YUBICO-PIV-TOOL(1)               User Commands              YUBICO-PIV-TOOL(1)

NAME

6       yubico-piv-tool - manual page for yubico-piv-tool 2.1.1
7

SYNOPSIS

9       yubico-piv-tool [OPTION]...
10

DESCRIPTION

12       -h, --help
13              Print help and exit
14
15       --full-help
16              Print help, including hidden options, and exit
17
18       -V, --version
19              Print version and exit
20
21       -v, --verbose[=INT]
22              Print more information  (default=`0')
23
24       -r, --reader=STRING
25              Only use a matching reader  (default=`Yubikey')
26
       -k, --key[=STRING]
              Management key to use; if no value is specified, the key will
              be asked for
              (default=`010203040506070801020304050607080102030405060708')
31
       -a, --action=ENUM
              Action to take (possible values="version", "generate",
              "set-mgm-key", "reset", "pin-retries", "import-key",
              "import-certificate", "set-chuid", "request-certificate",
              "verify-pin", "change-pin", "change-puk", "unblock-pin",
              "selfsign-certificate", "delete-certificate",
              "read-certificate", "status", "test-signature",
              "test-decipher", "list-readers", "set-ccc", "write-object",
              "read-object", "attest")
40
              Multiple actions may be given at once and will be executed in
              order, for example:
              --action=verify-pin --action=request-certificate
44
45       -s, --slot=ENUM
46              What  key slot to operate on  (possible values="9a", "9c", "9d",
47              "9e", "82", "83", "84", "85",  "86",  "87",  "88",  "89",  "8a",
48              "8b",  "8c",  "8d",  "8e",  "8f",  "90", "91", "92", "93", "94",
49              "95", "f9")
50
              9a is for PIV Authentication
              9c is for Digital Signature (PIN always checked)
              9d is for Key Management
              9e is for Card Authentication (PIN never checked)
              82-95 is for Retired Key Management
              f9 is for Attestation
55
56       -A, --algorithm=ENUM
57              What  algorithm  to  use  (possible values="RSA1024", "RSA2048",
58              "ECCP256", "ECCP384" default=`RSA2048')
59
60       -H, --hash=ENUM
61              Hash to use for signatures  (possible  values="SHA1",  "SHA256",
62              "SHA384", "SHA512" default=`SHA256')
63
64       -n, --new-key=STRING
65              New management key to use for action set-mgm-key, if omitted key
66              will be asked for
67
68       --pin-retries=INT
69              Number of retries before the pin code is blocked
70
71       --puk-retries=INT
72              Number of retries before the puk code is blocked
73
74       -i, --input=STRING
75              Filename to use as input, - for stdin  (default=`-')
76
77       -o, --output=STRING
78              Filename to use as output, - for stdout (default=`-')
79
80       -K, --key-format=ENUM
81              Format of the key being  read/written   (possible  values="PEM",
82              "PKCS12", "GZIP", "DER", "SSH" default=`PEM')
83
84       -p, --password=STRING
85              Password for decryption of private key file, if omitted password
86              will be asked for
87
88       -S, --subject=STRING
89              The subject to use for certificate request
90
              The subject must be written as:
              /CN=host.example.com/OU=test/O=example.com/
93
94       --serial=INT
95              Serial number of the self-signed certificate
96
97       --valid-days=INT
98              Time   (in  days)  until  the  self-signed  certificate  expires
99              (default=`365')
100
101       -P, --pin=STRING
102              Pin/puk code for verification, if omitted pin/puk will be  asked
103              for
104
105       -N, --new-pin=STRING
106              New  pin/puk code for changing, if omitted pin/puk will be asked
107              for
108
109       --pin-policy=ENUM
              Set PIN policy for action generate or import-key. Only
              available on YubiKey 4 (possible values="never", "once",
              "always")
112
113       --touch-policy=ENUM
114              Set touch policy for action generate, import-key or set-mgm-key.
115              Only available on YubiKey 4 (possible values="never",  "always",
116              "cached")
117
118       --id=INT
119              Id of object for write/read object
120
121       -f, --format=ENUM
122              Format  of  data  for write/read object  (possible values="hex",
123              "base64", "binary" default=`hex')
124
125       --attestation
126              Add attestation cross-signature  (default=off)
127
yubico-piv-tool 2.1.1              July 2020                YUBICO-PIV-TOOL(1)