'\" t
.\" Title: pkcs11-tool
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1
.\" Date: 06/03/2012
.\" Manual: OpenSC tools
.\" Source: opensc
.\" Language: English
.\"
.TH "PKCS11\-TOOL" "1" "06/03/2012" "opensc" "OpenSC tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pkcs11-tool \- utility for managing and using PKCS #11 security tokens
.SH "SYNOPSIS"
.PP
\fBpkcs11\-tool\fR [OPTIONS]
.SH "DESCRIPTION"
.PP
The \fBpkcs11\-tool\fR utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens\&. Users can list and read PINs, keys and certificates stored on the token\&. User PIN authentication is performed for those operations that require it\&.
.SH "OPTIONS"
.PP
.PP
\fB\-\-login, \-l\fR
.RS 4
Authenticate to the token before performing other operations\&. This option is not needed if a PIN is provided on the command line\&.
.RE
.PP
\fB\-\-pin\fR \fIpin\fR, \fB\-p\fR \fIpin\fR
.RS 4
Use the given \fIpin\fR for token operations\&.
WARNING: Be careful using this option, as other users may be able to read the PIN from the command line on the system, or from a script if it is embedded in one\&.
.sp
This option will also set the \fB\-\-login\fR option\&.
.RE
.PP
\fB\-\-so\-pin\fR \fIpin\fR
.RS 4
Use the given \fIpin\fR as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc)\&. The same warning as \fB\-\-pin\fR also applies here\&.
.RE
.PP
\fB\-\-init\-token\fR
.RS 4
Initializes a token: sets the token label as well as a Security Officer PIN (the label must be specified using \fB\-\-label\fR)\&.
.RE
.PP
\fB\-\-init\-pin\fR
.RS 4
Initializes the user PIN\&. This option differs from \fB\-\-change\-pin\fR in that it sets the user PIN for the first time\&. Once set, the user PIN can be changed using \fB\-\-change\-pin\fR\&.
.RE
.PP
\fB\-\-change\-pin, \-c\fR
.RS 4
Change the user PIN on the token\&.
.RE
.PP
\fB\-\-test, \-t\fR
.RS 4
Performs some tests on the token\&. This option is most useful when used with either \fB\-\-login\fR or \fB\-\-pin\fR\&.
.RE
.PP
\fB\-\-show\-info, \-I\fR
.RS 4
Displays general token information\&.
.RE
.PP
\fB\-\-list\-slots, \-L\fR
.RS 4
Displays a list of available slots on the token\&.
.RE
.PP
\fB\-\-list\-mechanisms, \-M\fR
.RS 4
Displays a list of mechanisms supported by the token\&.
.RE
.PP
\fB\-\-list\-objects, \-O\fR
.RS 4
Displays a list of objects\&.
.RE
.PP
\fB\-\-sign, \-s\fR
.RS 4
Sign some data\&.
.RE
.PP
\fB\-\-hash, \-h\fR
.RS 4
Hash some data\&.
.RE
.PP
\fB\-\-mechanism\fR \fImechanism\fR, \fB\-m\fR \fImechanism\fR
.RS 4
Use the specified \fImechanism\fR for token operations\&. See \fB\-M\fR for a list of mechanisms supported by your token\&.
.RE
.PP
\fB\-\-keypairgen, \-k\fR
.RS 4
Generate a new key pair (public and private pair)\&.
.RE
.PP
\fB\-\-write\-object\fR \fIpath\fR, \fB\-w\fR \fIpath\fR
.RS 4
Write a key or certificate object to the token\&. \fIpath\fR points to the DER\-encoded certificate or key file\&.
.RE
.PP
\fB\-\-type\fR \fItype\fR, \fB\-y\fR \fItype\fR
.RS 4
Specify the type of object to operate on\&. Examples are \fIcert\fR, \fIprivkey\fR and \fIpubkey\fR\&.
.RE
.PP
\fB\-\-id\fR \fIid\fR, \fB\-d\fR \fIid\fR
.RS 4
Specify the id of the object to operate on\&.
.RE
.PP
\fB\-\-label\fR \fIname\fR, \fB\-a\fR \fIname\fR
.RS 4
Specify the name of the object to operate on (or the token label when \fB\-\-init\-token\fR is used)\&.
.RE
.PP
\fB\-\-slot\fR \fIid\fR
.RS 4
Specify the id of the slot to use\&.
.RE
.PP
\fB\-\-slot\-description\fR \fIdescription\fR
.RS 4
Specify the description of the slot to use\&.
.RE
.PP
\fB\-\-slot\-index\fR \fIindex\fR
.RS 4
Specify the index of the slot to use\&.
.RE
.PP
\fB\-\-token\-label\fR \fIlabel\fR
.RS 4
Specify the label of the token\&. The first slot that holds an inserted token with this label will be used\&.
.RE
.PP
\fB\-\-set\-id\fR \fIid\fR, \fB\-e\fR \fIid\fR
.RS 4
Set the CKA_ID of the object\&.
.RE
.PP
\fB\-\-attr\-from\fR \fIpath\fR
.RS 4
Extract information from \fIpath\fR (DER\-encoded certificate file) and create the corresponding attributes when writing an object to the token\&. Example: the certificate subject name is used to create the CKA_SUBJECT attribute\&.
.RE
.PP
\fB\-\-input\-file\fR \fIpath\fR, \fB\-i\fR \fIpath\fR
.RS 4
Specify the path to a file for input\&.
.RE
.PP
\fB\-\-output\-file\fR \fIpath\fR, \fB\-o\fR \fIpath\fR
.RS 4
Specify the path to a file for output\&.
.RE
.PP
\fB\-\-module\fR \fImod\fR
.RS 4
Specify a PKCS#11 module (or library) to load\&.
.RE
.PP
\fB\-\-moz\-cert\fR \fIpath\fR, \fB\-z\fR \fIpath\fR
.RS 4
Tests a Mozilla\-like keypair generation and certificate request\&. Specify the \fIpath\fR to the certificate file\&.
.RE
.PP
\fB\-\-verbose, \-v\fR
.RS 4
Causes \fBpkcs11\-tool\fR to be more verbose\&.
.sp
NB! This does not affect OpenSC debugging level! To set OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG environment variable to a non\-zero number\&.
.RE
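.PP
The warning given for \fB\-\-pin\fR and \fB\-\-so\-pin\fR can be checked for in practice\&. The shell function below is an added example, not part of OpenSC or of the original manual page: it reports \fBpkcs11\-tool\fR command lines that carry a PIN as an argument and masks the value\&. The function names, the sample command lines and their PIN values are constructed for illustration, and the attached forms \-\-pin=\fIvalue\fR and \-p\fIvalue\fR are assumed to be accepted by the tool\&.

```shell
#!/bin/sh
# Added example (not part of OpenSC). Reads one command line per input line
# (for instance from `ps -eo args`, shell history or a script) and reports
# pkcs11-tool invocations that pass a PIN as an argument, masking the value.
# Limitation: splits on whitespace only, so quoted arguments are not parsed.
scan_pin_args() {
    awk '
    {
        hit = 0; tool = 0
        for (i = 1; i <= NF; i++) {
            # Only look at arguments that follow the pkcs11-tool program name.
            if ($i == "pkcs11-tool" || $i ~ /\/pkcs11-tool$/) { tool = 1; continue }
            if (!tool) continue
            if ($i == "--pin" || $i == "-p" || $i == "--so-pin") {
                # Separate-argument form: the next field is the PIN.
                if (i < NF) { $(i + 1) = "****"; hit = 1; i++ }
            } else if ($i ~ /^--(so-)?pin=./) {
                # Attached long form, e.g. --pin=1234 (assumed to be accepted).
                sub(/=.*/, "=****", $i); hit = 1
            } else if ($i ~ /^-p./) {
                # Attached short form, e.g. -p1234 (assumed to be accepted).
                $i = "-p****"; hit = 1
            }
        }
        # Print the input line number and the masked command line.
        if (hit) print NR ": " $0
    }'
}

# Constructed sample input; the PIN values are made up.
sample_cmdlines() {
    cat <<'EOF'
pkcs11-tool --list-slots
pkcs11-tool --login --list-objects
/usr/bin/pkcs11-tool --pin 123456 --list-objects
pkcs11-tool --init-token --label demo --so-pin=87654321
pkcs11-tool -l -p 0000 -O
grep --pin notes.txt
EOF
}

sample_cmdlines | scan_pin_args
```

Invocations that use \fB\-\-login\fR without \fB\-\-pin\fR are not reported, since no PIN appears in their argument list\&.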