P11-KIT(8)                      System Commands                     P11-KIT(8)

NAME

       p11-kit - Tool for operating on configured PKCS#11 modules

SYNOPSIS

       p11-kit list-modules

       p11-kit list-tokens ...

       p11-kit list-objects ...

       p11-kit import-object ...

       p11-kit export-object ...

       p11-kit delete-object ...

       p11-kit generate-keypair ...

       p11-kit list-profiles ...

       p11-kit add-profile ...

       p11-kit delete-profile ...

       p11-kit list-mechanisms ...

       p11-kit print-config

       p11-kit extract ...

       p11-kit server ...

DESCRIPTION

       p11-kit is a command line tool that can be used to perform operations
       on PKCS#11 modules configured on the system.

       See the various sub commands below. The following global options can be
       used:

       -v, --verbose
           Run in verbose mode with debug output.

       -q, --quiet
           Run in quiet mode without warning or failure messages.

LIST MODULES

       List system configured PKCS#11 modules.

           $ p11-kit list-modules

       The modules, information about them and the tokens present in the
       PKCS#11 modules will be displayed.

LIST TOKENS

       List all tokens available in system configured PKCS#11 modules.

           $ p11-kit list-tokens [--only-uris] pkcs11:token

       This retrieves all tokens and displays some of their common attributes.
       If --only-uris is given, only the matching token URIs are printed.

LIST OBJECTS

       List objects matching given PKCS#11 URI.

           $ p11-kit list-objects [--login] pkcs11:object_on_token

       This retrieves all objects that match given PKCS#11 URI and displays
       some of their common attributes. Storage objects also have their
       PKCS#11 URI displayed.

IMPORT OBJECT

       Import object into PKCS#11 token.

           $ p11-kit import-object --file=file.pem [--label=label] [--login] pkcs11:token

       Takes either an X.509 certificate or a public key in the form of a PEM
       file and imports it into the first token matched by given PKCS#11 URI.

       --file=<file.pem>
           File containing either an X.509 certificate or a public key in PEM
           format. This option is required.

       --label=<label>
           Assigns label to the imported object.

EXPORT OBJECT

       Export object matching PKCS#11 URI.

           $ p11-kit export-object [--login] pkcs11:object_on_token

       Displays PEM formatted contents of the first object matched by given
       PKCS#11 URI. The matched object has to either be an X.509 certificate
       or a public key.

DELETE OBJECT

       Delete object matching PKCS#11 URI.

           $ p11-kit delete-object [--login] pkcs11:object_on_token

       Destroys the first object matched by given PKCS#11 URI.

GENERATE KEY-PAIR

       Generate key-pair on a PKCS#11 token.

           $ p11-kit generate-keypair --type=algorithm {--bits=n|--curve=name} [--label=label] [--login] pkcs11:token

       Generate private-public key-pair of given type on the first token
       matched by given PKCS#11 URI. This command should be used together with
       --type option and one of --bits or --curve options.

       --type=<algorithm>
           Specify the type of keys to generate. Supported values are rsa,
           ecdsa and ed25519. This option is required.

       --bits=<n>
           Specify the number of bits for the key-pair generation. Cannot be
           used together with --curve option.

       --curve=<name>
           Specify an elliptic curve for the key-pair generation. Supported
           values are secp256r1, secp384r1, secp521r1, ed25519 and ed448.
           Cannot be used together with --bits option.

       --label=<label>
           Assigns label to the generated key-pair objects.
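
       The option rules above (a required --type, exactly one of --bits or
       --curve, the listed curve names) can be checked before a token is
       touched. The wrapper below is an added example, not part of p11-kit
       or its manual; the name p11_keygen, the P11KIT override and the
       MIN_RSA_BITS floor (a local policy, not a p11-kit rule) are
       assumptions.

```shell
#!/bin/sh
# Added example, not p11-kit project code.
P11KIT=${P11KIT:-p11-kit}            # assumed override hook for the binary
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}   # assumed local policy, not a p11-kit rule

err() { echo "p11_keygen: $*" >&2; }

# Usage: p11_keygen TYPE BITS CURVE LABEL TOKEN_URI
# Pass '' for whichever of BITS/CURVE is unused, and '' for no label.
p11_keygen() {
    ktype=$1 bits=$2 curve=$3 label=$4 token=$5
    case $ktype in
        rsa|ecdsa|ed25519) ;;
        *) err "unsupported --type '$ktype'"; return 2 ;;
    esac
    # Exactly one of --bits / --curve, as the manual requires.
    if [ -n "$bits" ] && [ -n "$curve" ]; then
        err "--bits and --curve cannot be combined"; return 2
    fi
    if [ -n "$bits" ]; then
        case $bits in
            *[!0-9]*) err "--bits must be a decimal number"; return 2 ;;
        esac
        if [ "$ktype" = rsa ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
            err "RSA below $MIN_RSA_BITS bits refused by local policy"; return 2
        fi
        size="--bits=$bits"
    else
        case $curve in
            secp256r1|secp384r1|secp521r1|ed25519|ed448) size="--curve=$curve" ;;
            '') err "one of --bits or --curve is required"; return 2 ;;
            *) err "unsupported --curve '$curve'"; return 2 ;;
        esac
    fi
    case $token in
        pkcs11:*) ;;
        *) err "target must be a pkcs11: URI"; return 2 ;;
    esac
    # Build argv with set -- so a label containing spaces stays one argument.
    set -- --type="$ktype" "$size"
    if [ -n "$label" ]; then set -- "$@" --label="$label"; fi
    "$P11KIT" generate-keypair "$@" --login "$token"
}
```

       A rejected request returns status 2 without invoking p11-kit, so the
       wrapper can gate provisioning scripts.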

LIST PROFILES

       List PKCS#11 profiles supported by the token.

           $ p11-kit list-profiles [--login] pkcs11:token

       Displays profile IDs of the first token matched by given PKCS#11 URI in
       human-readable form.

ADD PROFILE

       Add PKCS#11 profile to a token.

           $ p11-kit add-profile --profile=profile [--login] pkcs11:token

       Creates new profile object with given profile ID on the first token
       matched by given PKCS#11 URI. This command fails if the profile ID
       already exists on the token.

       --profile=<profile>
           Profile ID to add. Value can either be numerical or textual. This
           option is required.

DELETE PROFILE

       Delete PKCS#11 profile from a token.

           $ p11-kit delete-profile --profile=profile [--login] pkcs11:token

       Destroys all profile objects with given profile ID from the first token
       matched by given PKCS#11 URI.

       --profile=<profile>
           Profile ID to delete. Value can either be numerical or textual.
           This option is required.

LIST MECHANISMS

       List PKCS#11 mechanisms supported by the token.

           $ p11-kit list-mechanisms pkcs11:token

       This lists all available mechanisms for a PKCS#11 token.

PRINT CONFIG

       Print merged configuration.

           $ p11-kit print-config

       P11-kit provides 3 levels of configuration: system wide, per-module,
       and per-user. At run-time all 3 levels are merged into a single
       configuration. This command displays the merged configuration.

EXTRACT

       Extract certificates from configured PKCS#11 modules.

       This operation has been moved to a separate command trust extract. See
       trust(1) for more information.

SERVER

       Run a server process that exposes a PKCS#11 module remotely.

           $ p11-kit server pkcs11:token1 pkcs11:token2 ...
           $ p11-kit server --provider /path/to/pkcs11-module.so pkcs11:token1 pkcs11:token2 ...

       This launches a server that exposes the given PKCS#11 tokens on a local
       socket. The tokens must belong to the same module. To access the
       socket, use the p11-kit-client.so module. The server address and PID are
       printed as a shell-script snippet which sets the appropriate
       environment variables: P11_KIT_SERVER_ADDRESS and P11_KIT_SERVER_PID.

EXTRACT TRUST

       Extract standard trust information files.

       This operation has been moved to a separate command trust
       extract-compat. See trust(1) for more information.

REMOTE

       Run a PKCS#11 module remotely.

           $ p11-kit remote /path/to/pkcs11-module.so
           $ p11-kit remote pkcs11:token1 pkcs11:token2 ...

       This is not meant to be run directly from a terminal, but rather from
       a remote option in a pkcs11.conf(5) file.

       This exposes the given PKCS#11 module or tokens over standard input and
       output. Those two forms, whether to expose a module or tokens, are
       mutually exclusive and if the second form is used, the tokens must
       belong to the same module.

BUGS

       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker at https://github.com/p11-glue/p11-kit/issues/.

SEE ALSO

       pkcs11.conf(5)

       Further details available in the p11-kit online documentation at
       https://p11-glue.github.io/p11-glue/p11-kit/manual/.

p11-kit                                                             P11-KIT(8)