1YUBICO-PIV-TOOL(1) User Commands YUBICO-PIV-TOOL(1)
2
3
4
6 yubico-piv-tool - Yubico PIV tool
7
9 yubico-piv-tool [OPTIONS]...
10
12 yubico-piv-tool 1.6.2
13
14 -h, --help
15 Print help and exit
16
17 --full-help
18 Print help, including hidden options, and exit
19
20 -V, --version
21 Print version and exit
22
23 -v, --verbose[=INT]
24 Print more information (default=`0')
25
26 -r, --reader=STRING
27 Only use a matching reader (default=`Yubikey')
28
29 -k, --key[=STRING]
30 Management key to use, if no value is specified key will be
31 asked for
32 (default=`010203040506070801020304050607080102030405060708')
33
34 -a, --action=ENUM
35 Action to take (possible values="version", "generate",
36 "set-mgm-key", "reset", "pin-retries", "import-key",
37 "import-certificate", "set-chuid", "request-certificate", "ver‐
38 ify-pin", "change-pin", "change-puk", "unblock-pin", "self‐
39 sign-certificate", "delete-certificate", "read-certificate",
40 "status", "test-signature", "test-decipher", "list-readers",
41 "set-ccc", "write-object", "read-object", "attest")
42
43 Multiple actions may be given at once and will be executed in
44 order for example --action=verify-pin --action=request-certifi‐
45 cate
46
47 -s, --slot=ENUM
48 What key slot to operate on (possible values="9a", "9c", "9d",
49 "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a",
50 "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94",
51 "95", "f9")
52
53 9a is for PIV Authentication 9c is for Digital Signature (PIN
54 always checked) 9d is for Key Management 9e is for Card Authen‐
55 tication (PIN never checked) 82-95 is for Retired Key Management
56 f9 is for Attestation
57
58 -A, --algorithm=ENUM
59 What algorithm to use (possible values="RSA1024", "RSA2048",
60 "ECCP256", "ECCP384" default=`RSA2048')
61
62 -H, --hash=ENUM
63 Hash to use for signatures (possible values="SHA1", "SHA256",
64 "SHA384", "SHA512" default=`SHA256')
65
66 -n, --new-key=STRING
67 New management key to use for action set-mgm-key, if omitted key
68 will be asked for
69
70 --pin-retries=INT
71 Number of retries before the pin code is blocked
72
73 --puk-retries=INT
74 Number of retries before the puk code is blocked
75
76 -i, --input=STRING
77 Filename to use as input, - for stdin (default=`-')
78
79 -o, --output=STRING
80 Filename to use as output, - for stdout (default=`-')
81
82 -K, --key-format=ENUM
83 Format of the key being read/written (possible values="PEM",
84 "PKCS12", "GZIP", "DER", "SSH" default=`PEM')
85
86 -p, --password=STRING
87 Password for decryption of private key file, if omitted password
88 will be asked for
89
90 -S, --subject=STRING
91 The subject to use for certificate request
92
93 The subject must be written as: /CN=host.exam‐
94 ple.com/OU=test/O=example.com/
95
96 --serial=INT
97 Serial number of the self-signed certificate
98
99 --valid-days=INT
100 Time (in days) until the self-signed certificate expires
101 (default=`365')
102
103 -P, --pin=STRING
104 Pin/puk code for verification, if omitted pin/puk will be asked
105 for
106
107 -N, --new-pin=STRING
108 New pin/puk code for changing, if omitted pin/puk will be asked
109 for
110
111 --pin-policy=ENUM
112 Set pin policy for action generate or import-key. Only avail‐
113 able on YubiKey 4 (possible values="never", "once", "always")
114
115 --touch-policy=ENUM
116 Set touch policy for action generate, import-key or set-mgm-key.
117 Only available on YubiKey 4 (possible values="never", "always",
118 "cached")
119
120 --id=INT
121 Id of object for write/read object
122
123 -f, --format=ENUM
124 Format of data for write/read object (possible values="hex",
125 "base64", "binary" default=`hex')
126
128 For more information about what's happening --verbose can be added to
129 any command. For much more information --verbose=2 may be used.
130
131 Display what version of the application is running on the YubiKey:
132
133 yubico-piv-tool -aversion
134
135 Generate a new ECC-P256 key on device in slot 9a, will print the public
136 key on stdout:
137
138 yubico-piv-tool -s9a -AECCP256 -agenerate
139
140 Generate a certificate request with public key from stdin, will print
141 the resulting request on stdout:
142
143 yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify \
144 -arequest
145
146 Generate a self-signed certificate with public key from stdin, will
147 print the certificate, for later import, on stdout:
148
149 yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify \
150 -aselfsign
151
152 Import a certificate from stdin:
153
154 yubico-piv-tool -s9a -aimport-certificate
155
156 Set a random chuid, import a key and import a certificate from a PKCS12
157 file, into slot 9c:
158
159 yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid \
160 -aimport-key -aimport-cert
161
162 Import a certificate which is larger than 2048 bytes and thus requires
163 compression in order to fit:
164
165 openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
166 yubico-piv-tool -s9c -ider.gz -KGZIP -aimport-cert
167
168 Change the management key used for administrative authentication:
169
170 yubico-piv-tool -aset-mgm-key
171
172 Delete a certificate in slot 9a, with management key being asked for:
173
174 yubico-piv-tool -adelete-certificate -s9a -k
175
176 Show some information on certificates and other data:
177
178 yubico-piv-tool -astatus
179
180 Read out the certificate from a slot and then run a signature test:
181
182 yubico-piv-tool -aread-cert -s9a
183 yubico-piv-tool -averify-pin -atest-signature -s9a
184
185 Import a key into slot 85 (only available on YubiKey 4) and set the
186 touch policy (also only available on YubiKey 4):
187
188 yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem
189
190
191
192yubico-piv-tool 1.6.2 September 2018 YUBICO-PIV-TOOL(1)