pkcs11-tool (1) - Linux Manuals

pkcs11-tool: utility for managing and using PKCS #11 security tokens

Command to display pkcs11-tool manual in Linux: $ man 1 pkcs11-tool

NAME

pkcs11-tool - utility for managing and using PKCS #11 security tokens

SYNOPSIS

pkcs11-tool [OPTIONS]

DESCRIPTION

The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it.

OPTIONS

--login, -l

: Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.

--pin pin, -p pin

: Use the given pin for token operations. WARNING: Be careful using this option as other users may be able to read the command line from the system or if it is embedded in a script.
This option will also set the --login option.

--so-pin pin

: Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). The same warning as --pin also applies here.

--init-token

: Initializes a token: set the token label as well as a Security Officer PIN (the label must be specified using --label).

--init-pin

: Initializes the user PIN. This option differs from --change-pin in that it sets the user PIN for the first time. Once set, the user PIN can be changed using --change-pin.

--change-pin, -c

: Change the user PIN on the token

--test, -t

: Performs some tests on the token. This option is most useful when used with either --login or --pin.

--show-info, -I

: Displays general token information.

--list-slots, -L

: Displays a list of available slots on the token.

--list-mechanisms, -M

: Displays a list of mechanisms supported by the token.

--list-objects, -O

: Displays a list of objects.

--sign, s

: Sign some data.

--hash, -h

: Hash some data.

--mechanism mechanism, -m mechanism

: Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token.

--keypairgen, -k

: Generate a new key pair (public and private pair.)

--write-object id, -w id

: Write a key or certificate object to the token.

--type type, -y type

: Specify the type of object to operate on. Examples are cert, privkey and pubkey.

--id id, -d id

: Specify the id of the object to operate on.

--label name, -a name

: Specify the name of the object to operate on (or the token label when --init-token is used).

--slot id

: Specify the id of the slot to use.

--slot-id name

: Specify the name of the slot to use.

--set-id id, -e id

: Set the CKA_ID of the object.

--attr-from path

: Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute.

--input-file path, -i path

: Specify the path to a file for input.

--output-file path, -o path

: Specify the path to a file for output.

--module mod

: Specify a PKCS#11 module (or library) to load.

--moz-cert path, -z path

: Tests a Mozilla-like keypair generation and certificate request. Specify the path to the certificate file.

--verbose, -v

: Causes pkcs11-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.