tlsconfig

Syntax

tlsconfig [-sfo]

tlsconfig [-f file] [-sfo]

tlsconfig -r [-q]

tlsconfig -e [-f file]

tlsconfig -d [-i index][-q]

tlsconfig -x [-i index][-f file][-t DER | PEM] [-sfo]

tlsconfig -k [none | peer] [-o hostname | none]

tlsconfig -c [list | cipher-list]

tlsconfig -v [auto | 1.0 | 1.1 | 1.2]

Description

Displays and modifies the Secure Boot databases, keys, and security reports. Displays and modifies TLS connection settings and certificates.

Options

-sfo
Displays information in standard format output.
-f file
Displays X509 information from a PEM or DER-formatted file.
-r
Resets the TLS configuration to platform defaults and deletes the certificate.
-q
Suppresses the confirmation prompt.
-e
Enrolls an X509 file into the TLS certificates database.
-d
Deletes a TLS certificate.
-i
Selects a TLS certificate.
-x
Exports a TLS certificate.
-t
Specifies the file format of the exported certificate.
-k
When none is specified, certificate validation for every TLS connection is disabled. When peer is specified, certificate validation for every TLS connection is enabled.
-o
When none is specified, host name checking for certificate validation on every TLS connection is disabled. When hostname is specified, host name checking for certificate validation on every TLS connection is enabled.
-c
Specifies or shows which ciphers are allowed for TLS connections.
-v
Specifies which TLS protocol version to use. The auto setting negotiates the highest version supported by both the TLS server and the client.

Usage

This command affects pre-boot features that use HTTPS functionality, such as HTTPS boot, and UEFI Shell commands, such as webclient.

Examples

To display all TLS settings and the certificates:

Shell> tlsconfig

To display detailed information from an X509 file:

Shell> tlsconfig -f abc.der

To display detailed information from an X509 file located on an HTTP server:

Shell> tlsconfig -f http://www.example.com/CERT/abc.der

To enroll an X509 file in the TLS certificate database from a file:

Shell> tlsconfig -e -f abc.der

To enroll an X509 file in the TLS certificate database from a file on the network:

Shell> tlsconfig -e -f http://www.example.com/CERT/abc.der

To delete the first TLS certificate without a confirmation prompt:

Shell> tlsconfig -d -i 1 -q

To display the TLS certificates in PEM format:

Shell> tlsconfig -x

To export the third TLS certificate in DER format to a file named abc.crt:

Shell> tlsconfig -x -i 3 -f abc.crt -t DER

To export the third TLS certificate in DER format to a file named abc.crt on an HTTP server:

Shell> tlsconfig -x -i 3 -f http://www.example.com/CERT/abc.crt -t DER

To specify TLS cipher algorithms:

Shell> tlsconfig -c AES128-SHA256:AES256-SHA256

To show TLS supported ciphers:

Shell> tlsconfig -c list

To enable certificate validation and host name checking on TLS connections:

Shell> tlsconfig -k PEER -o HOSTNAME

To specify that TLS v1.2 protocol version is used:

Shell> tlsconfig -v 1.2
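
The enrollment examples above add a certificate to the TLS certificate database from a local file or an http:// URL. One way to check such a file against a SHA-256 fingerprint obtained out of band before running tlsconfig -e, or to confirm a file exported with tlsconfig -x afterwards, is the following Python sketch, which accepts both formats the command handles (PEM and DER). This is an added example, not part of the original documentation or the vendor's tooling; the function names, the sample bytes and the pin are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def check_der_sequence(der: bytes) -> None:
    """Require exactly one DER SEQUENCE (the outer wrapper of an X.509
    certificate), so truncated files and trailing bytes are rejected."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated file or trailing bytes")


def der_blobs(data: bytes) -> list:
    """Return the DER bytes of every certificate in a PEM or DER file."""
    blocks = PEM_RE.findall(data)
    if blocks:   # PEM: base64 text between the BEGIN/END lines
        ders = [base64.b64decode(b"".join(b.split()), validate=True)
                for b in blocks]
    else:        # no PEM armor: treat the whole file as one DER object
        ders = [data]
    for der in ders:
        check_der_sequence(der)
    return ders


def matches_pin(data: bytes, pinned_sha256: str) -> bool:
    """True only if the file holds exactly one certificate whose SHA-256
    fingerprint equals the pin obtained out of band."""
    fps = [hashlib.sha256(d).hexdigest() for d in der_blobs(data)]
    return len(fps) == 1 and fps[0] == pinned_sha256.replace(":", "").lower()


# Constructed sample: a 5-byte DER SEQUENCE standing in for a certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()  # stands in for the real pin
```

The check covers only the outer DER framing and the fingerprint; it does not parse or validate the X.509 fields, which tlsconfig -f displays.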