.TH p11tool 1 "November 11th 2010" .SH NAME p11tool \- Manipulate PKCS #11 tokens. .SH SYNOPSIS p11tool [\fIoptions\fR] .SH DESCRIPTION Export/import data from PKCS #11 tokens. To use PKCS #11 tokens with gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form "load=/usr/lib/opensc-pkcs11.so". .SH OPTIONS .SS Program control options .IP "\-d, \-\-debug LEVEL" Specify the debug level. Default is 1. .IP "\-h, \-\-help" Shows this help text .SS Generic options .IP "\-\-login" Force login to the token for the intended operation. .IP "\-\-provider MODULE" In addition to /etc/gnutls/pkcs11.conf, load the specified module. .IP "\-\-outfile FILE" Print output to FILE. .IP "\-\-inder, \-\-inraw" Input is DER formatted. .SS Getting information on available X.509 certificates .IP "\-\-list\-tokens" Prints all available tokens. .IP "\-\-initialize URL" Initializes (formats) the specified by the URL token. Note that several tokens do not support this fascility. .SS Getting information on available X.509 certificates .IP "\-\-list\-all\-certs" Prints all available certificates. .IP "\-\-list\-certs" Prints all certificates that have a corresponding private key stored in the token. .IP "\-\-list\-trusted" Prints all certificates that have been marked as trusted. .SS Getting information on private keys .IP "\-\-list\-privkeys" Prints all available private keys. .SS Handling generic objects .IP "\-\-export URL" Exports the object (e.g. certificate) specified by the URL. .IP "\-\-delete URL" Deletes the object specified by the URL. Note that several tokens do not support deletion. .IP "\-\-detailed\-url" When printing URLs print them in a detailed (to the PKCS #11 module used) form. .IP "\-\-no\-detailed\-url" When printing URLs, do not print details on the module used. .SS Storing objects .IP "\-\-write URL" Flag to set when writing an object. Requires one of \-\-load\-privkey, \-\-load\-pubkey, \-\-load\-certificate or \-\-secret\-key options. .IP "\-\-load\-privkey" Load a private key for the write operations. .IP "\-\-load\-pubkey" Load an X.509 subjectPublicKey for the write operation. .IP "\-\-load\-certificate" Load an X.509 certificate for the write operation. .IP "\-\-secret\-key" Specify a hex encoded secret key for the write operation. .IP "\-\-trusted" The object stored will be marked as trusted. .IP "\-\-label" The label of the object stored. .SS Controlling output .IP "\-8, \-\-pkcs8" Use PKCS #8 format for private keys. .SH EXAMPLES To store a private key and certificate, run: .RS .nf $ p11tool \-\-login \-\-write "pkcs11:XXX" \-\-load\-privkey key.pem \-\-label "MyKey" $ p11tool \-\-login \-\-write "pkcs11:XXX" \-\-load\-certificate cert.pem \-\-label "MyCert" .fi .RE To view all objects in a token, use: .RS .nf $ p11tool \-\-login \-\-list\-all .fi .RE .SH AUTHOR .PP Nikos Mavrogiannopoulos and others; see /usr/share/doc/gnutls\-bin/AUTHORS for a complete list.