RemoveAlias Command
Removes an X509Alias from the specified X509Context
Usage: X509Crypto.exe RemoveAlias -name [NAME] -context [user | system]
| Parameter | Required? | Description |
|---|---|---|
| -name | Required | The name of the X509Alias to be removed |
| -context | Required | The X509Context where cryptographic operations occur |
ImportAlias Command
Imports the X509Alias contained in the specified file
Usage: X509Crypto.exe ImportAlias -in [PATH] -context [user | system] { -name [NAME] -overwrite [Y | N] }
| Parameter | Required? | Description |
|---|---|---|
| -in | Required | The path to the file containing the X509Alias to be imported |
| -context | Required | The X509Context where cryptographic operations occur |
| -name | Not Required | The desired name for the X509Alias (if not specified, the alias indicated in the source file will be used) |
| -overwrite | Not Required | Indicates whether an existing X509Alias (having the same name as the imported alias) may be overwritten |
ExportAlias Command
Exports the specified X509Alias to a file. Encryption certificate and private key are not included
Usage: X509Crypto.exe ExportAlias -name [NAME] -context [user | system] -out [PATH] { -overwrite [Y | N] }
| Parameter | Required? | Description |
|---|---|---|
| -name | Required | The name of the X509Alias to be exported |
| -context | Required | The X509Context where cryptographic operations occur |
| -out | Required | The file path to write the exported X509Alias. |
| -overwrite | Not Required | Indicates whether the specified file should be overwritten if it already exists. |
DumpAlias Command
Generates a report of the secrets contained within an X509Alias
Usage: X509Crypto.exe DumpAlias -name [NAME] -context [user | system] -out [PATH |clipboard | screen] { -reveal [Y | N] }
| Parameter | Required? | Description |
|---|---|---|
| -name | Required | The name of the X509Alias from which to list existing secrets |
| -context | Required | The X509Context where cryptographic operations occur |
| -out | Required | The file path to write the X509Alias details. Use "clipboard" to write the output to the system clipboard instead |
| -reveal | Not Required | Indicates whether the values of the secrets contained within the X509Alias should be revealed in the command output |
InstallCert Command
Imports the specified encryption certificate and key pair into the specified X509Context
Usage: X509Crypto.exe InstallCert -in [PATH] -context [user | system] { -alias [NAME] }
| Parameter | Required? | Description |
|---|---|---|
| -in | Required | The path to the PKCS#12 (typically .pfx or .p12) file which contains the encryption certificate and associated private key to be installed |
| -context | Required | The X509Context where the specified encryption certificate should be installed |
| -alias | Not Required | The desired name for the X509Alias (if you wish to use this encryption certificate in an X509Alias) |
MakeCert Command
Generates a new, self-signed encryption certificate
Usage: X509Crypto.exe MakeCert -context [user | system] { -name [NAME] -keysize [size] -years [years] -alias [NAME] }
| Parameter | Required? | Description |
|---|---|---|
| -context | Required | The X509Context where cryptographic operations occur |
| -name | Not Required | Indicates the identity of the person or device this certificate will be issued to. If not indicated, the logged in username or the device name will be used |
| -keysize | Not Required | Indicates the length of the key pair which will be generated. The larger the key, the higher the security, but performance may be slower |
| -years | Not Required | Indicates the validity period of the encryption certificate. Once the certificate expires, it can no longer be used to encrypt new secrets. |
| -alias | Not Required | The desired name for the X509Alias (if you wish to use this encryption certificate in an X509Alias) |
ExportCert Command
Exports the specified certificate and key pair to a PKCS#12 file
Usage: X509Crypto.exe ExportCert -context [user | system] -out [PATH] { -alias [NAME] -thumb [cert thumbprint] }
| Parameter | Required? | Description |
|---|---|---|
| -context | Required | The X509Context where cryptographic operations occur |
| -out | Required | The path where the PKCS#12 certificate and key pair bundle file should be written |
| -alias | Not Required | The X509Alias from which to export the encryption certificate and key pair (cannot be used with thumb) |
| -thumb | Not Required | The thumbprint of the encryption certificate to export (cannot be used with alias) |
List Command
Usage: X509Crypto.exe List -context [user | system] -type [alias|cert] { -out [PATH |clipboard | screen] }
| Parameter | Required? | Description |
|---|---|---|
| -context | Required | The X509Context where cryptographic operations occur |
| -type | Required | Indicates whether to display a list of X509Aliases or available encryption certificates present in the specified X509Context |
| -out | Not Required | The file path to write the output. Use "clipboard" to write the output to the system clipboard instead |
Impersonate Command
Starts or ends the execution of subsequent X509Crypto commands as a different user account
Usage: X509Crypto.exe Impersonate { -user [USER ACCOUNT] -end }
| Parameter | Required? | Description |
|---|---|---|
| -user | Not Required | The domain user in which to impersonate (either "[USERNAME]" or "[DOMAIN][USERNAME]") |
| -end | Not Required | Ends an impersonation session (if impersonation is currently occurring) |
Help Command
Displays a help message
Usage: X509Crypto.exe Help
Exit Command
Terminates the X509Crypto program
Usage: X509Crypto.exe Exit