p11tool(1) General Commands Manual p11tool(1)
NAME
p11tool - Manipulate PKCS #11 tokens.
SYNOPSIS
p11tool [options]
DESCRIPTION
Export/import data from PKCS #11 tokens. To use PKCS #11 tokens with gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and
contain a number of lines of the form "load=/usr/lib/opensc-pkcs11.so".
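Each load= line names a shared library that is loaded into the process using gnutls, so the files it points at run with that user's privileges. The following check is an added example, not part of gnutls or of this manual; it assumes lines are written exactly as load=PATH, and the function names audit_pkcs11_conf and make_sample are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the gnutls distribution).
# audit_pkcs11_conf FILE: check every module named by a "load=" line.
# Assumes each entry is written exactly as load=PATH on its own line.
# Prints one verdict per module; returns 1 if any entry is suspect.
audit_pkcs11_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "NOCONF $conf"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            load=*) mod=${line#load=} ;;
            *) continue ;;
        esac
        case $mod in
            /*) ;;
            *) echo "RELATIVE $mod"; rc=1; continue ;;
        esac
        if [ ! -f "$mod" ]; then
            echo "MISSING $mod"; rc=1
        # -H follows a symlinked module; the path is printed only if
        # the group-write or other-write bit is set on the target.
        elif [ -n "$(find -H "$mod" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $mod"; rc=1
        else
            echo "OK $mod"
        fi
    done < "$conf"
    return "$rc"
}

# Constructed sample: a scratch directory with empty stand-in module
# files and a pkcs11.conf that refers to them. Prints the directory.
make_sample() {
    d=$(mktemp -d)
    : > "$d/good.so";  chmod 644 "$d/good.so"
    : > "$d/loose.so"; chmod 666 "$d/loose.so"
    printf 'load=%s\n' "$d/good.so" "$d/loose.so" "$d/absent.so" \
        "opensc-pkcs11.so" > "$d/pkcs11.conf"
    echo "$d"
}

# Stand-alone use: sh audit.sh /etc/gnutls/pkcs11.conf
if [ "$#" -gt 0 ]; then audit_pkcs11_conf "$1"; fi
```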
OPTIONS
Program control options
-d, --debug LEVEL
Specify the debug level. Default is 1.
-h, --help
Shows this help text
Generic options
--login
Force login to the token for the intended operation.
--provider MODULE
In addition to /etc/gnutls/pkcs11.conf, load the specified module.
--outfile FILE
Print output to FILE.
--inder, --inraw
Input is DER formatted.
Getting information on available X.509 certificates
--list-tokens
Prints all available tokens.
--initialize URL
Initializes (formats) the token specified by the URL. Note that several tokens do not support this facility.
Getting information on available X.509 certificates
--list-all-certs
Prints all available certificates.
--list-certs
Prints all certificates that have a corresponding private key stored in the token.
--list-trusted
Prints all certificates that have been marked as trusted.
Getting information on private keys
--list-privkeys
Prints all available private keys.
Handling generic objects
--export URL
Exports the object (e.g. certificate) specified by the URL.
--delete URL
Deletes the object specified by the URL. Note that several tokens do not support deletion.
--detailed-url
When printing URLs, print them in a detailed form that includes details of the PKCS #11 module used.
--no-detailed-url
When printing URLs, do not print details on the module used.
Storing objects
--write URL
Flag to set when writing an object. Requires one of --load-privkey, --load-pubkey, --load-certificate or --secret-key options.
--load-privkey
Load a private key for the write operations.
--load-pubkey
Load an X.509 subjectPublicKey for the write operation.
--load-certificate
Load an X.509 certificate for the write operation.
--secret-key
Specify a hex encoded secret key for the write operation.
--trusted
The object stored will be marked as trusted.
--label
The label of the object stored.
Controlling output
-8, --pkcs8
Use PKCS #8 format for private keys.
EXAMPLES
To store a private key and certificate, run:
$ p11tool --login --write "pkcs11:XXX" --load-privkey key.pem --label "MyKey"
$ p11tool --login --write "pkcs11:XXX" --load-certificate cert.pem --label "MyCert"
To view all objects in a token, use:
$ p11tool --login --list-all
AUTHOR
Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.
November 11th 2010 p11tool(1)
PKCS11-TOOL(1) OpenSC tools PKCS11-TOOL(1)
NAME
pkcs11-tool - utility for managing and using PKCS #11 security tokens
SYNOPSIS
pkcs11-tool [OPTIONS]
DESCRIPTION
The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. Users can list and read
PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it.
OPTIONS
--login, -l
Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.
--pin pin, -p pin
Use the given pin for token operations. WARNING: Be careful using this option, as other users may be able to read the command line from
the system, or read the PIN if it is embedded in a script.
This option will also set the --login option.
--so-pin pin
Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). The same
warning as --pin also applies here.
--init-token
Initializes a token: set the token label as well as a Security Officer PIN (the label must be specified using --label).
--init-pin
Initializes the user PIN. This option differs from --change-pin in that it sets the user PIN for the first time. Once set, the user PIN
can be changed using --change-pin.
--change-pin, -c
Change the user PIN on the token.
--test, -t
Performs some tests on the token. This option is most useful when used with either --login or --pin.
--show-info, -I
Displays general token information.
--list-slots, -L
Displays a list of available slots on the token.
--list-mechanisms, -M
Displays a list of mechanisms supported by the token.
--list-objects, -O
Displays a list of objects.
--sign, -s
Sign some data.
--hash, -h
Hash some data.
--mechanism mechanism, -m mechanism
Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token.
--keypairgen, -k
Generate a new key pair (a public and private pair).
--write-object path, -w path
Write a key or certificate object to the token. path points to the DER-encoded certificate or key file.
--type type, -y type
Specify the type of object to operate on. Examples are cert, privkey and pubkey.
--id id, -d id
Specify the id of the object to operate on.
--label name, -a name
Specify the name of the object to operate on (or the token label when --init-token is used).
--slot id
Specify the id of the slot to use.
--slot-description description
Specify the description of the slot to use.
--slot-index index
Specify the index of the slot to use.
--token-label label
Specify the label of the token. The first slot that has an inserted token with this label will be used.
--set-id id, -e id
Set the CKA_ID of the object.
--attr-from path
Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the
token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute.
--input-file path, -i path
Specify the path to a file for input.
--output-file path, -o path
Specify the path to a file for output.
--module mod
Specify a PKCS#11 module (or library) to load.
--moz-cert path, -z path
Tests a Mozilla-like keypair generation and certificate request. Specify the path to the certificate file.
--verbose, -v
Causes pkcs11-tool to be more verbose.
NB! This does not affect OpenSC debugging level! To set OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG environment
variable to a non-zero number.
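The warning given for --pin and --so-pin can be turned into a check over shell scripts. The following is an added example, not part of OpenSC; the function names and the sample script (with placeholder PINs) are constructed for illustration, and the match is a line-based heuristic.

```shell
#!/bin/sh
# Added example (not part of OpenSC).
# find_cmdline_pins FILE...: print "file:line: option" for each
# pkcs11-tool invocation that passes a PIN as a command-line argument.
# A PIN passed through a variable is reported too, because it still
# ends up on the command line at run time. The PIN is never printed.
find_cmdline_pins() {
    for f in "$@"; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }                # ignore comment lines
            /pkcs11-tool/ {
                for (i = 1; i <= NF; i++) {
                    opt = $i
                    sub(/=.*$/, "", opt)       # --pin=VALUE -> --pin
                    if (opt == "--pin" || opt == "--so-pin")
                        printf "%s:%d: %s\n", file, NR, opt
                    else if (opt ~ /^-p/)      # -p VALUE or -pVALUE
                        printf "%s:%d: -p\n", file, NR
                }
            }' "$f"
    done
}

# Constructed sample script; the PIN values are placeholders.
# Prints the path of the temporary file it creates.
make_sample_script() {
    s=$(mktemp)
    cat > "$s" <<'EOF'
#!/bin/sh
# constructed sample for the scanner
pkcs11-tool --login --list-objects
pkcs11-tool --pin 000000 --sign -i data.bin -o sig.bin
# pkcs11-tool --pin 000000 --test
pkcs11-tool --init-token --label demo --so-pin=00000000
pkcs11-tool -p "$PIN" -O
EOF
    echo "$s"
}

# Stand-alone use: sh scan.sh deploy.sh backup.sh
if [ "$#" -gt 0 ]; then find_cmdline_pins "$@"; fi
```

Invocations that use --login without --pin are not reported, since the PIN is then not an argument.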
opensc 06/03/2012 PKCS11-TOOL(1)