pkcs11-tool1openscpkcs11-toolutility for managing and using PKCS #11 security tokensSynopsispkcs11-tool [OPTIONS]
Description
The pkcs11-tool utility is used to manage the
data objects on smart cards and similar PKCS #11 security tokens.
Users can list and read PINs, keys and certificates stored on the
token. User PIN authentication is performed for those operations
that require it.
OptionsAuthenticate to the token before performing
other operations. This option is not needed if a PIN is
provided on the command line.pin,
pinUse the given pin for
token operations. WARNING: Be careful using this option
as other users may be able to read the command line from
the system or if it is embedded in a script.This option will also set
the option.pinUse the given pin as the
Security Officer PIN for some token operations (token
initialization, user PIN initialization, etc). The same
warning as also applies here.Initializes a token: set the token label as
well as a Security Officer PIN (the label must be specified
using ).Initializes the user PIN. This option
differs from --change-pin in that it sets the user PIN
for the first time. Once set, the user PIN can be changed
using .Change the user PIN on the tokenPerforms some tests on the token. This
option is most useful when used with either
or .Displays general token information.Displays a list of available slots on the token.Displays a list of mechanisms supported by the token.Displays a list of objects.Sign some data.Hash some data.mechanism,
mechanismUse the specified mechanism
for token operations. See for a list
of mechanisms supported by your token.Generate a new key pair (public and private pair.)id,
idWrite a key or certificate object to the token.type,
typeSpecify the type of object to operate on.
Examples are cert, privkey
and pubkey.id,
idSpecify the id of the object to operate on.name,
nameSpecify the name of the object to operate on
(or the token label when
is used).idSpecify the id of the slot to use.nameSpecify the name of the slot to use.id,
idSet the CKA_ID of the object.pathExtract information from path
(DER-encoded certificate file) and create the corresponding
attributes when writing an object to the token. Example: the
certificate subject name is used to create the CKA_SUBJECT
attribute.path,
pathSpecify the path to a file for input.path,
pathSpecify the path to a file for output.modSpecify a PKCS#11 module (or library) to
load.path,
pathTests a Mozilla-like keypair generation
and certificate request. Specify the path
to the certificate file.Causes pkcs11-tool to be
more verbose.NB! This does not affect
OpenSC debugging level! To set OpenSC PKCS#11 module into debug
mode, set the OPENSC_DEBUG environment variable to a
non-zero number.See alsoopensc(7)