1PKCS11-TOOL(1) OpenSC tools PKCS11-TOOL(1)
2
6 pkcs11-tool - utility for managing and using PKCS #11 security tokens
7
9 pkcs11-tool [OPTIONS]
10
12 The pkcs11-tool utility is used to manage the data objects on smart
13 cards and similar PKCS #11 security tokens. Users can list and read
14 PINs, keys and certificates stored on the token. User PIN
15 authentication is performed for those operations that require it.
16
18 --login, -l
19 Authenticate to the token before performing other operations. This
20 option is not needed if a PIN is provided on the command line.
21 --pin pin, -p pin
23 Use the given pin for token operations. WARNING: Be careful using
24 this option as other users may be able to read the command line
25 from the system or if it is embedded in a script.
26 This option will also set the --login option.
28 --so-pin pin
30 Use the given pin as the Security Officer PIN for some token
31 operations (token initialization, user PIN initialization, etc).
32 The same warning as --pin also applies here.
33 --init-token
35 Initializes a token: set the token label as well as a Security
36 Officer PIN (the label must be specified using --label).
37 --init-pin
39 Initializes the user PIN. This option differs from --change-pin in
40 that it sets the user PIN for the first time. Once set, the user
41 PIN can be changed using --change-pin.
42 --change-pin, -c
44 Change the user PIN on the token
45 --test, -t
47 Performs some tests on the token. This option is most useful when
48 used with either --login or --pin.
49 --show-info, -I
51 Displays general token information.
52 --list-slots, -L
54 Displays a list of available slots on the token.
55 --list-mechanisms, -M
57 Displays a list of mechanisms supported by the token.
58 --list-objects, -O
60 Displays a list of objects.
61 --sign, s
63 Sign some data.
64 --hash, -h
66 Hash some data.
67 --mechanism mechanism, -m mechanism
69 Use the specified mechanism for token operations. See -M for a list
70 of mechanisms supported by your token.
71 --keypairgen, -k
73 Generate a new key pair (public and private pair.)
74 --write-object id, -w id
76 Write a key or certificate object to the token.
77 --type type, -y type
79 Specify the type of object to operate on. Examples are cert,
80 privkey and pubkey.
81 --id id, -d id
83 Specify the id of the object to operate on.
84 --label name, -a name
86 Specify the name of the object to operate on (or the token label
87 when --init-token is used).
88 --slot id
90 Specify the id of the slot to use.
91 --slot-id name
93 Specify the name of the slot to use.
94 --set-id id, -e id
96 Set the CKA_ID of the object.
97 --attr-from path
99 Extract information from path (DER-encoded certificate file) and
100 create the corresponding attributes when writing an object to the
101 token. Example: the certificate subject name is used to create the
102 CKA_SUBJECT attribute.
103 --input-file path, -i path
105 Specify the path to a file for input.
106 --output-file path, -o path
108 Specify the path to a file for output.
109 --module mod
111 Specify a PKCS#11 module (or library) to load.
112 --moz-cert path, -z path
114 Tests a Mozilla-like keypair generation and certificate request.
115 Specify the path to the certificate file.
116 --verbose, -v
118 Causes pkcs11-tool to be more verbose. Specify this flag several
119 times to enable debug output in the OpenSC library.
120
122 opensc(7)
123opensc 02/16/2010 PKCS11-TOOL(1)