Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

pkcs11-tool(1) [centos man page]

PKCS11-TOOL(1)							   OpenSC Tools 						    PKCS11-TOOL(1)

pkcs11-tool - utility for managing and using PKCS #11 security tokens SYNOPSIS
The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it. OPTIONS
--attr-from path Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute. --change-pin, -c Change the user PIN on the token --hash, -h Hash some data. --id id, -d id Specify the id of the object to operate on. --init-pin Initializes the user PIN. This option differs from --change-pin in that it sets the user PIN for the first time. Once set, the user PIN can be changed using --change-pin. --init-token Initialize a token: set the token label as well as a Security Officer PIN (the label must be specified using --label). --input-file path, -i path Specify the path to a file for input. --keypairgen, -k Generate a new key pair (public and private pair.) --label name, -a name Specify the name of the object to operate on (or the token label when --init-token is used). --list-mechanisms, -M Display a list of mechanisms supported by the token. --list-objects, -O Display a list of objects. --list-slots, -L Display a list of available slots on the token. --login, -l Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line. --mechanism mechanism, -m mechanism Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token. --module mod Specify a PKCS#11 module (or library) to load. --moz-cert path, -z path Test a Mozilla-like keypair generation and certificate request. Specify the path to the certificate file. --output-file path, -o path Specify the path to a file for output. --pin pin, -p pin Use the given pin for token operations. WARNING: Be careful using this option as other users may be able to read the command line from the system or if it is embedded in a script. This option will also set the --login option. --set-id id, -e id Set the CKA_ID of the object. --show-info, -I Display general token information. --sign, -s Sign some data. --slot id Specify the id of the slot to use. --slot-description description Specify the description of the slot to use. --slot-index index Specify the index of the slot to use. --token-label label Specify the label of token. Will be used the first slot, that has the inserted token with this label. --so-pin pin Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). The same warning as --pin also applies here. --test, -t Perform some tests on the token. This option is most useful when used with either --login or --pin. --type type, -y type Specify the type of object to operate on. Examples are cert, privkey and pubkey. --verbose, -v Cause pkcs11-tool to be more verbose. NB! This does not affect OpenSC debugging level! To set OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG environment variable to a non-zero number. --write-object id, -w path Write a key or certificate object to the token. path points to the DER-encoded certificate or key file. opensc 06/17/2014 PKCS11-TOOL(1)

Check Out this Related Man Page

SOFTHSM(1)						      General Commands Manual							SOFTHSM(1)

softhsm - support tool for libsofthsm SYNOPSIS
softhsm --show-slots softhsm --init-token --slot number --label text [--so-pin PIN --pin PIN] softhsm --import path [--file-pin PIN] --slot number --pin PIN --label text --id hex softhsm --export path [--file-pin PIN] --slot number --pin PIN --id hex softhsm --optimize --slot number --pin PIN softhsm --trusted bool --slot number [--so-pin PIN] --type text [--label text || --id hex] DESCRIPTION
softhsm is a support tool for libsofthsm. Read the sections below to get more information on the libsofthsm and PKCS#11. Most applica- tions assumes that the token they want to use is already initialized. It is then up to the user to initialize the PKCS#11 token. This is done by using the PKCS#11 interface, but instead of writing your own tool you can use the softhsm tool. Keys are usually created directly in the token, but the user may want to use an existing key pair. Keys can be imported to a token by using the PKCS#11 interface, but this tool can also be used if the user has the key pair in a PKCS#8 file. If you need to convert keys from BIND .private-key format over to PKCS#8, one can use softhsm-keyconv. A key may not always be exportable through the PKCS#11 interface, but the export command can pull the key data directly from the token database. The libary libsofthsm, known as SoftHSM, provides cryptographic functionality by using the PKCS#11 API. It was developed as a part of the OpenDNSSEC project, thus designed to meet the requirements of OpenDNSSEC, but can also work together with other software that want to use the functionality of the PKCS#11 API. SoftHSM is a software implementation of a generic cryptographic device with a PKCS#11 interface. These devices are often called tokens. Read in the manual softhsm.conf(5) on how to create these tokens and how they are added to a slot in SoftHSM. The PKCS#11 API can be used to handle and store cryptographic keys. This interface specifies how to communicate with cryptographic devices such as HSMs (Hardware Security Modules) and smart cards. The purpose of these devices is, among others, to generate cryptographic keys and sign information without revealing private-key material to the outside world. They are often designed to perform well on these spe- cific tasks compared to ordinary processes in a normal computer. OPTIONS
--show-slots Display all the available slots and their current status. --init-token Initialize the token at a given slot. If the token is already initialized then this command will reinitialize it, thus erasing all the objects in the token. The matching Security Officer (SO) PIN must also be provided when doing reinitialization. Use with --slot, --label. --so-pin, and --pin. --import path Import a key pair from the given path. The file must be in PKCS#8-format. Use with --file-pin, --slot, --pin, --label, and --id. --export path Export a key pair to the given path. The file will be written in PKCS#8-format. Cannot be used in combination with --module, since the keys are extracted from the SoftHSM database, thus not using PKCS#11. Use with --file-pin, --slot, --pin, and --id. --optimize Clean up leftovers (session objects in the database) from applications that haven't closed down properly. Cannot be used in combina- tion with --module. Use with --slot and --pin. --trusted bool Mark the object as trusted. true or false. Use with --slot, --so-pin, --type, and ( --id, or --label). --file-pin PIN The PIN will be used to encrypt or decrypt the PKCS#8 file depending if we are writing or reading. If not given then the PKCS#8 file is assumed to be unencrypted. --force Use this option to override the warnings and force the given action. --help, -h Show the help information. --id hex Choose an ID of the key pair. The ID is in hexadecimal with a variable length. Use with --force when importing a key pair if the ID already exists. --label text Defines the label of the object or the token. --module path Use another PKCS#11 library than SoftHSM. --pin PIN The PIN for the normal user. --slot number The slot where the token is located. --so-pin PIN The PIN for the Security Officer (SO). --type text The type of object. CKO_PUBLIC_KEY or CKO_CERTIFICATE. --version, -v Show the version info. EXAMPLES
The token can be initialized using this command: softhsm --init-token --slot 1 --label "A token" A key pair can be imported using the softhsm tool where you specify the path to the key file, slot number, label and ID of the new objects, and the user PIN. The file must be in PKCS#8 format. softhsm --import key1.pem --slot 1 --label "My key" --id A1B2 --pin 123456 (Add, --file-pin PIN, if the key file is encrypted.) All keys can be exported from the token database by using the softhsm tool. The file will be exported in PKCS#8 format. softhsm --export key2.pem --slot 1 --id A1B2 --pin 123456 (Add, --file-pin PIN, if you want to output an encrypted file.) A token can be backed up by issuing the command: sqlite3 <PATH TO YOUR TOKEN> ".backup copy.db" Move the file "copy.db" to a secure location. To restore the token, just copy the file back to the system and add it to a slot in the con- figuration (softhsm.conf). ENVIRONMENT
SOFTHSM_CONF When defined, the value will be used as path to the configuration file. FILES
/etc/softhsm/softhsm.conf This configuration file handles the slots and the tokens. See softhsm.conf(5) for more information. AUTHOR
Written by Rickard Bellgrim. SEE ALSO
softhsm-keyconv(1), softhsm.conf(5) SoftHSM 13 June 2011 SOFTHSM(1)
Man Page