p11tool(1)                       User Commands                      p11tool(1)

NAME
       p11tool - GnuTLS PKCS #11 tool

SYNOPSIS
       p11tool [-flags] [-flag [value]] [--option-name[[=| ]value]] [url]

       Operands and options may be intermixed. They will be reordered.

DESCRIPTION
       Program that allows operations on PKCS #11 smart cards and security
       modules.

       To use PKCS #11 tokens with GnuTLS the p11-kit configuration files need
       to be set up. That is, create a .module file in /etc/pkcs11/modules
       with the contents 'module: /path/to/pkcs11.so'. Alternatively the
       configuration file /etc/gnutls/pkcs11.conf has to exist and contain a
       number of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.

       You can provide the PIN to be used for the PKCS #11 operations with the
       environment variables GNUTLS_PIN and GNUTLS_SO_PIN.
OPTIONS
       -d number, --debug=number
              Enable debugging. This option takes an integer number as its
              argument. The value of number is constrained to being:
                  in the range 0 through 9999

              Specifies the debug level.

       --outfile=string
              Output file.

       --list-tokens
              List all available tokens.

       --export
              Export the object specified by the URL.

       --export-chain
              Export the certificate specified by the URL and its chain of
              trust.

              Exports the certificate specified by the URL and generates its
              chain of trust based on the stored certificates in the module.

       --list-mechanisms
              List all available mechanisms in a token.

       --info List information on an available object in a token.

       --list-all
              List all available objects in a token.

       --list-all-certs
              List all available certificates in a token.

       --list-certs
              List all certificates that have an associated private key.

       --list-all-privkeys
              List all available private keys in a token.

              Lists all the private keys in a token that match the specified
              URL.

       --list-privkeys
              This is an alias for the --list-all-privkeys option.

       --list-keys
              This is an alias for the --list-all-privkeys option.

       --list-all-trusted
              List all available certificates marked as trusted.

       --write
              Writes the loaded objects to a PKCS #11 token.

              It can be used to write private keys, certificates or secret
              keys to a token.

       --delete
              Deletes the objects matching the PKCS #11 URL.

       --generate-random=number
              Generate random data. This option takes an integer number as
              its argument.

              Asks the token to generate the given number of random bytes.
       --generate-rsa
              Generate an RSA private-public key pair.

              Generates an RSA private-public key pair on the specified token.

       --generate-dsa
              Generate a DSA private-public key pair.

              Generates a DSA private-public key pair on the specified token.

       --generate-ecc
              Generate an ECDSA private-public key pair.

              Generates an ECDSA private-public key pair on the specified
              token.

       --export-pubkey
              Export the public key for a private key.

              Exports the public key for the specified private key.

       --set-id=string
              Set the CKA_ID (in hex) for the object specified by the URL.

              Sets the CKA_ID of the object specified by the URL. The ID
              should be specified in hexadecimal format without a '0x' prefix.

       --set-label=string
              Set the CKA_LABEL for the object specified by the URL.

              Sets the CKA_LABEL of the object specified by the URL.

       --label=string
              Sets a label for the write operation.

       --id=string
              Sets an ID for the write operation.

              Sets the CKA_ID to be set by the write operation. The ID should
              be specified in hexadecimal format without a '0x' prefix.

       --mark-wrap, --no-mark-wrap
              Marks the generated key to be a wrapping key. The no-mark-wrap
              form will disable the option.

              Marks the generated key with the CKA_WRAP flag.

       --mark-trusted, --no-mark-trusted
              Marks the object to be written as trusted. The no-mark-trusted
              form will disable the option.

              Marks the object to be generated/copied with the CKA_TRUST flag.

       --mark-ca, --no-mark-ca
              Marks the object to be written as a CA. The no-mark-ca form
              will disable the option.

              Marks the object to be generated/copied with the
              CKA_CERTIFICATE_CATEGORY as CA.

       --mark-private, --no-mark-private
              Marks the object to be written as private. The no-mark-private
              form will disable the option. This option is enabled by
              default.

              Marks the object to be generated/copied with the CKA_PRIVATE
              flag. The written object will require a PIN to be used.

       --trusted
              This is an alias for the --mark-trusted option.

       --ca   This is an alias for the --mark-ca option.

       --private
              This is an alias for the --mark-private option.

       --login, --no-login
              Force (user) login to token. The no-login form will disable the
              option.

       --so-login, --no-so-login
              Force security officer login to token. The no-so-login form
              will disable the option.

              Forces login to the token as security officer (admin).

       --admin-login
              This is an alias for the --so-login option.

       --detailed-url, --no-detailed-url
              Print detailed URLs. The no-detailed-url form will disable the
              option.
       --secret-key=string
              Provide a hex encoded secret key.

       --load-privkey=file
              Private key file to use.

       --load-pubkey=file
              Public key file to use.

       --load-certificate=file
              Certificate file to use.

       -8, --pkcs8
              Use PKCS #8 format for private keys.

       --bits=number
              Specify the number of bits for key generation. This option
              takes an integer number as its argument.

       --curve=string
              Specify the curve used for EC key generation.

              Supported values are secp192r1, secp224r1, secp256r1, secp384r1
              and secp521r1.

       --sec-param=security parameter
              Specify the security level.

              This is an alternative to the bits option. Available options are
              [low, legacy, medium, high, ultra].

       --inder, --no-inder
              Use DER/RAW format for input. The no-inder form will disable
              the option.

              Use DER/RAW format for input certificates and private keys.

       --inraw
              This is an alias for the --inder option.

       --outder, --no-outder
              Use DER format for output certificates, private keys, and DH
              parameters. The no-outder form will disable the option.

              The output will be in DER or RAW format.

       --outraw
              This is an alias for the --outder option.

       --initialize
              Initializes a PKCS #11 token.

       --set-pin=string
              Specify the PIN to use on token initialization.

              Alternatively the GNUTLS_PIN environment variable may be used.

       --set-so-pin=string
              Specify the Security Officer's PIN to use on token
              initialization.

              Alternatively the GNUTLS_SO_PIN environment variable may be
              used.

       --provider=file
              Specify the PKCS #11 provider library.

              This will override the default options in
              /etc/gnutls/pkcs11.conf.

       --batch
              Disable all interaction with the tool. All parameters need to be
              specified on the command line.

       -h, --help
              Display usage information and exit.

       -!, --more-help
              Pass the extended usage information through a pager.

       -v [{v|c|n}], --version[={v|c|n}]
              Output version of program and exit. The default mode is `v', a
              simple version. The `c' mode will print copyright information
              and `n' will print the full copyright notice.
EXAMPLES
       To view all tokens in your system use:
              $ p11tool --list-tokens

       To view all objects in a token use:
              $ p11tool --login --list-all "pkcs11:TOKEN-URL"

       To store a private key and a certificate in a token run:
              $ p11tool --login --write "pkcs11:URL" --load-privkey key.pem --label "Mykey"
              $ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem --label "Mykey"
       Note that some tokens require the same label to be used for the
       certificate and its corresponding private key.

       To generate an RSA private key inside the token use:
              $ p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
       The bits parameter in the above example is explicitly set because some
       tokens only support limited choices in the bit length. The output file
       is the corresponding public key. This key can be used to generate a
       certificate request with certtool.
              $ certtool --generate-request --load-privkey "pkcs11:KEY-URL" --load-pubkey MyNewKey.pub --outfile request.pem
315
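       The following helpers are added here as an example; they are not part
       of the p11tool manual or of GnuTLS. They tie the set-up paragraph in
       DESCRIPTION and the steps above into one script: registering a module
       with p11-kit, validating a CKA_ID in the hex form that --id and
       --set-id expect, turning it into the percent-encoded id= attribute of
       a PKCS #11 URL, and running the generate-key/CSR sequence with --batch
       so nothing prompts. Assumptions: p11tool and certtool are in PATH, the
       user PIN is exported as GNUTLS_PIN, the token accepts --set-id on a
       freshly generated key, and the function names (register_module,
       check_hex_id, hex_id_to_url, object_url, provision_key) are chosen for
       this example.

```shell
#!/bin/sh
# Added example around p11tool (not GnuTLS code). Assumes p11tool/certtool
# in PATH and the user PIN in GNUTLS_PIN, as the manual describes.

# Register a PKCS #11 module with p11-kit by writing a .module file.
# Usage: register_module <confdir> <name> </path/to/pkcs11.so>
# On a real system confdir is /etc/pkcs11/modules (needs root); tests use
# a temporary directory. Refuses to register a library that does not exist.
register_module() {
    confdir=$1; name=$2; sopath=$3
    [ -f "$sopath" ] || { echo "module library not found: $sopath" >&2; return 1; }
    mkdir -p "$confdir" || return 1
    printf 'module: %s\n' "$sopath" > "$confdir/$name.module"
}

# Validate a CKA_ID as p11tool expects it for --id/--set-id: hexadecimal,
# no 0x prefix, and an even number of digits (one byte is two hex digits).
check_hex_id() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Convert a hex CKA_ID ("0102") into the percent-encoded form used by the
# id= attribute of a PKCS #11 URL ("%01%02").
hex_id_to_url() {
    check_hex_id "$1" || return 1
    hex=$1; out=''
    while [ -n "$hex" ]; do
        out="$out%$(printf '%s' "$hex" | cut -c1-2)"
        hex=$(printf '%s' "$hex" | cut -c3-)
    done
    printf '%s\n' "$out"
}

# Build an object URL from a token URL, label, hex id and object type,
# e.g. object_url "pkcs11:token=MyToken" Mykey 0102 private
object_url() {
    url=$1; label=$2; id=$3; type=$4
    pct=$(hex_id_to_url "$id") || return 1
    printf '%s;object=%s;id=%s;type=%s\n' "$url" "$label" "$pct" "$type"
}

# Generate an RSA key in the token, give it a CKA_ID, export its public key
# and create a certificate request, all without interactive prompts.
# Usage: provision_key <token-url> <label> <hex-id> [bits]
provision_key() {
    token_url=$1; label=$2; id=$3; bits=${4:-2048}
    check_hex_id "$id" || { echo "bad CKA_ID (hex, no 0x): $id" >&2; return 1; }
    [ -n "$GNUTLS_PIN" ] || { echo "GNUTLS_PIN is not set" >&2; return 1; }
    p11tool --batch --login --generate-rsa --bits "$bits" --label "$label" \
        --outfile "$label.pub" "$token_url" || return 1
    # Address the new key by label first, then tag it with the CKA_ID so it
    # can be referenced independently of the label from now on.
    p11tool --batch --login --set-id "$id" \
        "$token_url;object=$label;type=private" || return 1
    key_url=$(object_url "$token_url" "$label" "$id" private) || return 1
    certtool --generate-request --load-privkey "$key_url" \
        --load-pubkey "$label.pub" --outfile "$label.csr"
}

# Stand-alone use, e.g.:
#   GNUTLS_PIN=1234 sh p11-provision.sh "pkcs11:token=MyToken" MyNewKey 0102
if [ "$#" -eq 3 ]; then
    provision_key "$1" "$2" "$3"
fi
```

       The ID check matters because p11tool reads the value as raw hex; a
       stray "0x" or an odd digit count produces an ID that does not match
       the one stored in the certificate, and the key and certificate then no
       longer pair up on the token.
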
EXIT STATUS
       One of the following exit values will be returned:

       0 (EXIT_SUCCESS)
              Successful program execution.

       1 (EXIT_FAILURE)
              The operation failed or the command syntax was not valid.

       70 (EX_SOFTWARE)
              libopts had an internal operational error. Please report it to
              autogen-users@lists.sourceforge.net. Thank you.

SEE ALSO
       certtool (1)

AUTHORS
       Nikos Mavrogiannopoulos, Simon Josefsson and others; see
       /usr/share/doc/gnutls/AUTHORS for a complete list.

COPYRIGHT
       Copyright (C) 2000-2018 Free Software Foundation, and others all rights
       reserved. This program is released under the terms of the GNU General
       Public License, version 3 or later.

BUGS
       Please send bug reports to: bugs@gnutls.org

NOTES
       This manual page was AutoGen-erated from the p11tool option
       definitions.

3.3.29                           16 Feb 2018                        p11tool(1)