

CentOS 7.0 - man page for p11tool (centos section 1)



p11tool(1)				  User Commands 			       p11tool(1)

NAME
       p11tool - GnuTLS PKCS #11 tool

SYNOPSIS
       p11tool [-flag [value]]... [--opt-name[[=| ]value]]... [url]

       Operands and options may be intermixed.	They will be reordered.

DESCRIPTION
       Program that allows handling data from PKCS #11 smart cards and security modules.

       To use PKCS #11 tokens with gnutls the configuration file /etc/gnutls/pkcs11.conf has to
       exist and contain a number of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.
       Alternatively the p11-kit configuration files have to be set up.

       To provide the PIN for all the operations below use the environment variable GNUTLS_PIN.
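
       Every module named by a load= line is loaded into the process that later receives the
       PIN, so the paths in pkcs11.conf are worth checking. The shell function below is an added
       example, not part of the original man page or of GnuTLS; treating '#' lines as comments
       and the sample file names are assumptions.

```shell
#!/bin/bash
# Added example: audit the providers named in a GnuTLS pkcs11.conf.
# Each load= module runs inside the process that later receives the PIN.

# Prints one OK/WARN line per entry; return status = number of warnings.
audit_pkcs11_conf() {
    local conf="$1" warnings=0 line path
    [ -r "$conf" ] || { echo "WARN cannot read $conf"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        # Assumption: blank lines and '#' comment lines are ignorable.
        case "$line" in
            ''|'#'*) continue ;;
            load=*)  path="${line#load=}" ;;
            *)       echo "WARN unrecognised line: $line"
                     warnings=$((warnings + 1)); continue ;;
        esac
        if [ "${path#/}" = "$path" ]; then
            echo "WARN relative provider path: $path"
        elif [ ! -f "$path" ]; then
            echo "WARN provider missing: $path"
        elif [ -n "$(find -L "$path" -maxdepth 0 -perm /022)" ]; then
            echo "WARN provider writable by group or others: $path"
        else
            echo "OK   $path"; continue
        fi
        warnings=$((warnings + 1))
    done < "$conf"
    return "$warnings"
}

# Constructed sample input (not a real system configuration).
demo=$(mktemp -d)
touch "$demo/good.so" "$demo/loose.so"
chmod 755 "$demo/good.so"
chmod 777 "$demo/loose.so"
printf 'load=%s\n' "$demo/good.so" "$demo/loose.so" "$demo/missing.so" \
    > "$demo/pkcs11.conf"
audit_pkcs11_conf "$demo/pkcs11.conf" || echo "$? problem(s) found"
rm -rf "$demo"
```

       On a real system the function would be pointed at /etc/gnutls/pkcs11.conf.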

OPTIONS
       -d number, --debug=number
	      Enable debugging.  This option takes an integer number as its argument.  The value
	      of number is constrained to being:
		  in the range	0 through 9999

	      Specifies the debug level.

       --outfile=string
	      Output file.

       --list-tokens
	      List all available tokens.

       --export
	      Export the object specified by the URL.

       --list-mechanisms
	      List all available mechanisms in a token.

       --list-all
	      List all available objects in a token.

       --list-all-certs
	      List all available certificates in a token.

       --list-certs
	      List all certificates that have an associated private key.

       --list-all-privkeys
	      List all available private keys in a token.

       --list-all-trusted
	      List all available certificates marked as trusted.

       --initialize
	      Initializes a PKCS #11 token.

       --write
	      Writes the loaded objects to a PKCS #11 token.

	      It can be used to write private keys, certificates or secret keys to a token.

       --delete
	      Deletes the objects matching the PKCS #11 URL.

       --generate-rsa
	      Generate an RSA private-public key pair.

	      Generates an RSA private-public key pair on the specified token.

       --generate-dsa
	      Generate a DSA private-public key pair.

	      Generates a DSA private-public key pair on the specified token.

       --generate-ecc
	      Generate an ECC private-public key pair.

	      Generates an ECC private-public key pair on the specified token.

       --label=string
	      Sets a label for the write operation.

       --trusted, --no-trusted
	      Marks the object to be written as trusted.  The no-trusted form will disable the
	      option.

       --private, --no-private
	      Marks the object to be written as private.  The no-private form will disable the
	      option.  This option is enabled by default.

	      The written object will require a PIN to be used.

       --login, --no-login
	      Force login to token.  The no-login form will disable the option.

       --detailed-url, --no-detailed-url
	      Print detailed URLs.  The no-detailed-url form will disable the option.

       --secret-key=string
	      Provide a hex encoded secret key.

       --load-privkey=file
	      Private key file to use.

       --load-pubkey=file
	      Public key file to use.

       --load-certificate=file
	      Certificate file to use.

       -8, --pkcs8
	      Use PKCS #8 format for private keys.

       --bits=number
	      Specify the number of bits for key generation.  This option takes an integer number
	      as its argument.

       --sec-param=security parameter
	      Specify the security level.

	      This is an alternative to the bits option. Available options are [low, legacy,
	      normal, high, ultra].

       --inder, --no-inder
	      Use DER/RAW format for input.  The no-inder form will disable the option.

	      Use DER/RAW format for input certificates and private keys.

       --inraw
	      This is an alias for the --inder option.

       --provider=file
	      Specify the PKCS #11 provider library.

	      This will override the default options in /etc/gnutls/pkcs11.conf.

       -h, --help
	      Display usage information and exit.

       -!, --more-help
	      Pass the extended usage information through a pager.

       -v [{v|c|n}], --version[={v|c|n}]
	      Output version of program and exit.  The default mode is `v', a simple version.
	      The `c' mode will print copyright information and `n' will print the full copyright
	      notice.

EXAMPLES
       To view all tokens in your system use:
	   $ p11tool --list-tokens

       To view all objects in a token use:
	   $ p11tool --login --list-all "pkcs11:TOKEN-URL"

       To store a private key and a certificate in a token run:
	   $ p11tool --login --write "pkcs11:URL" --load-privkey key.pem --label "Mykey"
	   $ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem --label "Mykey"
       Note that some tokens require the same label to be used for the certificate and its
       corresponding private key.

       To generate an RSA private key inside the token use:
	   $ p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
       The bits parameter in the above example is explicitly set because some tokens only support
       a limited number of bits. The output file is the corresponding public key. This key can be
       used to generate a certificate request with certtool.
	   $ certtool --generate-request --load-privkey "pkcs11:KEY-URL" --load-pubkey MyNewKey.pub --outfile request.pem

EXIT STATUS
       One of the following exit values will be returned:

       0 (EXIT_SUCCESS)
	      Successful program execution.

       1 (EXIT_FAILURE)
	      The operation failed or the command syntax was not valid.

       70 (EX_SOFTWARE)
	      libopts had an internal operational error.  Please report it to
	      autogen-users@lists.sourceforge.net.  Thank you.

SEE ALSO
	   certtool(1)

AUTHORS
       Nikos Mavrogiannopoulos, Simon Josefsson and others; see /usr/share/doc/gnutls-bin/AUTHORS
       for a complete list.

COPYRIGHT
       Copyright (C) 2000-2012 Free Software Foundation all rights reserved.  This program is
       released under the terms of the GNU General Public License, version 3 or later.

BUGS
       Please send bug reports to: bugs@gnutls.org

NOTES
       This manual page was AutoGen-erated from the p11tool option definitions.

3.1.18					   20 Dec 2013				       p11tool(1)