/Replace Switch

The /Replace switch of the Enhanced Storage Certificate Management tool replaces the certificate at a specified index in the authentication silo certificate (ASC) store of an IEEE 1667-compliant USB storage device.

Note  In this topic, the specified IEEE 1667-compliant USB storage device is referred to as the target device.

    EhStorCertMgrCmd /Replace -Volume:VolumeName -Type:CertificateType [-Validation:{None|Basic|Extended}] [-Index:IndexValue] {-Store:CertificateName|-File:PathToFile|-New:PathToIniFile}

Subparameters

-Volume
The volume name of the target device. For more information about the format of this parameter, see Overview of the Enhanced Storage Certificate Management Tool.

Note  To produce a list of the volume names of the IEEE 1667-compliant USB storage devices that are currently connected to a computer, type EhStorCertMgrCmd /List at the command prompt and then press Enter.

-Type
The type of the replacement certificate that is written to the ASC store in the target device. The following table defines the valid certificate types.

Type value   Description / Index

ASCh
    The authentication silo certificate (ASC) host certificate that is used to authenticate the certificate authentication silo to the host.
    Index: any index greater than 1.

HCh
    The host certificate that is used to authenticate the host to the certificate authentication silo.
    Index: any index greater than 1.

SCh
    The signer certificate that is used to define a certificate that is trusted by the host. The trust chain consists of the ASCh certificate followed by zero or more SCh certificates.
    Index: any index greater than 1.

-Validation
The type of certificate validation procedure that is performed by the addressable command target (ACT) in the target device. The following table defines the valid validation types.

Validation value   Description

None
    The certificate is not validated.

Basic
    The certificate is validated by using the Basic Validation Policy as defined in the IEEE 1667 standard.

Extended
    The certificate is validated by using the Extended Validation Policy as defined in the IEEE 1667 standard.

Note  If the -Validation: parameter is not specified, the tool uses a validation value of None, so the ACT performs no validation of the replacement certificate.

-Index
The index within the ASC store of the certificate that will be replaced. The index value must be greater than 1.

Note  A certificate must exist at the specified index in the target device.

-Store
The name of a certificate in a certificate store on the host. If the certificate is found in a certificate store, the tool uses it to replace the certificate at the specified index in the target device.

For more information, see Importing Certificates from a Windows Certificate Store.

-File
The path and name of a file that contains a certificate. If the certificate file is found, the tool uses it to replace the certificate at the specified index in the target device. This certificate could have been created by using the MakeCert tool or exported from a device by using the /Export switch of the Enhanced Storage Certificate Management tool.

For more information, see Importing Certificates from a File.

-New
The path and name of a file that contains the specifications that are used to create a self-signed certificate. If the file is found and the specifications are valid, the tool creates the certificate, digitally signs it, and writes it to the specified index in the target device.

For more information, see Creating Certificates for USB Storage Devices.

Comments

The /Replace switch can replace any certificate in the target device except for the following certificates:

  • The provisioning certificate (PCp). To replace the PCp certificate, you must use the /Initialize switch.

  • The ASC-manufacturer certificate (ASCm).

    Note   The Enhanced Storage Certificate Management tool cannot add, remove, or replace the ASCm certificate in the ASC store of the target device. To replace certificates in the target device, the device must have been provisioned with a PCp certificate, and the private key of that certificate must be available on the host so that the host can pass administrative authentication with the device.

If you replace an ASCh certificate, the tool also removes all SCh certificates that belong to that ASCh certificate chain, because they were trusted only through the ASCh certificate that is being replaced.

If you replace an SCh certificate within an ASCh certificate chain, the tool removes the specified SCh certificate together with the SCh certificates that chain to it (its child certificates), because those certificates can no longer be validated once their signer is replaced.

Exactly one of the -Store, -File, or -New parameters must be specified.

Example

The following example shows how to replace the certificate at index 2 within the ASC store of an IEEE 1667-compliant USB storage device with the SCh certificate named TestCert from a certificate store on the host. Because -Validation:None is specified, the ACT in the device does not validate the replacement certificate; specify Basic or Extended if the device should enforce the corresponding IEEE 1667 validation policy.

    EhStorCertMgrCmd /Replace -Volume:"\\?\usbstor#ieee1667control&ven_&prod_&rev_#123456789&0&control#{4f40006f-b933-4550-b532-2b58cee614d3}" -Index:2 -Store:TestCert -Type:SCh -Validation:None
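The following PowerShell wrapper is an added example and is not part of the original page or of the Enhanced Storage Certificate Management tool itself. It encodes the constraints described above (only ASCh, HCh and SCh types; index greater than 1; exactly one of -Store, -File or -New; a validation value of None, Basic or Extended) as parameter validation, so that a bad invocation is rejected on the host before the device is touched. It assumes that EhStorCertMgrCmd.exe is on the PATH, that the caller supplies a volume name taken from EhStorCertMgrCmd /List, and that a non-zero exit code from the tool signals failure; the function name and the usage placeholder volume name are constructed for the example.

```powershell
# Added example (not from the original page): a validated wrapper around
# EhStorCertMgrCmd /Replace. Assumes EhStorCertMgrCmd.exe is on PATH and that a
# non-zero exit code means failure (assumption; not documented on the page).
function Invoke-EhStorReplace {
    [CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = 'Store')]
    param(
        # Volume name of the target device, as printed by EhStorCertMgrCmd /List.
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Volume,

        # Only ASCh, HCh and SCh can be replaced. PCp requires /Initialize and ASCm
        # cannot be changed by the tool at all, so neither is offered here.
        [Parameter(Mandatory = $true)]
        [ValidateSet('ASCh', 'HCh', 'SCh')]
        [string]$Type,

        # A certificate must already exist at this index, and the index must be > 1.
        [Parameter(Mandatory = $true)]
        [ValidateScript({ $_ -gt 1 })]
        [int]$Index,

        # None is the tool's own default and means the ACT does not validate the
        # certificate; choose Basic or Extended to have the device enforce a policy.
        [ValidateSet('None', 'Basic', 'Extended')]
        [string]$Validation = 'None',

        # Parameter sets make -Store, -File and -New mutually exclusive and require
        # exactly one of them, matching the rule in the Comments section.
        [Parameter(Mandatory = $true, ParameterSetName = 'Store')]
        [ValidateNotNullOrEmpty()]
        [string]$Store,

        [Parameter(Mandatory = $true, ParameterSetName = 'File')]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$File,

        [Parameter(Mandatory = $true, ParameterSetName = 'New')]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$New
    )

    # Fail early if the tool is not installed rather than after partial work.
    $tool = Get-Command -Name 'EhStorCertMgrCmd' -ErrorAction Stop

    # PowerShell quotes any argument that contains whitespace when it invokes a
    # native executable, so the values are passed without embedded quotes here.
    $toolArgs = @(
        '/Replace',
        "-Volume:$Volume",
        "-Type:$Type",
        "-Index:$Index",
        "-Validation:$Validation"
    )
    switch ($PSCmdlet.ParameterSetName) {
        'Store' { $toolArgs += "-Store:$Store" }
        'File'  { $toolArgs += "-File:$File" }
        'New'   { $toolArgs += "-New:$New" }
    }

    # -WhatIf prints the exact command line without touching the device.
    if ($PSCmdlet.ShouldProcess($Volume, "EhStorCertMgrCmd $($toolArgs -join ' ')")) {
        & $tool.Source @toolArgs
        if ($LASTEXITCODE -ne 0) {
            throw "EhStorCertMgrCmd /Replace failed with exit code $LASTEXITCODE"
        }
    }
}

# Usage (the volume name below is a placeholder; take the real one from EhStorCertMgrCmd /List):
# Invoke-EhStorReplace -Volume '\\?\usbstor#...' -Type SCh -Index 2 -Store TestCert -Validation Extended -WhatIf
```

Run the function with -WhatIf first to confirm the assembled command line, then without it to perform the replacement. Because the wrapper refuses PCp and ASCm types, rejects index values of 1 or lower, and will not accept two certificate sources at once, the only errors left for the device to report are ones that depend on device state, such as no certificate existing at the chosen index.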