PKCS11-TOOL(1) OpenSC Tools PKCS11-TOOL(1)

NAME
       pkcs11-tool - utility for managing and using PKCS #11 security tokens

SYNOPSIS
       pkcs11-tool [OPTIONS]

DESCRIPTION
       The pkcs11-tool utility is used to manage the data objects on smart
       cards and similar PKCS #11 security tokens. Users can list and read
       PINs, keys and certificates stored on the token. User PIN
       authentication is performed for those operations that require it.

OPTIONS
       --attr-from path
              Extract information from path (DER-encoded certificate file) and
              create the corresponding attributes when writing an object to the
              token. Example: the certificate subject name is used to create the
              CKA_SUBJECT attribute.

       --change-pin, -c
              Change the user PIN on the token.

       --unlock-pin
              Unlock the User PIN (without --login, the unlock is performed in
              the already logged-in session; otherwise --login-type has to be
              'context-specific').

       --hash, -h
              Hash some data.

       --id id, -d id
              Specify the id of the object to operate on.

       --init-pin
              Initializes the user PIN. This option differs from --change-pin in
              that it sets the user PIN for the first time. Once set, the user
              PIN can be changed using --change-pin.

       --init-token
              Initialize a token: set the token label as well as a Security
              Officer PIN (the label must be specified using --label).

       --input-file path, -i path
              Specify the path to a file for input.

       --keypairgen, -k
              Generate a new key pair (public and private key pair).

       --key-type specification
              Specify the type and length of the key to create, for example
              rsa:1024 or EC:prime256v1.

       --usage-sign
              Specify the 'sign' key usage flag (sets SIGN on the private key
              and VERIFY on the public key).

       --usage-decrypt
              Specify the 'decrypt' key usage flag (RSA only; sets DECRYPT on
              the private key and ENCRYPT on the public key).

       --usage-derive
              Specify the 'derive' key usage flag (EC only).

       --label name, -a name
              Specify the name of the object to operate on (or the token label
              when --init-token is used).

       --list-mechanisms, -M
              Display a list of mechanisms supported by the token.

       --list-objects, -O
              Display a list of objects.

       --list-slots, -L
              Display a list of available slots on the token.

       --list-token-slots, -T
              List slots with tokens.

       --login, -l
              Authenticate to the token before performing other operations. This
              option is not needed if a PIN is provided on the command line.

       --login-type
              Specify the login type ('so', 'user', 'context-specific';
              default: 'user').

       --mechanism mechanism, -m mechanism
              Use the specified mechanism for token operations. See -M for a list
              of mechanisms supported by your token. The mechanism can also be
              specified in hexadecimal, e.g., 0x80001234.

       --module mod
              Specify a PKCS#11 module (or library) to load.

       --moz-cert path, -z path
              Test a Mozilla-like keypair generation and certificate request.
              Specify the path to the certificate file.

       --output-file path, -o path
              Specify the path to a file for output.

       --pin pin, -p pin
              Use the given pin for token operations. If set to env:VARIABLE, the
              value of the environment variable VARIABLE is used. WARNING: Be
              careful using this option, as other users may be able to read the
              command line from the system, or may read the PIN if the command
              is embedded in a script.

              This option will also set the --login option.

       --puk puk
              Supply the User PUK on the command line.

       --new-pin pin
              Supply the new User PIN on the command line.

       --set-id id, -e id
              Set the CKA_ID of the object.

       --show-info, -I
              Display general token information.

       --sign, -s
              Sign some data.

       --decrypt
              Decrypt some data.

       --derive
              Derive a secret key using another key and some data.

       --slot id
              Specify the id of the slot to use.

       --slot-description description
              Specify the description of the slot to use.

       --slot-index index
              Specify the index of the slot to use.

       --token-label label
              Specify the label of the token. The first slot holding an inserted
              token with this label will be used.

       --so-pin pin
              Use the given pin as the Security Officer PIN for some token
              operations (token initialization, user PIN initialization, etc.).
              If set to env:VARIABLE, the value of the environment variable
              VARIABLE is used. The same warning as for --pin also applies here.

       --test, -t
              Perform some tests on the token. This option is most useful when
              used with either --login or --pin.

       --test-hotplug
              Test hotplug capabilities (C_GetSlotList + C_WaitForSlotEvent).

       --private
              Set the CKA_PRIVATE attribute (the object is only viewable after a
              login).

       --test-ec
              Test EC (best used with the --login or --pin option).

       --test-fork
              Test forking and calling C_Initialize() in the child.

       --type type, -y type
              Specify the type of object to operate on. Examples are cert,
              privkey and pubkey.

       --verbose, -v
              Cause pkcs11-tool to be more verbose.

              NB! This does not affect the OpenSC debugging level! To put the
              OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG
              environment variable to a non-zero number.

       --read-object, -r
              Get the object's CKA_VALUE attribute (use with --type).

       --delete-object, -b
              Delete an object.

       --application-label label
              Specify the application label of the data object (use with --type
              data).

       --application-id id
              Specify the application ID of the data object (use with --type
              data).

       --issuer data
              Specify the issuer in hexadecimal format (use with --type cert).

       --subject data
              Specify the subject in hexadecimal format (use with --type
              cert/privkey/pubkey).

       --signature-format format
              Format for ECDSA signature: 'rs' (default), 'sequence', 'openssl'.

       --write-object path, -w path
              Write a key or certificate object to the token. path points to the
              DER-encoded certificate or key file.

opensc 10/30/2018 PKCS11-TOOL(1)