@node p11tool Invocation
@subsection Invoking p11tool
@pindex p11tool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-p11tool.texi)
#
# It has been AutoGen-ed
# From the definitions ../src/p11tool-args.def
# and the template file agtexi-cmd.tpl
@end ignore


Program that allows operations on PKCS #11 smart cards
and security modules.

To use PKCS #11 tokens with GnuTLS, the p11-kit configuration files need to be set up.
That is, create a .module file in /etc/pkcs11/modules with the contents 'module: /path/to/pkcs11.so'.
Alternatively, the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number
of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.

You can provide the PIN to be used for the PKCS #11 operations with the environment variables
GNUTLS_PIN and GNUTLS_SO_PIN.


This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{p11tool} program.
This software is released under the GNU General Public License, version 3 or later.


@anchor{p11tool usage}
@subheading p11tool help/usage (@option{--help})
@cindex p11tool help

This is the automatically generated usage text for p11tool.

The text printed is the same whether selected with the @code{help} option
(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
the usage text by passing it through a pager program.
@code{more-help} is disabled on platforms without a working
@code{fork(2)} function. The @code{PAGER} environment variable is
used to select the program, defaulting to @file{more}. Both will exit
with a status code of 0.

@exampleindent 0
@example
p11tool - GnuTLS PKCS #11 tool
Usage:  p11tool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [url]


Tokens:

       --list-tokens              List all available tokens
       --list-token-urls          List the URLs available tokens
       --list-mechanisms          List all available mechanisms in a token
       --initialize               Initializes a PKCS #11 token
       --initialize-pin           Initializes/Resets a PKCS #11 token user PIN
       --initialize-so-pin        Initializes/Resets a PKCS #11 token security officer PIN.
       --set-pin=str              Specify the PIN to use on token operations
       --set-so-pin=str           Specify the Security Officer's PIN to use on token initialization

Object listing:

       --list-all                 List all available objects in a token
       --list-all-certs           List all available certificates in a token
       --list-certs               List all certificates that have an associated private key
       --list-all-privkeys        List all available private keys in a token
       --list-privkeys            an alias for the 'list-all-privkeys' option
       --list-keys                an alias for the 'list-all-privkeys' option
       --list-all-trusted         List all available certificates marked as trusted
       --export                   Export the object specified by the URL
                                - prohibits these options:
                                export-stapled
                                export-chain
                                export-pubkey
       --export-stapled           Export the certificate object specified by the URL
                                - prohibits these options:
                                export
                                export-chain
                                export-pubkey
       --export-chain             Export the certificate specified by the URL and its chain of trust
                                - prohibits these options:
                                export-stapled
                                export
                                export-pubkey
       --export-pubkey            Export the public key for a private key
                                - prohibits these options:
                                export-stapled
                                export
                                export-chain
       --info                     List information on an available object in a token
       --trusted                  an alias for the 'mark-trusted' option
       --distrusted               an alias for the 'mark-distrusted' option

Key generation:

       --generate-privkey=str     Generate private-public key pair of given type
       --bits=num                 Specify the number of bits for the key generate
       --curve=str                Specify the curve used for EC key generation
       --sec-param=str            Specify the security level

Writing objects:

       --set-id=str               Set the CKA_ID (in hex) for the specified by the URL object
                                - prohibits the option 'write'
       --set-label=str            Set the CKA_LABEL for the specified by the URL object
                                - prohibits these options:
                                write
                                set-id
       --write                    Writes the loaded objects to a PKCS #11 token
       --delete                   Deletes the objects matching the given PKCS #11 URL
       --label=str                Sets a label for the write operation
       --id=str                   Sets an ID for the write operation
       --mark-wrap                Marks the generated key to be a wrapping key
                                - disabled as '--no-mark-wrap'
       --mark-trusted             Marks the object to be written as trusted
                                - prohibits the option 'mark-distrusted'
                                - disabled as '--no-mark-trusted'
       --mark-distrusted          When retrieving objects, it requires the objects to be distrusted
                                (blacklisted)
                                - prohibits the option 'mark-trusted'
       --mark-decrypt             Marks the object to be written for decryption
                                - disabled as '--no-mark-decrypt'
       --mark-sign                Marks the object to be written for signature generation
                                - disabled as '--no-mark-sign'
       --mark-ca                  Marks the object to be written as a CA
                                - disabled as '--no-mark-ca'
       --mark-private             Marks the object to be written as private
                                - disabled as '--no-mark-private'
       --ca                       an alias for the 'mark-ca' option
       --private                  an alias for the 'mark-private' option
       --secret-key=str           Provide a hex encoded secret key
       --load-privkey=file        Private key file to use
                                - file must pre-exist
       --load-pubkey=file         Public key file to use
                                - file must pre-exist
       --load-certificate=file    Certificate file to use
                                - file must pre-exist

