CLI Commands
Use this page to view the command options in one place.
Command map
| Command | Purpose | Typical next step |
|---|---|---|
| `paccor certgen` | Build or update a to-be-signed envelope from JSON inputs and certificate context. | Run `paccor assemble` |
| `paccor assemble` | Turn an envelope into a signed certificate or stub. | Run `paccor validate` or `paccor view` |
| `paccor validate` | Check signature, profile structure, and component matching. | Use in CI or manufacturing checks |
| `paccor view` | Print a compact human-readable summary of a certificate. | Use during debugging or review |
Global options
These options are accepted by the root command and the subcommands:
| Option | Meaning |
|---|---|
| `--log-level` | Logging verbosity. `DEBUG` and `TRACE` also enable extra validation detail in `validate`. |
| `--log-file` | Write logs to a file. |
| `-q`, `--quiet` | Suppress normal output. |
| `-h`, `--help` | Show command help. |
| `-V`, `--version` | Print the version. |
paccor certgen
Builds a JSON envelope that contains:
- the certificate kind and specification version
- the finalized TBS bytes when enough input is available
- the signature `AlgorithmIdentifier`
- a serialized `PlatformCertificateInformationModel`

Typical usage:
```sh
bin/paccor certgen \
  --issuer-cert TestCA.cert.example.pem \
  --holder-cert TCG_EK_ecc_p384_P-384_Test.pem \
  --attributes-json localhost-policyreference-v2.json \
  --components-json componentswithtraits.json \
  --extensions-json extentions.json \
  --sig-profile rsa-sha256 \
  --finalize \
  --out example-envelope.json
```
Notes:
- `certgen` is the command that chooses the signing algorithm OID placed in the envelope.
- If you omit `--sig-profile`, paccor tries to infer the algorithm from the issuer certificate and otherwise falls back to an RSA default.
- Use Signing Algorithms when you need the accepted `--sig-profile` values.
paccor assemble
Consumes an envelope and produces the signed certificate. You must choose exactly one signing mode:
- local private key with `--local-key`
- PKCS#11 token with `--pkcs11-module`
- remote signer with `--remote-url`
- detached signature with `--signature`

Typical usage:
```sh
bin/paccor assemble \
  --in example-envelope.json \
  --out example-cert.pem \
  --pem \
  --local-key TestCA.private.example.pem \
  --issuer-cert TestCA.cert.example.pem
```
Notes:
- `assemble` verifies the signature before writing the certificate. If the signature and issuer certificate do not match, the command fails.
- If the envelope does not yet contain final TBS data or an algorithm identifier, `assemble` can still write a stub instead of a final credential.
- Use Signing Modes for compact PKCS#11, remote, detached, and local examples.
paccor validate
Validates a certificate against three buckets of checks:
- signature verification
- certificate profile/specification checks
- component matching against expected JSON

Typical usage:
```sh
bin/paccor validate \
  --x509v2AttrCert example-cert.pem \
  --issuer-cert TestCA.cert.example.pem \
  --components-json componentswithtraits.json
```
Notes:
- Skipping component or signature validation is intentional and still results in a non-zero exit code.
- Use `--component-matcher RAW` only when you specifically need strict raw comparison rather than normalized matching.
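
The three commands above chained into one CI or manufacturing gate, as an added example that is not part of the paccor project. The function names `step` and `issue_and_check`, the single input directory, and the return codes 2/10/11/12 are assumptions of this example; the flags and file names are the ones used in the typical usage blocks on this page.

```sh
#!/bin/sh
# Added example, not part of the paccor project.
# PACCOR: launcher path; bin/paccor is the path used in this page's examples.
PACCOR="${PACCOR:-bin/paccor}"

# step SUBCOMMAND ARGS...: run one paccor subcommand and report a failure.
step() {
    name=$1; shift
    "$PACCOR" "$name" "$@"
    rc=$?
    [ "$rc" -eq 0 ] || echo "paccor $name failed (exit $rc)" >&2
    return "$rc"
}

# issue_and_check DIR: certgen -> assemble -> validate, stopping at the first
# failure. Return codes 2/10/11/12 are this example's own convention.
issue_and_check() {
    d=$1
    # Refuse to start with a missing or empty input, so that no stage runs
    # with less context than intended.
    for f in TestCA.cert.example.pem TestCA.private.example.pem \
             TCG_EK_ecc_p384_P-384_Test.pem componentswithtraits.json \
             localhost-policyreference-v2.json extentions.json; do
        [ -s "$d/$f" ] || { echo "missing input: $d/$f" >&2; return 2; }
    done
    step certgen \
        --issuer-cert "$d/TestCA.cert.example.pem" \
        --holder-cert "$d/TCG_EK_ecc_p384_P-384_Test.pem" \
        --attributes-json "$d/localhost-policyreference-v2.json" \
        --components-json "$d/componentswithtraits.json" \
        --extensions-json "$d/extentions.json" \
        --sig-profile rsa-sha256 --finalize \
        --out "$d/example-envelope.json" || return 10
    step assemble \
        --in "$d/example-envelope.json" --out "$d/example-cert.pem" --pem \
        --local-key "$d/TestCA.private.example.pem" \
        --issuer-cert "$d/TestCA.cert.example.pem" || return 11
    # validate exits non-zero when a check fails and also when the signature
    # or component check is skipped, so always pass both inputs and gate on
    # the exit status alone.
    step validate \
        --x509v2AttrCert "$d/example-cert.pem" \
        --issuer-cert "$d/TestCA.cert.example.pem" \
        --components-json "$d/componentswithtraits.json" || return 12
}
```

In a pipeline, call `issue_and_check "$WORKDIR" || exit 1` so that a skipped or failed check blocks the build rather than being logged and ignored.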
paccor view
Prints a compact summary of the certificate contents without validating against external inputs.
Typical usage:
The output includes the certificate kind, certificate type, resolved spec version, holder or subject, issuer, serial, platform specification, platform facts, component count, and counts for previous certificates and cryptographic anchors.
Generated Help
These blocks are generated from the Picocli command definitions so the raw help text stays tied to the code.
paccor
```text
Usage: paccor [-hqV] [--log-file=<logFile>] [--log-level=<logLevel>] [COMMAND]
Platform Certificate Creator CLI
  -h, --help      Show this help message and exit.
      --log-file=<logFile>
      --log-level=<logLevel>
  -q, --quiet
  -V, --version   Print version information and exit.
Commands:
  certgen   Generate Platform Certificate data
  assemble  Assemble the Platform Certificate
  validate  Validate signature, and optionally components and certificate
              profile
  view      Display a summary of a platform certificate
```
paccor certgen
```text
Usage: paccor certgen [-hqV] [--finalize] [--overwrite-in-place]
                      [-a=<notAfter>] [-b=<notBefore>] [-c=<componentsJson>]
                      [-e=<holderCert>] -f=<outJson> [--in=<inJson>]
                      [--in-platform-model=<platformInfoJson>]
                      [--kind=<certKind>] [--log-file=<logFile>]
                      [--log-level=<logLevel>] [-N=<serial>] [-p=<attrsJson>]
                      [-P=<issuerCert>] [--sig-profile=<sigProfile>]
                      [--type=<certType>] [-x=<extJson>]
Generate Platform Certificate data
  -a, --not-after=<notAfter> yyyyMMdd
  -b, --not-before=<notBefore>
                             yyyyMMdd
  -c, --components-json=<componentsJson>
                             Hardware manifest components JSON file
  -e, --holder-cert=<holderCert>
                             Holder/Subject certificate file
  -f, --out=<outJson>        Model data and context in JSON. Can be given to
                               the assemble command
      --finalize             Validate model data and context prior to output
  -h, --help                 Show this help message and exit.
      --in=<inJson>          Existing to-be-signed data to merge from JSON
      --in-platform-model=<platformInfoJson>
                             Existing model data from JSON
      --kind, --cert-kind=<certKind>
                             Certificate output kind (AC, PKC)
      --log-file=<logFile>
      --log-level=<logLevel>
  -N, --serial=<serial>      Certificate serial number
      --overwrite-in-place   Allow in-place overwrite when --in equals --out.
  -p, --attributes-json=<attrsJson>
                             Attributes JSON file
  -P, --issuer-cert=<issuerCert>
                             Issuer certificate file
  -q, --quiet
      --sig-profile=<sigProfile>
                             Signature profile ID
      --type, --cert-type=<certType>
                             Platform certificate type (base, delta, rebase)
  -V, --version              Print version information and exit.
  -x, --extensions-json=<extJson>
                             Extensions JSON file
```
paccor assemble
```text
Usage: paccor assemble [-hqV] [--pem] -f=<outFile> -i=<inJson> [-k=<localKey>]
                       [--local-key-password=<localKeyPassword>]
                       [--local-key-password-file=<localKeyPasswordFile>]
                       [--log-file=<logFile>] [--log-level=<logLevel>]
                       [-P=<issuerCert>] [--pkcs11-key-alias=<pkcs11KeyAlias>]
                       [--pkcs11-key-id=<pkcs11KeyIdHex>]
                       [--pkcs11-module=<pkcs11Module>]
                       [--pkcs11-pin=<pkcs11Pin>]
                       [--pkcs11-pin-file=<pkcs11PinFile>]
                       [--pkcs11-slot=<pkcs11Slot>]
                       [--pkcs11-token-label=<pkcs11TokenLabel>]
                       [--remote-auth=<remoteAuth>]
                       [--remote-timeout=<remoteTimeoutMs>]
                       [--remote-url=<remoteUrl>]
                       [--sig-encoding=<sigEncoding>]
                       [--signature=<signatureB64>]
Assemble the Platform Certificate
  -f, --out=<outFile>
  -h, --help                 Show this help message and exit.
  -i, --in, --tbs=<inJson>   Input to-be-signed data from JSON
  -k, --local-key=<localKey> Sign locally with a private key file (PKCS#8,
                               PKCS#1, or PKCS#12)
      --local-key-password=<localKeyPassword>
                             Password for a PKCS#12 local key
      --local-key-password-file=<localKeyPasswordFile>
                             File containing the password for a PKCS#12 local
                               key
      --log-file=<logFile>
      --log-level=<logLevel>
  -P, --issuer-cert=<issuerCert>
                             Certificate containing the public key that signs
                               the input. Required for all signing modes
                               (detached, local, pkcs11, remote).
      --pem                  PEM output
      --pkcs11-key-alias=<pkcs11KeyAlias>
                             Alias/label of private key on token
      --pkcs11-key-id=<pkcs11KeyIdHex>
                             Hex ID of private key on token
      --pkcs11-module=<pkcs11Module>
                             Path to PKCS#11 module (.so/.dll)
      --pkcs11-pin=<pkcs11Pin>
                             PIN for the PKCS#11 token (alternatively use
                               PKCS11_PIN env var)
      --pkcs11-pin-file=<pkcs11PinFile>
                             File containing PIN for the PKCS#11 token
      --pkcs11-slot=<pkcs11Slot>
                             PKCS#11 slot list index (0 = first token)
      --pkcs11-token-label=<pkcs11TokenLabel>
                             PKCS#11 token label
  -q, --quiet
      --remote-auth=<remoteAuth>
                             Remote signer auth descriptor, e.g., bearer:
                               <token> or header:Name=Value
      --remote-timeout=<remoteTimeoutMs>
                             Remote signer timeout ms
      --remote-url=<remoteUrl>
                             Remote signer URL
      --sig-encoding=<sigEncoding>
                             DER, P1363 (default: der)
      --signature=<signatureB64>
                             Detached signature (Base64)
  -V, --version              Print version information and exit.
```
paccor validate
```text
Usage: paccor validate [-hqV] [-c=<componentsJson>]
                       [--component-matcher=<componentMatcherName>]
                       [--log-file=<logFile>] [--log-level=<logLevel>]
                       [-P=<signerFile>] -X=<platformCertFile>
                       [--prev-pcert=<prevPcerts>]...
Validate signature, and optionally components and certificate profile
  -c, --components-json=<componentsJson>
                  Components JSON to verify against AC components
      --component-matcher=<componentMatcherName>
                  Component matcher: NORMALIZED (default) or RAW
  -h, --help      Show this help message and exit.
      --log-file=<logFile>
      --log-level=<logLevel>
  -P, --issuer-cert, --publicKeyCert=<signerFile>
                  Signer certificate file
      --prev-pcert=<prevPcerts>
                  Previous platform certificate file(s). Repeatable.
                    Globs allowed.
  -q, --quiet
  -V, --version   Print version information and exit.
  -X, --x509v2AttrCert, --pkcPlatformCert=<platformCertFile>
                  Platform certificate file
```
paccor view
```text
Usage: paccor view [-hqV] [--log-file=<logFile>] [--log-level=<logLevel>]
                   -X=<platformCertFile>
Display a summary of a platform certificate
  -h, --help      Show this help message and exit.
      --log-file=<logFile>
      --log-level=<logLevel>
  -q, --quiet
  -V, --version   Print version information and exit.
  -X, --certificate, --x509v2AttrCert, --pkcPlatformCert=<platformCertFile>
                  Platform certificate file
```