·

pkcs11-tool (1) Linux Manual Page

ByLinux Manual Posted on

pkcs11-tool – utility for managing and using PKCS #11 security tokens

Read more:

Synopsis

pkcs11-tool [OPTIONS]

Description

The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it.

Options

–login, -l
Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.

–pin pin, -p pin

Use the given pin for token operations. WARNING: Be careful using this option as other users may be able to read the command line from the system or if it is embedded in a script.

This option will also set the –login option.

–so-pin pin

Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). The same warning as –pin also applies here.

–init-token

Initializes a token: set the token label as well as a Security Officer PIN (the label must be specified using –label).

–init-pin

Initializes the user PIN. This option differs from –change-pin in that it sets the user PIN for the first time. Once set, the user PIN can be changed using –change-pin.

–change-pin, -c

Change the user PIN on the token

–test, -t

Performs some tests on the token. This option is most useful when used with either –login or –pin.

–show-info, -I

Displays general token information.

–list-slots, -L

Displays a list of available slots on the token.

–list-mechanisms, -M

Displays a list of mechanisms supported by the token.

–list-objects, -O

Displays a list of objects.

–sign, s

Sign some data.

–hash, -h

Hash some data.

–mechanism mechanism, -m mechanism

Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token.

–keypairgen, -k

Generate a new key pair (public and private pair.)

–write-object id, -w id

Write a key or certificate object to the token.

–type type, -y type

Specify the type of object to operate on. Examples are cert, privkey and pubkey.

–id id, -d id

Specify the id of the object to operate on.

–label name, -a name

Specify the name of the object to operate on (or the token label when –init-token is used).

–slot id

Specify the id of the slot to use.

–slot-id name

Specify the name of the slot to use.

–set-id id, -e id

Set the CKA_ID of the object.

–attr-from path

Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute.

–input-file path, -i path

Specify the path to a file for input.

–output-file path, -o path

Specify the path to a file for output.

–module mod

Specify a PKCS#11 module (or library) to load.

–moz-cert path, -z path

Tests a Mozilla-like keypair generation and certificate request. Specify the path to the certificate file.

–verbose, -v

Causes pkcs11-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

See Also

opensc(7)

Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *