1YUBICO-PIV-TOOL(1) User Commands YUBICO-PIV-TOOL(1)
2
6 yubico-piv-tool - manual page for yubico-piv-tool 2.2.0
7
9 yubico-piv-tool [OPTION]...
10
12 -h, --help
13 Print help and exit
14 --full-help
16 Print help, including hidden options, and exit
17 -V, --version
19 Print version and exit
20 -v, --verbose[=INT]
22 Print more information (default=`0')
23 -r, --reader=STRING
25 Only use a matching reader (default=`Yubikey')
26 -k, --key[=STRING]
28 Management key to use, if no value is specified key will be
29 asked for (de‐
30 fault=`010203040506070801020304050607080102030405060708')
31 -a, --action=ENUM
33 Action to take (possible values="version", "generate",
34 "set-mgm-key", "reset", "pin-retries", "import-key", "im‐
35 port-certificate", "set-chuid", "request-certificate", "ver‐
36 ify-pin", "change-pin", "change-puk", "unblock-pin", "self‐
37 sign-certificate", "delete-certificate", "read-certificate",
38 "status", "test-signature", "test-decipher", "list-readers",
39 "set-ccc", "write-object", "read-object", "attest")
40 Multiple actions may be given at once and will be executed in
42 order for example --action=verify-pin --action=request-certifi‐
43 cate
44 -s, --slot=ENUM
46 What key slot to operate on (possible values="9a", "9c", "9d",
47 "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a",
48 "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94",
49 "95", "f9")
50 9a is for PIV Authentication 9c is for Digital Signature (PIN
52 always checked) 9d is for Key Management 9e is for Card Authen‐
53 tication (PIN never checked) 82-95 is for Retired Key Management
54 f9 is for Attestation
55 -A, --algorithm=ENUM
57 What algorithm to use (possible values="RSA1024", "RSA2048",
58 "ECCP256", "ECCP384" default=`RSA2048')
59 -H, --hash=ENUM
61 Hash to use for signatures (possible values="SHA1", "SHA256",
62 "SHA384", "SHA512" default=`SHA256')
63 -n, --new-key=STRING
65 New management key to use for action set-mgm-key, if omitted key
66 will be asked for
67 --pin-retries=INT
69 Number of retries before the pin code is blocked
70 --puk-retries=INT
72 Number of retries before the puk code is blocked
73 -i, --input=STRING
75 Filename to use as input, - for stdin (default=`-')
76 -o, --output=STRING
78 Filename to use as output, - for stdout (default=`-')
79 -K, --key-format=ENUM
81 Format of the key being read/written (possible values="PEM",
82 "PKCS12", "GZIP", "DER", "SSH" default=`PEM')
83 -p, --password=STRING
85 Password for decryption of private key file, if omitted password
86 will be asked for
87 -S, --subject=STRING
89 The subject to use for certificate request
90 The subject must be written as: /CN=host.exam‐
92 ple.com/OU=test/O=example.com/
93 --serial=INT
95 Serial number of the self-signed certificate
96 --valid-days=INT
98 Time (in days) until the self-signed certificate expires (de‐
99 fault=`365')
100 -P, --pin=STRING
102 Pin/puk code for verification, if omitted pin/puk will be asked
103 for
104 -N, --new-pin=STRING
106 New pin/puk code for changing, if omitted pin/puk will be asked
107 for
108 --pin-policy=ENUM
110 Set pin policy for action generate or import-key. Only avail‐
111 able on YubiKey 4 (possible values="never", "once", "always")
112 --touch-policy=ENUM
114 Set touch policy for action generate, import-key or set-mgm-key.
115 Only available on YubiKey 4 (possible values="never", "always",
116 "cached")
117 --id=INT
119 Id of object for write/read object
120 -f, --format=ENUM
122 Format of data for write/read object (possible values="hex",
123 "base64", "binary" default=`hex')
124 --attestation
126 Add attestation cross-signature (default=off)
127yubico-piv-tool 2.2.0 January 2021 YUBICO-PIV-TOOL(1)