PKCS11-TOOL(1)
NAME
pkcs11-tool - utility for managing and using PKCS #11 security tokens
SYNOPSIS
pkcs11-tool [OPTIONS]
DESCRIPTION
The pkcs11-tool utility is used to manage the data objects on smart
cards and similar PKCS #11 security tokens. Users can list and read
PINs, keys and certificates stored on the token. User PIN
authentication is performed for those operations that require it.
OPTIONS
- --login, -l
- Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.
- --pin pin, -p pin
- Use the given pin for token operations. WARNING: Be careful using
this option as other users may be able to read the command line
from the system or if it is embedded in a script. This option will also set the --login option.
- --so-pin pin
- Use the given pin as the Security Officer PIN for some token
operations (token initialization, user PIN initialization, etc).
The same warning as --pin also applies here.
- --init-token
- Initializes a token: set the token label as well as a Security
Officer PIN (the label must be specified using --label).
- --init-pin
- Initializes the user PIN. This option differs from --change-pin in
that it sets the user PIN for the first time. Once set, the user
PIN can be changed using --change-pin.
- --change-pin, -c
- Change the user PIN on the token.
- --test, -t
- Performs some tests on the token. This option is most useful when
used with either --login or --pin.
- --show-info, -I
- Displays general token information.
- --list-slots, -L
- Displays a list of available slots on the token.
- --list-mechanisms, -M
- Displays a list of mechanisms supported by the token.
- --list-objects, -O
- Displays a list of objects.
- --sign, -s
- Sign some data.
- --hash, -h
- Hash some data.
- --mechanism mechanism, -m mechanism
- Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token.
- --keypairgen, -k
- Generate a new key pair (public and private pair).
- --write-object id, -w id
- Write a key or certificate object to the token.
- --type type, -y type
- Specify the type of object to operate on. Examples are cert, privkey and pubkey.
- --id id, -d id
- Specify the id of the object to operate on.
- --label name, -a name
- Specify the name of the object to operate on (or the token label
when --init-token is used).
- --slot id
- Specify the id of the slot to use.
- --slot-id name
- Specify the name of the slot to use.
- --set-id id, -e id
- Set the CKA_ID of the object.
- --attr-from path
- Extract information from path (DER-encoded certificate file) and
create the corresponding attributes when writing an object to the
token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute.
- --input-file path, -i path
- Specify the path to a file for input.
- --output-file path, -o path
- Specify the path to a file for output.
- --module mod
- Specify a PKCS#11 module (or library) to load.
- --moz-cert path, -z path
- Tests a Mozilla-like keypair generation and certificate request.
Specify the path to the certificate file.
- --verbose, -v
- Causes pkcs11-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.
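
The warning under --pin and --so-pin, as an added example (not part of the original manual or of OpenSC): a shell check that flags pkcs11-tool command lines carrying a PIN in their arguments, run here over constructed sample lines. The module path, PIN values and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: find pkcs11-tool invocations that pass a PIN as an argument.

# Constructed sample: command lines as they might appear in process-list
# output or in a script under review. Paths and PIN values are made up.
sample_cmdlines() {
cat <<'EOF'
pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --list-objects
pkcs11-tool --module /usr/lib/opensc-pkcs11.so --pin 123456 --sign -m RSA-PKCS -i in.bin -o sig.bin
/usr/bin/pkcs11-tool --init-token --label demo --so-pin 87654321
pkcs11-tool -l -O
pkcs11-tool -p 123456 -t
pkcs11-tool --pin=123456 --list-objects
pkcs11-tool --login --change-pin
sshd: user@pts/0
EOF
}

# Reads command lines on stdin, one per line, and reports each pkcs11-tool
# invocation that supplies --pin, -p or --so-pin with a value.
find_pin_on_cmdline() {
    awk '
    {
        # Only consider lines whose command is pkcs11-tool (with or without a path).
        if ($1 !~ /(^|\/)pkcs11-tool$/) next
        hit = ""
        for (i = 2; i <= NF; i++) {
            if (($i == "--pin" || $i == "-p" || $i == "--so-pin") && i < NF) {
                hit = $i                      # option followed by its value
            } else if ($i ~ /^--(so-)?pin=/) {
                hit = $i; sub(/=.*/, "", hit) # --pin=value form
            }
            if (hit != "") break
        }
        # Report the option name only; the PIN value is never printed.
        if (hit != "") printf "line %d: %s given on command line\n", NR, hit
    }'
}

# Number of offending invocations on stdin.
count_pin_exposures() {
    find_pin_on_cmdline | wc -l | tr -d ' '
}

sample_cmdlines | find_pin_on_cmdline
```

Invocations that use --login alone are not reported, since the PIN is then not passed as an argument.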