1YUBICO-PIV-TOOL(1)               User Commands              YUBICO-PIV-TOOL(1)
2
3
4

NAME

6       yubico-piv-tool - Yubico PIV tool
7

SYNOPSIS

9       yubico-piv-tool [OPTIONS]...
10

DESCRIPTION

12       yubico-piv-tool 1.6.2
13
14       -h, --help
15              Print help and exit
16
17       --full-help
18              Print help, including hidden options, and exit
19
20       -V, --version
21              Print version and exit
22
23       -v, --verbose[=INT]
24              Print more information  (default=`0')
25
26       -r, --reader=STRING
27              Only use a matching reader  (default=`Yubikey')
28
29       -k, --key[=STRING]
30              Management  key  to  use,  if  no value is specified key will be
31              asked                                                        for
32              (default=`010203040506070801020304050607080102030405060708')
33
34       -a, --action=ENUM
35              Action   to   take    (possible   values="version",  "generate",
36              "set-mgm-key",     "reset",     "pin-retries",     "import-key",
37              "import-certificate",  "set-chuid", "request-certificate", "ver‐
38              ify-pin",  "change-pin",  "change-puk",  "unblock-pin",   "self‐
39              sign-certificate",   "delete-certificate",   "read-certificate",
40              "status",  "test-signature",  "test-decipher",   "list-readers",
41              "set-ccc", "write-object", "read-object", "attest")
42
43              Multiple  actions  may  be given at once and will be executed in
44              order for example --action=verify-pin  --action=request-certifi‐
45              cate
46
47       -s, --slot=ENUM
48              What  key slot to operate on  (possible values="9a", "9c", "9d",
49              "9e", "82", "83", "84", "85",  "86",  "87",  "88",  "89",  "8a",
50              "8b",  "8c",  "8d",  "8e",  "8f",  "90", "91", "92", "93", "94",
51              "95", "f9")
52
53              9a is for PIV Authentication 9c is for  Digital  Signature  (PIN
54              always  checked) 9d is for Key Management 9e is for Card Authen‐
55              tication (PIN never checked) 82-95 is for Retired Key Management
56              f9 is for Attestation
57
58       -A, --algorithm=ENUM
59              What  algorithm  to  use  (possible values="RSA1024", "RSA2048",
60              "ECCP256", "ECCP384" default=`RSA2048')
61
62       -H, --hash=ENUM
63              Hash to use for signatures  (possible  values="SHA1",  "SHA256",
64              "SHA384", "SHA512" default=`SHA256')
65
66       -n, --new-key=STRING
67              New management key to use for action set-mgm-key, if omitted key
68              will be asked for
69
70       --pin-retries=INT
71              Number of retries before the pin code is blocked
72
73       --puk-retries=INT
74              Number of retries before the puk code is blocked
75
76       -i, --input=STRING
77              Filename to use as input, - for stdin  (default=`-')
78
79       -o, --output=STRING
80              Filename to use as output, - for stdout (default=`-')
81
82       -K, --key-format=ENUM
83              Format of the key being  read/written   (possible  values="PEM",
84              "PKCS12", "GZIP", "DER", "SSH" default=`PEM')
85
86       -p, --password=STRING
87              Password for decryption of private key file, if omitted password
88              will be asked for
89
90       -S, --subject=STRING
91              The subject to use for certificate request
92
93              The    subject    must    be    written    as:    /CN=host.exam‐
94              ple.com/OU=test/O=example.com/
95
96       --serial=INT
97              Serial number of the self-signed certificate
98
99       --valid-days=INT
100              Time   (in  days)  until  the  self-signed  certificate  expires
101              (default=`365')
102
103       -P, --pin=STRING
104              Pin/puk code for verification, if omitted pin/puk will be  asked
105              for
106
107       -N, --new-pin=STRING
108              New  pin/puk code for changing, if omitted pin/puk will be asked
109              for
110
111       --pin-policy=ENUM
112              Set pin policy for action generate or import-key.   Only  avail‐
113              able on YubiKey 4  (possible values="never", "once", "always")
114
115       --touch-policy=ENUM
116              Set touch policy for action generate, import-key or set-mgm-key.
117              Only available on YubiKey 4 (possible values="never",  "always",
118              "cached")
119
120       --id=INT
121              Id of object for write/read object
122
123       -f, --format=ENUM
124              Format  of  data  for write/read object  (possible values="hex",
125              "base64", "binary" default=`hex')
126

EXAMPLES

128       For more information about what's happening --verbose can be  added  to
129       any command. For much more information --verbose=2 may be used.
130
131       Display what version of the application is running on the YubiKey:
132
133          yubico-piv-tool -aversion
134
135       Generate a new ECC-P256 key on device in slot 9a, will print the public
136       key on stdout:
137
138          yubico-piv-tool -s9a -AECCP256 -agenerate
139
140       Generate a certificate request with public key from stdin,  will  print
141       the resulting request on stdout:
142
143          yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify \
144            -arequest
145
146       Generate  a  self-signed  certificate  with public key from stdin, will
147       print the certificate, for later import, on stdout:
148
149          yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify \
150            -aselfsign
151
152       Import a certificate from stdin:
153
154          yubico-piv-tool -s9a -aimport-certificate
155
156       Set a random chuid, import a key and import a certificate from a PKCS12
157       file, into slot 9c:
158
159          yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid \
160            -aimport-key -aimport-cert
161
162       Import  a certificate which is larger than 2048 bytes and thus requires
163       compression in order to fit:
164
165         openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
166         yubico-piv-tool -s9c -ider.gz -KGZIP -aimport-cert
167
168       Change the management key used for administrative authentication:
169
170          yubico-piv-tool -aset-mgm-key
171
172       Delete a certificate in slot 9a, with management key being asked for:
173
174         yubico-piv-tool -adelete-certificate -s9a -k
175
176       Show some information on certificates and other data:
177
178         yubico-piv-tool -astatus
179
180       Read out the certificate from a slot and then run a signature test:
181
182         yubico-piv-tool -aread-cert -s9a
183         yubico-piv-tool -averify-pin -atest-signature -s9a
184
185       Import a key into slot 85 (only available on YubiKey  4)  and  set  the
186       touch policy (also only available on YubiKey 4):
187
188         yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem
189
190
191
192yubico-piv-tool 1.6.2           September 2018              YUBICO-PIV-TOOL(1)
Impressum