YUBICO-PIV-TOOL(1)                User Commands               YUBICO-PIV-TOOL(1)

       yubico-piv-tool - Tool for managing Personal Identity Verification
       credentials on Yubikeys

       yubico-piv-tool [OPTION]...

       -h, --help
              Print help and exit

       --full-help
              Print help, including hidden options, and exit

       -V, --version
              Print version and exit

       -v, --verbose[=INT]
              Print more information (default=`0')

       -r, --reader=STRING
              Only use a matching reader (default=`Yubikey')

       -k, --key[=STRING]
              Management key to use; if no value is specified, the key will be
              asked for
              (default=`010203040506070801020304050607080102030405060708')

       -a, --action=ENUM
              Action to take (possible values="version", "generate",
              "set-mgm-key", "reset", "pin-retries", "import-key",
              "import-certificate", "set-chuid", "request-certificate",
              "verify-pin", "change-pin", "change-puk", "unblock-pin",
              "selfsign-certificate", "delete-certificate",
              "read-certificate", "status", "test-signature",
              "test-decipher", "list-readers", "set-ccc", "write-object",
              "read-object", "attest")

              Multiple actions may be given at once and will be executed in
              order, for example: --action=verify-pin
              --action=request-certificate

       -s, --slot=ENUM
              What key slot to operate on (possible values="9a", "9c", "9d",
              "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a",
              "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94",
              "95", "f9")

              9a is for PIV Authentication
              9c is for Digital Signature (PIN always checked)
              9d is for Key Management
              9e is for Card Authentication (PIN never checked)
              82-95 is for Retired Key Management
              f9 is for Attestation

       -A, --algorithm=ENUM
              What algorithm to use (possible values="RSA1024", "RSA2048",
              "ECCP256", "ECCP384" default=`RSA2048')

       -H, --hash=ENUM
              Hash to use for signatures (possible values="SHA1", "SHA256",
              "SHA384", "SHA512" default=`SHA256')

       -n, --new-key=STRING
              New management key to use for action set-mgm-key; if omitted,
              the key will be asked for

       --pin-retries=INT
              Number of retries before the pin code is blocked

       --puk-retries=INT
              Number of retries before the puk code is blocked

       -i, --input=STRING
              Filename to use as input, - for stdin (default=`-')

       -o, --output=STRING
              Filename to use as output, - for stdout (default=`-')

       -K, --key-format=ENUM
              Format of the key being read/written (possible values="PEM",
              "PKCS12", "GZIP", "DER", "SSH" default=`PEM')

       -p, --password=STRING
              Password for decryption of private key file; if omitted, the
              password will be asked for

       -S, --subject=STRING
              The subject to use for certificate request

              The subject must be written as:
              /CN=host.example.com/OU=test/O=example.com/

       --serial=INT
              Serial number of the self-signed certificate

       --valid-days=INT
              Time (in days) until the self-signed certificate expires
              (default=`365')

       -P, --pin=STRING
              Pin/puk code for verification; if omitted, the pin/puk will be
              asked for

       -N, --new-pin=STRING
              New pin/puk code for changing; if omitted, the pin/puk will be
              asked for

       --pin-policy=ENUM
              Set pin policy for action generate or import-key. Only
              available on YubiKey 4 (possible values="never", "once",
              "always")

       --touch-policy=ENUM
              Set touch policy for action generate, import-key or
              set-mgm-key. Only available on YubiKey 4 (possible
              values="never", "always", "cached")

       --id=INT
              Id of object for write/read object

       -f, --format=ENUM
              Format of data for write/read object (possible values="hex",
              "base64", "binary" default=`hex')

       --attestation
              Add attestation cross-signature (default=off)

       -m, --new-key-algo=ENUM
              New management key algorithm to use for action set-mgm-key
              (possible values="TDES", "AES128", "AES192", "AES256"
              default=`TDES')
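
An added example, not part of the yubico-piv-tool man page or Yubico's own code: a POSIX shell wrapper that chains the generate, verify-pin, selfsign-certificate and import-certificate actions for one slot, checking the --slot and --subject values first and leaving the management key and PIN to be prompted for instead of passed as option values. The function names, the PIV_TOOL and DRY_RUN variables, the output file names and the exclusion of slot f9 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the man page. PIV_TOOL, DRY_RUN, the function
# names and the pub-/cert- file names are assumptions of this sketch.
PIV_TOOL=${PIV_TOOL:-yubico-piv-tool}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands instead of running them

# Values listed for --slot, minus f9 (attestation), which this example skips.
valid_slot() {
  case "$1" in
    9a|9c|9d|9e|8[2-9a-f]|9[0-5]) return 0 ;;
    *) return 1 ;;
  esac
}

# --subject must look like /CN=host.example.com/OU=test/O=example.com/
valid_subject() {
  case "$1" in /*/) ;; *) return 1 ;; esac
  rest=${1#/}
  while [ -n "$rest" ]; do
    part=${rest%%/*}; rest=${rest#*/}
    case "$part" in ?*=?*) ;; *) return 1 ;; esac
  done
}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

provision() {  # usage: provision SLOT SUBJECT
  valid_slot "$1" || { echo "bad slot: $1" >&2; return 2; }
  valid_subject "$2" || { echo "bad subject: $2" >&2; return 2; }
  # -k without a value and no -P: both secrets are prompted for, so neither
  # appears in argv, shell history or the process list.
  # The policy options are documented as YubiKey 4 only.
  run "$PIV_TOOL" -k -a generate -s "$1" -A ECCP256 \
      --pin-policy=once --touch-policy=always -o "pub-$1.pem" &&
  # Actions execute in the order given: verify-pin, then the self-signing.
  run "$PIV_TOOL" -a verify-pin -a selfsign-certificate -s "$1" \
      -S "$2" -i "pub-$1.pem" -o "cert-$1.pem" &&
  run "$PIV_TOOL" -k -a import-certificate -s "$1" -i "cert-$1.pem"
}

# Run only when called as: script SLOT SUBJECT
if [ "$#" -eq 2 ]; then provision "$1" "$2"; fi
```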

yubico-piv-tool 2.3.0               March 2022                YUBICO-PIV-TOOL(1)