Other options:

   -d, --debug=num                Enable debugging
                                - it must be in the range:
                                0 to 9999
       --outfile=str              Output file
       --login                    Force (user) login to token
                                - disabled as '--no-login'
       --so-login                 Force security officer login to token
                                - disabled as '--no-so-login'
       --admin-login              an alias for the 'so-login' option
       --test-sign                Tests the signature operation of the provided object
       --sign-params=str          Sign with a specific signature algorithm
       --hash=str                 Hash algorithm to use for signing
       --generate-random=num      Generate random data
   -8, --pkcs8                    Use PKCS #8 format for private keys
       --inder                    Use DER/RAW format for input
                                - disabled as '--no-inder'
       --inraw                    an alias for the 'inder' option
       --outder                   Use DER format for output certificates, private keys, and DH parameters
                                - disabled as '--no-outder'
       --outraw                   an alias for the 'outder' option
       --provider=file            Specify the PKCS #11 provider library
       --detailed-url             Print detailed URLs
                                - disabled as '--no-detailed-url'
       --only-urls                Print a compact listing using only the URLs
       --batch                    Disable all interaction with the tool

Version, usage and configuration options:

   -v, --version[=arg]            output version information and exit
   -h, --help                     display extended usage information and exit
   -!, --more-help                extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
Operands and options may be intermixed. They will be reordered.

Program that allows operations on PKCS #11 smart cards and security
modules.

To use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to
be setup. That is create a .module file in /etc/pkcs11/modules with the
contents 'module: /path/to/pkcs11.so'. Alternatively the configuration
file /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of
the form 'load=/usr/lib/opensc-pkcs11.so'.

You can provide the PIN to be used for the PKCS #11 operations with the
environment variables GNUTLS_PIN and GNUTLS_SO_PIN.

@end example
@exampleindent 4

@anchor{p11tool token-related-options}
@subheading token-related-options options
Tokens.
@subsubheading list-token-urls option.
@anchor{p11tool list-token-urls}

This is the ``list the urls of available tokens'' option.
This is a more compact version of --list-tokens.
@subsubheading initialize-so-pin option.
@anchor{p11tool initialize-so-pin}

This is the ``initializes/resets a pkcs #11 token security officer pin.'' option.
This initializes the security officer's PIN. When used non-interactively, use the GNUTLS_NEW_SO_PIN
environment variable to initialize the SO's PIN.
@subsubheading set-pin option.
@anchor{p11tool set-pin}

This is the ``specify the pin to use on token operations'' option.
This option takes a string argument.
Alternatively, the GNUTLS_PIN environment variable may be used.
@subsubheading set-so-pin option.
@anchor{p11tool set-so-pin}

This is the ``specify the security officer's pin to use on token initialization'' option.
This option takes a string argument.
Alternatively, the GNUTLS_SO_PIN environment variable may be used.
@anchor{p11tool object-list-related-options}
@subheading object-list-related-options options
Object listing.
@subsubheading list-all option.
@anchor{p11tool list-all}

This is the ``list all available objects in a token'' option.
All objects available in the token will be listed. That includes
objects which are potentially inaccessible using this tool.
@subsubheading list-all-certs option.
@anchor{p11tool list-all-certs}

This is the ``list all available certificates in a token'' option.
That option will also provide more information on the
certificates, for example, expand the attached extensions in a trust
token (like p11-kit-trust).
@subsubheading list-certs option.
@anchor{p11tool list-certs}

This is the ``list all certificates that have an associated private key'' option.
That option will only display certificates which have a private
key associated with them (share the same ID).
@subsubheading list-all-privkeys option.
@anchor{p11tool list-all-privkeys}

This is the ``list all available private keys in a token'' option.
Lists all the private keys in a token that match the specified URL.
@subsubheading list-privkeys option.
@anchor{p11tool list-privkeys}

This is an alias for the @code{list-all-privkeys} option,
@pxref{p11tool list-all-privkeys, the list-all-privkeys option documentation}.

