PKCS11-TOOL(1)                   OpenSC Tools                   PKCS11-TOOL(1)


NAME

       pkcs11-tool - utility for managing and using PKCS #11 security tokens


SYNOPSIS

       pkcs11-tool [OPTIONS]


DESCRIPTION

       The pkcs11-tool utility is used to manage the data objects on smart
       cards and similar PKCS #11 security tokens. Users can list and read
       PINs, keys and certificates stored on the token. User PIN
       authentication is performed for those operations that require it.


OPTIONS

       --attr-from path
           Extract information from path (DER-encoded certificate file) and
           create the corresponding attributes when writing an object to the
           token. Example: the certificate subject name is used to create the
           CKA_SUBJECT attribute.

       --change-pin, -c
           Change the user PIN on the token.

       --unlock-pin
           Unlock the user PIN (without --login, the unlock is done in a
           logged-in session; otherwise --login-type has to be
           'context-specific').

       --hash, -h
           Hash some data.

       --id id, -d id
           Specify the id of the object to operate on.

       --init-pin
           Initializes the user PIN. This option differs from --change-pin in
           that it sets the user PIN for the first time. Once set, the user
           PIN can be changed using --change-pin.

       --init-token
           Initialize a token: set the token label as well as a Security
           Officer PIN (the label must be specified using --label).

       --input-file path, -i path
           Specify the path to a file for input.

       --keypairgen, -k
           Generate a new key pair (public and private pair).

       --key-type specification
           Specify the type and length of the key to create, for example
           rsa:1024 or EC:prime256v1.

       --usage-sign
           Specify the 'sign' key usage flag (sets SIGN in the private key and
           VERIFY in the public key).

       --usage-decrypt
           Specify the 'decrypt' key usage flag (RSA only; sets DECRYPT in the
           private key and ENCRYPT in the public key).

       --usage-derive
           Specify the 'derive' key usage flag (EC only).

       --label name, -a name
           Specify the name of the object to operate on (or the token label
           when --init-token is used).

       --list-mechanisms, -M
           Display a list of mechanisms supported by the token.

       --list-objects, -O
           Display a list of objects.

       --list-slots, -L
           Display a list of available slots on the token.

       --list-token-slots, -T
           List slots with tokens.

       --login, -l
           Authenticate to the token before performing other operations. This
           option is not needed if a PIN is provided on the command line.

       --login-type
           Specify the login type ('so', 'user', 'context-specific';
           default: 'user').

       --mechanism mechanism, -m mechanism
           Use the specified mechanism for token operations. See -M for a list
           of mechanisms supported by your token. The mechanism can also be
           specified in hexadecimal, e.g., 0x80001234.

       --module mod
           Specify a PKCS#11 module (or library) to load.

       --moz-cert path, -z path
           Test a Mozilla-like keypair generation and certificate request.
           Specify the path to the certificate file.

       --output-file path, -o path
           Specify the path to a file for output.

       --pin pin, -p pin
           Use the given pin for token operations. If set to env:VARIABLE, the
           value of the environment variable VARIABLE is used. WARNING: Be
           careful using this option, as other users may be able to read the
           command line from the system, or the PIN may end up embedded in a
           script.

           This option will also set the --login option.

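The warning under --pin is about where the PIN ends up: a literal argument to --pin (or --so-pin, --puk, --new-pin) is part of the process's argv, which other local users can read while the process runs, and it is kept in shell history and scripts. The env:VARIABLE form keeps the secret out of argv because pkcs11-tool resolves the variable itself. The following Python is an added example, not OpenSC code: it audits shell-script lines that invoke pkcs11-tool for literal secrets and builds an invocation that uses the env:VARIABLE form. The sample script text and the SoftHSM module path in it are constructed, and PKCS11_PIN is an assumed variable name.

```python
"""Audit pkcs11-tool invocations for PINs passed as literal arguments and
build an invocation that passes the PIN through the environment instead
(the env:VARIABLE form described under --pin).

Added example; not part of OpenSC. The sample script below is constructed.
"""
import os
import shlex
import subprocess

# Options whose value is a secret when given literally on the command line.
SECRET_OPTIONS = {"--pin", "-p", "--so-pin", "--puk", "--new-pin"}


def literal_secrets(argv):
    """Return (option, value) pairs where a secret option carries a literal
    value instead of an env:VARIABLE reference. Both '--pin 1234' and
    '--pin=1234' spellings are recognised."""
    found = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in SECRET_OPTIONS and i + 1 < len(argv):
            value = argv[i + 1]
            if not value.startswith("env:"):
                found.append((arg, value))
            i += 2
            continue
        for opt in SECRET_OPTIONS:
            if arg.startswith(opt + "="):
                value = arg[len(opt) + 1:]
                if not value.startswith("env:"):
                    found.append((opt, value))
        i += 1
    return found


def audit_script(text):
    """Audit every pkcs11-tool line of a shell script and return the
    (line number, option, value) triples that expose a secret in argv."""
    leaks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            argv = shlex.split(stripped)
        except ValueError:
            continue  # unbalanced quotes: not a command we can parse
        if not argv or "pkcs11-tool" not in argv[0]:
            continue
        for opt, value in literal_secrets(argv[1:]):
            leaks.append((lineno, opt, value))
    return leaks


def safe_invocation(module, operation_args, pin, var="PKCS11_PIN"):
    """Build (argv, env) so that argv only holds the reference 'env:<var>'
    and the PIN itself lives in the child's environment. --pin implies
    --login, so no separate --login is needed. The environment is still
    readable by the same user and by root (/proc/<pid>/environ), so this
    narrows exposure rather than removing it."""
    argv = ["pkcs11-tool", "--module", module, "--pin", f"env:{var}"]
    argv += list(operation_args)
    env = dict(os.environ)
    env[var] = pin
    return argv, env


def run_safely(module, operation_args, pin):
    """Run pkcs11-tool with the PIN in the environment; None if the tool is
    not installed on this machine."""
    argv, env = safe_invocation(module, operation_args, pin)
    try:
        return subprocess.run(argv, env=env, capture_output=True, text=True)
    except FileNotFoundError:
        return None


# Constructed sample script: lines 3 and 6 leak a secret, line 5 is correct.
SAMPLE_SCRIPT = """
# backup job (constructed example)
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --login --pin 123456 --list-objects
export PKCS11_PIN
pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so -l -p env:PKCS11_PIN -O
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --so-pin=0000 --init-pin --pin=env:PKCS11_PIN
"""

if __name__ == "__main__":
    for lineno, opt, value in audit_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {opt} given literally ({value!r}); use env:VARIABLE")
```

When the PIN has to come from an operator, read it with a silent prompt (for example getpass in Python or read -s in a shell) into the variable and then invoke the tool with --pin env:PKCS11_PIN; never place the PIN in the argument list.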
       --puk puk
           Supply the user PUK on the command line.

       --new-pin pin
           Supply the new user PIN on the command line.

       --set-id id, -e id
           Set the CKA_ID of the object.

       --show-info, -I
           Display general token information.

       --sign, -s
           Sign some data.

       --decrypt
           Decrypt some data.

       --derive
           Derive a secret key using another key and some data.

       --slot id
           Specify the id of the slot to use.

       --slot-description description
           Specify the description of the slot to use.

       --slot-index index
           Specify the index of the slot to use.

       --token-label label
           Specify the label of the token. The first slot that holds an
           inserted token with this label is used.

       --so-pin pin
           Use the given pin as the Security Officer PIN for some token
           operations (token initialization, user PIN initialization, etc). If
           set to env:VARIABLE, the value of the environment variable VARIABLE
           is used. The same warning as for --pin also applies here.

       --test, -t
           Perform some tests on the token. This option is most useful when
           used with either --login or --pin.

       --test-hotplug
           Test hotplug capabilities (C_GetSlotList + C_WaitForSlotEvent).

       --private
           Set the CKA_PRIVATE attribute (object is only viewable after a
           login).

       --test-ec
           Test EC (best used with the --login or --pin option).

       --test-fork
           Test forking and calling C_Initialize() in the child.

       --type type, -y type
           Specify the type of object to operate on. Examples are cert,
           privkey and pubkey.

       --verbose, -v
           Cause pkcs11-tool to be more verbose.

           NB! This does not affect the OpenSC debugging level! To put the
           OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG
           environment variable to a non-zero number.

       --read-object, -r
           Get the object's CKA_VALUE attribute (use with --type).

       --delete-object, -b
           Delete an object.

       --application-label label
           Specify the application label of the data object (use with --type
           data).

       --application-id id
           Specify the application ID of the data object (use with --type
           data).

       --issuer data
           Specify the issuer in hexadecimal format (use with --type cert).

       --subject data
           Specify the subject in hexadecimal format (use with --type
           cert/privkey/pubkey).

       --signature-format format
           Format for ECDSA signature: 'rs' (default), 'sequence', 'openssl'.
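The default 'rs' format is the raw concatenation r||s, each integer left-padded with zeros to the width of the curve field (32 bytes each for prime256v1), which is what PKCS #11 C_Sign returns; 'sequence' and 'openssl' wrap the same two integers in a DER SEQUENCE of two INTEGERs, which is what openssl expects when verifying. The following Python is an added example, not OpenSC code: it converts between the two encodings, handling the two edge cases that break naive converters (an integer whose top bit is set needs a 0x00 pad byte in DER; an integer with leading zero bytes loses them in DER but must regain them in r||s). The sample signature values are constructed, not produced by a token.

```python
"""Convert an ECDSA signature between the raw r||s form emitted by
pkcs11-tool --signature-format rs and the DER SEQUENCE form emitted by
--signature-format sequence / openssl.

Added example, not part of OpenSC. The sample values are constructed.
"""


def _der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER: minimal big-endian bytes, with a leading 0x00 when the
    top bit is set so the value is not read back as negative."""
    if value < 0:
        raise ValueError("ECDSA r and s are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def rs_to_der(sig):
    """r||s (two equal-width big-endian integers) -> DER SEQUENCE."""
    if len(sig) == 0 or len(sig) % 2:
        raise ValueError("raw r||s signature must have even, non-zero length")
    half = len(sig) // 2
    r = int.from_bytes(sig[:half], "big")
    s = int.from_bytes(sig[half:], "big")
    body = _der_integer(r) + _der_integer(s)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf, pos, tag):
    """Parse one DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return buf[pos:pos + length], pos + length


def der_to_rs(der, field_bytes):
    """DER SEQUENCE -> r||s, each padded to field_bytes (32 for prime256v1)."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    r_bytes, pos = _read_tlv(seq, 0, 0x02)
    s_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    r = int.from_bytes(r_bytes, "big")
    s = int.from_bytes(s_bytes, "big")
    if r.bit_length() > 8 * field_bytes or s.bit_length() > 8 * field_bytes:
        raise ValueError("integer wider than the curve field")
    return r.to_bytes(field_bytes, "big") + s.to_bytes(field_bytes, "big")


def is_valid_der_signature(der, field_bytes):
    """True if der is a well-formed SEQUENCE of two INTEGERs that fit the
    curve field; useful as an input check before handing data to a verifier."""
    try:
        der_to_rs(der, field_bytes)
        return True
    except ValueError:
        return False


# Constructed prime256v1 sample: r has its top bit set (needs a 0x00 pad in
# DER); s starts with two zero bytes (dropped in DER, restored in r||s).
SAMPLE_R = bytes([0x80] + [0x11] * 31)
SAMPLE_S = bytes([0x00, 0x00] + [0x22] * 30)
SAMPLE_RS = SAMPLE_R + SAMPLE_S

if __name__ == "__main__":
    der = rs_to_der(SAMPLE_RS)
    print(der.hex())
    print(der_to_rs(der, 32) == SAMPLE_RS)
```

A signature produced with the default 'rs' format and saved with --output-file can be run through rs_to_der and then checked with openssl (for example openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.der when the token signed a precomputed digest); choosing --signature-format openssl at signing time gives the DER form directly.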

       --write-object path, -w path
           Write a key or certificate object to the token. path points to the
           DER-encoded certificate or key file.



opensc                            10/30/2018                    PKCS11-TOOL(1)