PKCS#11 Tracer getting started guide

This guide explains how to use the SandboxAQ PKCS#11 Tracer to obtain a cryptography trace from a PKCS#11 application.


Before using the PKCS#11 Tracer, make sure you’ve followed the installation instructions.

You’ll also need a PKCS#11 application that you can run in a terminal.

Tracing the application

To trace an application:

First, configure the application to use the PKCS#11 Tracer DLL ( instead of its original DLL.

Next, configure the PKCS#11 Tracer to redirect PKCS#11 calls to the original DLL with the CS_DLL_TARGET environment variable:

export CS_DLL_TARGET=/path/to/real/dll

Navigate to a directory where you have write permissions and configure it to receive the generated traces:

export CS_OUTPUT_DIR=/path/to/trace/output/directory

Lastly, run the application from the command line:


When your application has finished executing, the directory you chose earlier will contain the generated trace and log file(s):

├── trace_2022-06-08-15-32-30-693-17920.cst.gz
└── log_2022-06-08-15-32-30-693-17920.log


If the traced application is terminated abruptly, the resulting gzip file may be missing a trailer and appear to be corrupted. However, AQtive Guard should still be able to analyze the contents of the trace.
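Before uploading, you can check whether a trace is only missing its gzip trailer or is actually damaged. The following is an added example, not part of the SandboxAQ tooling: the function names and sample data are constructed, and it treats the trace purely as a gzip stream without assuming anything about the .cst contents.

```python
import gzip
import zlib

CHUNK = 64 * 1024  # read size in bytes when scanning a file on disk


def classify(chunks):
    """Stream-decompress a gzip trace; return (status, recovered_bytes).

    status is "complete" (trailer present and CRC verified), "truncated"
    (input ended before the trailer, e.g. the traced process was killed),
    or "corrupt" (the bytes are not a valid gzip stream).
    """
    d = zlib.decompressobj(wbits=31)  # 31 = expect gzip header and trailer
    out = bytearray()
    try:
        for chunk in chunks:
            if d.eof:  # trailer already verified; ignore anything after it
                break
            out += d.decompress(chunk)
    except zlib.error:
        return "corrupt", bytes(out)
    return ("complete" if d.eof else "truncated"), bytes(out)


def check_trace(path):
    """Read a trace file in chunks; return (status, recovered byte count)."""
    with open(path, "rb") as f:
        status, data = classify(iter(lambda: f.read(CHUNK), b""))
    return status, len(data)


# Constructed sample data standing in for a trace; not real tracer output.
SAMPLE = b"constructed trace record\n" * 2000
FULL = gzip.compress(SAMPLE)
NO_TRAILER = FULL[:-8]                  # CRC32 + length trailer cut off
CUT_MIDSTREAM = FULL[: len(FULL) // 2]  # killed before the data was flushed
BAD_CRC = FULL[:-8] + bytes([FULL[-8] ^ 0xFF]) + FULL[-7:]  # damaged trailer

if __name__ == "__main__":
    cases = [("full", FULL), ("no trailer", NO_TRAILER),
             ("cut mid-stream", CUT_MIDSTREAM), ("bad CRC", BAD_CRC)]
    for name, blob in cases:
        status, data = classify([blob])
        print(f"{name:15} {status:10} recovered {len(data)} of {len(SAMPLE)} bytes")
```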

Upload the trace to AQtive Guard to run an analysis and generate a report. Refer to these instructions:

Refer to Configuration in the PKCS#11 Tracer reference for a list of available parameters.