1YUBICO-PIV-TOOL(1)               User Commands              YUBICO-PIV-TOOL(1)

NAME

6       yubico-piv-tool - Tool for managing Personal Identity Verification cre‐
7       dentials on Yubikeys
8

SYNOPSIS

10       yubico-piv-tool [OPTION]...
11

DESCRIPTION

13       -h, --help
14              Print help and exit
15
16       --full-help
17              Print help, including hidden options, and exit
18
19       -V, --version
20              Print version and exit
21
22       -v, --verbose[=INT]
23              Print more information  (default=`0')
24
25       -r, --reader=STRING
26              Only use a matching reader  (default=`Yubikey')
27
28       -k, --key[=STRING]
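29              Management key to use; if no value is specified, the key will be asked for
30              (default=`010203040506070801020304050607080102030405060708'). This default is
31              publicly documented, so a device that still uses it should be given a new key with the set-mgm-key action.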
32
33       -a, --action=ENUM
34              Action  to   take    (possible   values="version",   "generate",
35              "set-mgm-key",   "reset",   "pin-retries",   "import-key",  "im‐
36              port-certificate",  "set-chuid",  "request-certificate",   "ver‐
37              ify-pin",   "change-pin",  "change-puk",  "unblock-pin",  "self‐
38              sign-certificate",   "delete-certificate",   "read-certificate",
39              "status",   "test-signature",  "test-decipher",  "list-readers",
40              "set-ccc", "write-object", "read-object", "attest")
41
42              Multiple actions may be given at once and will be executed in
43              order, for example:
44              --action=verify-pin --action=request-certificate
45
46       -s, --slot=ENUM
47              What key slot to operate on  (possible values="9a", "9c",  "9d",
48              "9e",  "82",  "83",  "84",  "85",  "86", "87", "88", "89", "8a",
49              "8b", "8c", "8d", "8e", "8f",  "90",  "91",  "92",  "93",  "94",
50              "95", "f9")
51
52              9a is for PIV Authentication; 9c is for Digital Signature (PIN
53              always checked); 9d is for Key Management; 9e is for Card
54              Authentication (PIN never checked); 82-95 are for Retired Key
55              Management; f9 is for Attestation.
56
57       -A, --algorithm=ENUM
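58              What algorithm to use  (possible values="RSA1024", "RSA2048", "ECCP256", "ECCP384"
59              default=`RSA2048'). RSA1024 is below the key size generally recommended today; prefer the default or an ECC option for new keys.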
60
61       -H, --hash=ENUM
62              Hash to use for signatures  (possible values="SHA1", "SHA256", "SHA384", "SHA512"
63              default=`SHA256'). SHA1 is no longer considered collision-resistant; use it only where a relying party requires it.
64
65       -n, --new-key=STRING
66              New management key to use for action set-mgm-key, if omitted key
67              will be asked for
68
69       --pin-retries=INT
70              Number of retries before the pin code is blocked
71
72       --puk-retries=INT
73              Number of retries before the puk code is blocked
74
75       -i, --input=STRING
76              Filename to use as input, - for stdin  (default=`-')
77
78       -o, --output=STRING
79              Filename to use as output, - for stdout (default=`-')
80
81       -K, --key-format=ENUM
82              Format  of  the  key being read/written  (possible values="PEM",
83              "PKCS12", "GZIP", "DER", "SSH" default=`PEM')
84
85       -p, --password=STRING
86              Password for decryption of private key file, if omitted password
87              will be asked for
88
89       -S, --subject=STRING
90              The subject to use for certificate request
91
92              The    subject    must    be    written    as:    /CN=host.exam‐
93              ple.com/OU=test/O=example.com/
94
95       --serial=INT
96              Serial number of the self-signed certificate
97
98       --valid-days=INT
99              Time (in days) until the self-signed certificate  expires   (de‐
100              fault=`365')
101
102       -P, --pin=STRING
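103              PIN/PUK code for verification; if omitted, the PIN/PUK will be asked for. A secret given on the command line can be
104              recorded in shell history and shown in the process list, so prefer the prompt; the same applies to --key, --new-key, --password and --new-pin.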
105
106       -N, --new-pin=STRING
107              New pin/puk code for changing, if omitted pin/puk will be  asked
108              for
109
110       --pin-policy=ENUM
111              Set  pin  policy for action generate or import-key.  Only avail‐
112              able on YubiKey 4  (possible values="never", "once", "always")
113
114       --touch-policy=ENUM
115              Set touch policy for action generate, import-key or set-mgm-key.
116              Only  available on YubiKey 4 (possible values="never", "always",
117              "cached")
118
119       --id=INT
120              Id of object for write/read object
121
122       -f, --format=ENUM
123              Format of data for write/read  object   (possible  values="hex",
124              "base64", "binary" default=`hex')
125
126       --attestation
127              Add attestation cross-signature  (default=off)
128
129       -m, --new-key-algo=ENUM
130              New  management  key  algorithm  to  use  for action set-mgm-key
131              (possible  values="TDES",  "AES128",  "AES192",   "AES256"   de‐
132              fault=`TDES')
136yubico-piv-tool 2.3.0              July 2022                YUBICO-PIV-TOOL(1)