YUBICO-PIV-TOOL(1)               User Commands               YUBICO-PIV-TOOL(1)

NAME
       yubico-piv-tool - Yubico PIV tool

SYNOPSIS
       yubico-piv-tool [OPTIONS]...

DESCRIPTION
       yubico-piv-tool 2.0.0

       -h, --help
              Print help and exit

       --full-help
              Print help, including hidden options, and exit

       -V, --version
              Print version and exit

       -v, --verbose[=INT]
              Print more information (default=`0')

       -r, --reader=STRING
              Only use a matching reader (default=`Yubikey')

       -k, --key[=STRING]
              Management key to use; if no value is given, the key will be
              prompted for
              (default=`010203040506070801020304050607080102030405060708')

       -a, --action=ENUM
              Action to take (possible values="version", "generate",
              "set-mgm-key", "reset", "pin-retries", "import-key",
              "import-certificate", "set-chuid", "request-certificate",
              "verify-pin", "change-pin", "change-puk", "unblock-pin",
              "selfsign-certificate", "delete-certificate",
              "read-certificate", "status", "test-signature",
              "test-decipher", "list-readers", "set-ccc", "write-object",
              "read-object", "attest")

              Multiple actions may be given at once and will be executed in
              order, for example --action=verify-pin
              --action=request-certificate

       -s, --slot=ENUM
              What key slot to operate on (possible values="9a", "9c", "9d",
              "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a",
              "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94",
              "95", "f9")

              9a is for PIV Authentication
              9c is for Digital Signature (PIN always checked)
              9d is for Key Management
              9e is for Card Authentication (PIN never checked)
              82-95 is for Retired Key Management
              f9 is for Attestation

       -A, --algorithm=ENUM
              What algorithm to use (possible values="RSA1024", "RSA2048",
              "ECCP256", "ECCP384" default=`RSA2048')

       -H, --hash=ENUM
              Hash to use for signatures (possible values="SHA1", "SHA256",
              "SHA384", "SHA512" default=`SHA256')

       -n, --new-key=STRING
              New management key to use for action set-mgm-key; if omitted,
              the key will be prompted for

       --pin-retries=INT
              Number of retries before the PIN code is blocked

       --puk-retries=INT
              Number of retries before the PUK code is blocked

       -i, --input=STRING
              Filename to use as input, - for stdin (default=`-')

       -o, --output=STRING
              Filename to use as output, - for stdout (default=`-')

       -K, --key-format=ENUM
              Format of the key being read/written (possible values="PEM",
              "PKCS12", "GZIP", "DER", "SSH" default=`PEM')

       -p, --password=STRING
              Password for decryption of the private key file; if omitted,
              the password will be prompted for

       -S, --subject=STRING
              The subject to use for the certificate request

              The subject must be written as:
              /CN=host.example.com/OU=test/O=example.com/

       --serial=INT
              Serial number of the self-signed certificate

       --valid-days=INT
              Time (in days) until the self-signed certificate expires
              (default=`365')

       -P, --pin=STRING
              PIN/PUK code for verification; if omitted, the PIN/PUK will be
              prompted for

       -N, --new-pin=STRING
              New PIN/PUK code for changing; if omitted, the PIN/PUK will be
              prompted for

       --pin-policy=ENUM
              Set PIN policy for action generate or import-key. Only
              available on YubiKey 4 (possible values="never", "once",
              "always")

       --touch-policy=ENUM
              Set touch policy for action generate, import-key or
              set-mgm-key. Only available on YubiKey 4 (possible
              values="never", "always", "cached")

       --id=INT
              Id of object for write/read object

       -f, --format=ENUM
              Format of data for write/read object (possible values="hex",
              "base64", "binary" default=`hex')
EXAMPLES
       For more information about what is happening, --verbose can be added
       to any command. For much more information, --verbose=2 may be used.

       Display what version of the application is running on the YubiKey:

              yubico-piv-tool -aversion

       Generate a new ECC-P256 key on the device in slot 9a; the public key is
       printed on stdout:

              yubico-piv-tool -s9a -AECCP256 -agenerate

       Generate a certificate request with the public key from stdin; the
       resulting request is printed on stdout:

              yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify \
                  -arequest

       Generate a self-signed certificate with the public key from stdin; the
       certificate is printed on stdout for later import:

              yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify \
                  -aselfsign

       Import a certificate from stdin:

              yubico-piv-tool -s9a -aimport-certificate

       Set a random CHUID, then import a key and a certificate from a PKCS12
       file into slot 9c:

              yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid \
                  -aimport-key -aimport-cert

       Import a certificate which is larger than 2048 bytes and thus requires
       compression in order to fit:

              openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
              yubico-piv-tool -s9c -ider.gz -KGZIP -aimport-cert

       Change the management key used for administrative authentication:

              yubico-piv-tool -aset-mgm-key

       Delete the certificate in slot 9a, with the management key being
       prompted for:

              yubico-piv-tool -adelete-certificate -s9a -k

       Show some information on certificates and other data:

              yubico-piv-tool -astatus

       Read out the certificate from a slot and then run a signature test:

              yubico-piv-tool -aread-cert -s9a
              yubico-piv-tool -averify-pin -atest-signature -s9a

       Import a key into slot 85 (only available on YubiKey 4) and set the
       touch policy (also only available on YubiKey 4):

              yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem
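       The following is an added example and is not part of this man page or
       of the yubico-piv-tool project. It ties together the --key default, the
       set-mgm-key action and the generate / selfsign-certificate /
       import-certificate sequence shown above into one provisioning procedure
       for slot 9a, and it refuses to run if the factory default management
       key documented under --key would be kept. It assumes yubico-piv-tool is
       on PATH (overridable through the PIV_TOOL variable) and that actions are
       given by their full names; the function names, the PIV_PROVISION guard,
       the retry limit of 3, the once/cached policies and the file names
       pubkey.pem and cert.pem are this example's own choices, not the tool's
       defaults.

```shell
#!/bin/sh
# Added example, not from the yubico-piv-tool man page: provision slot 9a
# without leaving the factory management key in place.
# Assumes yubico-piv-tool is on PATH (override with PIV_TOOL) and that a
# YubiKey is attached when piv_provision_9a is actually run.

PIV_TOOL="${PIV_TOOL:-yubico-piv-tool}"

# Factory default management key, as documented under --key. A device that
# still uses it can be re-keyed by anyone able to plug it in.
PIV_DEFAULT_MGM_KEY="010203040506070801020304050607080102030405060708"

# Exit 0 when the given hex key equals the factory default (case-insensitive).
piv_mgm_key_is_default() {
    [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$PIV_DEFAULT_MGM_KEY" ]
}

# Exit 0 when the key is 24 bytes (48 hex digits) and is not the default.
piv_mgm_key_is_valid() {
    k=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$k" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#k}" -eq 48 ] || return 1
    if piv_mgm_key_is_default "$k"; then return 1; fi
    return 0
}

# Print a fresh random 24-byte management key as 48 hex digits.
piv_new_mgm_key() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Provision slot 9a. Arguments: new management key, certificate subject in the
# /CN=.../OU=.../O=.../ form required by -S. The tool prompts for the PIN
# wherever -P is not given, so no secret is placed on the command line.
piv_provision_9a() {
    new_key=$1
    subject=$2
    if ! piv_mgm_key_is_valid "$new_key"; then
        echo "refusing to provision with a default or malformed management key" >&2
        return 1
    fi
    # 1. Rotate the management key, authenticating with the factory default.
    "$PIV_TOOL" --key="$PIV_DEFAULT_MGM_KEY" -aset-mgm-key -n"$new_key" || return 1
    # 2. Limit PIN/PUK guesses before lockout (example choice: 3 each).
    "$PIV_TOOL" --key="$new_key" -averify-pin -apin-retries \
        --pin-retries=3 --puk-retries=3 || return 1
    # 3. Generate an ECC P-256 key on the device; the public key is written
    #    to pubkey.pem. The PIN and touch policies need a YubiKey 4 or later.
    "$PIV_TOOL" --key="$new_key" -s9a -AECCP256 --pin-policy=once \
        --touch-policy=cached -agenerate -opubkey.pem || return 1
    # 4. Self-sign a certificate over that public key (PIN verified first),
    #    load it into the slot, then write a random CHUID.
    "$PIV_TOOL" -s9a -S"$subject" --valid-days=365 -averify-pin \
        -aselfsign-certificate -ipubkey.pem -ocert.pem || return 1
    "$PIV_TOOL" --key="$new_key" -s9a -aimport-certificate -icert.pem || return 1
    "$PIV_TOOL" --key="$new_key" -aset-chuid || return 1
    return 0
}

# Touch a real device only when explicitly asked: PIV_PROVISION=1 sh provision.sh
if [ "${PIV_PROVISION:-0}" = 1 ]; then
    key=$(piv_new_mgm_key)
    piv_provision_9a "$key" '/CN=host.example.com/OU=test/O=example.com/' || exit 1
    echo "new management key (record it offline; it cannot be read back from the device): $key"
fi
```

       Because every call goes through "$PIV_TOOL", the key checks and the
       exact command lines can be exercised without a YubiKey by pointing
       PIV_TOOL at a shell function that only records its arguments; the
       guarded block at the end is the only place a real device is touched.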
189
190
191
192yubico-piv-tool 2.0.0 January 2020 YUBICO-PIV-TOOL(1)