
/Add Switch

The /Add switch of the Enhanced Storage Certificate Management tool adds a certificate to the authentication silo certificate (ASC) store on a specified IEEE 1667-compliant USB storage device.

Note  In this topic, the specified IEEE 1667-compliant USB storage device is known as the target device.

    EhStorCertMgrCmd /Add -Volume:VolumeName -Type:CertificateType -Validation:{None|Basic|Extended} [-Index:IndexValue] [[-Store:Certificate]|[-File:PathToFile]|[-New:PathToIniFile]]

Subparameters

-Volume

The volume name of the target device. For more information about the format of this parameter, see Overview of the Enhanced Storage Certificate Management Tool.

Note  To produce a list of the volume names of the IEEE 1667-compliant USB storage devices currently connected to a computer, type EhStorCertMgrCmd /List at the command prompt and then press Enter.

-Type

The type of the certificate to be added to the ASC store in the target device. The following table defines the valid certificate types.

| Type value | Description | Index |
|---|---|---|
| ASCh | The authentication silo certificate (ASC) host certificate that is used to authenticate the certificate authentication silo to the host. | Any index greater than 1. |
| HCh | The host certificate (HCh) that is used to authenticate the host to the certificate authentication silo. | Any index greater than 1. |
| PCp | The provisioning certificate (PCp) that is used in administrative command sequences to provision and administer the certificate authentication silos. | 1 |
| SCh | The signer certificate (SCh) that is used to define a certificate that is trusted by the host. This trusted certificate is a chain of the ASCh certificate and zero or more SCh certificates. | Any index greater than 1. |

-Validation

The type of certificate validation procedure that is performed by the addressable command target (ACT) in the target device. The following table defines the correct validation types.

| Validation value | Description |
|---|---|
| None | The certificate is not validated. |
| Basic | The certificate is validated through the Basic Validation Policy as defined within the IEEE 1667 standard. |
| Extended | The certificate is validated through the Extended Validation Policy as defined within the IEEE 1667 standard. |

Note  If the -Validation: parameter is not specified, the tool uses a validation value of None.

-Index

The index within the ASC store where the certificate will be saved. If the specified index contains a certificate, that certificate will be replaced. The index value must be greater than zero.

-Store

The name of a certificate in a certificate store on the host. If the certificate is found in a certificate store, the tool adds it to the target device.

For more information, see Importing Certificates from a Windows Certificate Store.

-File

The path and name of a file that contains a certificate. If the certificate file is found, the tool adds it to the target device. This certificate could have been created through the MakeCert tool or imported through the /Export switch of the Enhanced Storage Certificate Management tool.

For more information, see Importing Certificates from a File.

-New

The path and name of a file that contains the specifications that are used to create a self-signed certificate. If the file is found and the specifications are valid, the tool creates the certificate, digitally signs it, and adds the certificate to the target device.

For more information, see Creating Certificates for USB Storage Devices.

Comments

The following guidelines apply when you add certificates to the target device:

  • The PCp certificate is used to perform administrative authentication between the host and the target device. If the target device does not have a PCp certificate, you must first provision the target device with a PCp certificate. For the PCp certificate type, the -Index switch must be specified with a value of one.

    Important  It is best to only provision the target device with a PCp certificate that has its private key stored in a certificate store on your computer. If an incorrect PCp certificate is provisioned on the target device, you will not be able to clear the certificate store (which includes the PCp certificate) by using the /Initialize switch.
  • If the -Index switch is not specified when you add HCh, ASCh, and SCh certificates, the tool stores the certificate in the first index within the ASC store that is not used.

    Note  In order to add these certificate types to the target device, the correct PCp certificate must reside in the host in order to pass administrative authentication with the device.
  • If the specified index is not empty in the target device, the /Add switch replaces the existing certificate with the specified certificate.

    Note  If the Enhanced Storage Certificate Management tool replaces an ASCh certificate at the specified index, the tool removes all related SCh in the ASCh certificate chain.

    If the tool replaces an SCh certificate at the specified index that is part of an ASCh certificate chain, the tool removes the SCh certificate together with all its parent SCh certificates in the certificate chain.

  • Specify exactly one of the -Store, -File, or -New parameters.

Note   The Enhanced Storage Certificate Management tool cannot add, remove, or replace the ASC-manufacturer (ASCm) certificate from the ASC store in the target device.

Example

The following example shows how to add a certificate from the certificate store on the host to a target device:


    EhStorCertMgrCmd /Add -Volume:"\\?\usbstor#ieee1667control&ven_&prod_&rev_#123456789&0&control#{4f40006f-b933-4550-b532-2b58cee614d3}" -Index:1 -Store:TestCert -Type:PCp -Validation:None
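
The guidelines in the Comments section can be checked on the host before the tool writes to the target device. The following PowerShell helper is an added example and is not part of the original topic or of the Enhanced Storage Certificate Management tool. The function name Get-EhStorAddArguments is hypothetical, and looking up the -Store name by subject CN in the CurrentUser and LocalMachine "My" stores is an assumption about how the name resolves.

```powershell
# Added example: pre-flight checks for EhStorCertMgrCmd /Add (hypothetical helper).
function Get-EhStorAddArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Volume,
        [Parameter(Mandatory)][ValidateSet('ASCh','HCh','PCp','SCh')][string]$Type,
        [ValidateSet('None','Basic','Extended')][string]$Validation = 'None',
        [int]$Index,
        [string]$Store,
        [string]$File,
        [string]$New
    )
    # Exactly one certificate source may be given: -Store, -File or -New.
    $source = @('Store','File','New' | Where-Object { $PSBoundParameters.ContainsKey($_) })
    if ($source.Count -ne 1) { throw 'Specify exactly one of -Store, -File or -New.' }
    $srcName  = $source[0]
    $srcValue = $PSBoundParameters[$srcName]

    # -File and -New point at files that must exist on the host.
    if ($srcName -ne 'Store' -and -not (Test-Path -LiteralPath $srcValue -PathType Leaf)) {
        throw "File not found: $srcValue"
    }

    if ($Type -eq 'PCp') {
        # PCp is stored at index 1, and -Index must be given explicitly.
        if ($Index -ne 1) { throw 'PCp requires -Index 1.' }
        if ($srcName -eq 'Store') {
            # Assumption: the -Store name is matched against the subject CN in the "My" stores.
            $held = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
                Where-Object { $_.Subject -like "*CN=$Store*" -and $_.HasPrivateKey }
            if (-not $held) { throw "No certificate '$Store' with a private key found on this host." }
        } else {
            Write-Warning 'Host possession of the PCp private key not verified; /Initialize cannot clear a wrong PCp.'
        }
    } elseif ($PSBoundParameters.ContainsKey('Index') -and $Index -le 1) {
        throw "$Type requires an index greater than 1."
    }

    $cmdArgs = @('/Add', "-Volume:$Volume", "-Type:$Type", "-Validation:$Validation")
    if ($PSBoundParameters.ContainsKey('Index')) { $cmdArgs += "-Index:$Index" }
    $cmdArgs + "-${srcName}:$srcValue"
}

# Usage: take the volume name from EhStorCertMgrCmd /List, then run the tool with the checked arguments.
# $a = Get-EhStorAddArguments -Volume '<VolumeName>' -Type PCp -Index 1 -Store TestCert
# & EhStorCertMgrCmd @a
```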

© 2015 Microsoft