@subsubheading list-keys option.
@anchor{p11tool list-keys}

This is an alias for the @code{list-all-privkeys} option,
@pxref{p11tool list-all-privkeys, the list-all-privkeys option documentation}.

@subsubheading export-stapled option.
@anchor{p11tool export-stapled}

This is the ``export the certificate object specified by the url'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
export, export-chain, export-pubkey.
@end itemize

Exports the certificate specified by the URL, including any extensions attached to it.
Since attached extensions are a p11-kit extension, this option is only
available on p11-kit registered trust modules.
@subsubheading export-chain option.
@anchor{p11tool export-chain}

This is the ``export the certificate specified by the url and its chain of trust'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
export-stapled, export, export-pubkey.
@end itemize

Exports the certificate specified by the URL and generates its chain of trust based on the certificates stored in the module.
@subsubheading export-pubkey option.
@anchor{p11tool export-pubkey}

This is the ``export the public key for a private key'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
export-stapled, export, export-chain.
@end itemize

Exports the public key for the specified private key.
@subsubheading trusted option.
@anchor{p11tool trusted}

This is an alias for the @code{mark-trusted} option,
@pxref{p11tool mark-trusted, the mark-trusted option documentation}.

@subsubheading distrusted option.
@anchor{p11tool distrusted}

This is an alias for the @code{mark-distrusted} option,
@pxref{p11tool mark-distrusted, the mark-distrusted option documentation}.

@anchor{p11tool keygen-related-options}
@subheading keygen-related-options options
Key generation.
@subsubheading generate-privkey option.
@anchor{p11tool generate-privkey}

This is the ``generate private-public key pair of given type'' option.
This option takes a string argument.
Generates a private-public key pair in the specified token.
Acceptable types are RSA, ECDSA, Ed25519, and DSA. Should be combined with --sec-param or --bits.
@subsubheading generate-rsa option.
@anchor{p11tool generate-rsa}

This is the ``generate an rsa private-public key pair'' option.
Generates an RSA private-public key pair on the specified token.
Should be combined with --sec-param or --bits.

@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@subsubheading generate-dsa option.
@anchor{p11tool generate-dsa}

This is the ``generate a dsa private-public key pair'' option.
Generates a DSA private-public key pair on the specified token.
Should be combined with --sec-param or --bits.

@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@subsubheading generate-ecc option.
@anchor{p11tool generate-ecc}

This is the ``generate an ecdsa private-public key pair'' option.
Generates an ECDSA private-public key pair on the specified token.
Should be combined with --curve, --sec-param or --bits.

@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@subsubheading bits option.
@anchor{p11tool bits}

This is the ``specify the number of bits for the key to generate'' option.
This option takes a number argument.
For applications which have no key-size restrictions the
--sec-param option is recommended, as the sec-param levels will adapt
to the acceptable security levels with new versions of GnuTLS.
@subsubheading curve option.
@anchor{p11tool curve}

This is the ``specify the curve used for ec key generation'' option.
This option takes a string argument.
Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.
@subsubheading sec-param option.
@anchor{p11tool sec-param}

This is the ``specify the security level'' option.
This option takes a string argument @file{Security parameter}.
This is an alternative to the bits option. Available options are [low, legacy, medium, high, ultra].
@anchor{p11tool write-object-related-options}
@subheading write-object-related-options options
Writing objects.
@subsubheading set-id option.
@anchor{p11tool set-id}

This is the ``set the cka_id (in hex) for the object specified by the url'' option.
This option takes a string argument.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
write.
@end itemize

Modifies or sets the CKA_ID of the object specified by the URL. The ID should be specified in hexadecimal format without a '0x' prefix.
@subsubheading set-label option.
@anchor{p11tool set-label}

This is the ``set the cka_label for the object specified by the url'' option.
This option takes a string argument.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
write, set-id.
@end itemize

Modifies or sets the CKA_LABEL of the object specified by the URL.
@subsubheading write option.
@anchor{p11tool write}

This is the ``writes the loaded objects to a pkcs #11 token'' option.
It can be used to write private keys, public keys, certificates or secret keys to a token. Must be combined with
one of the --load-privkey, --load-pubkey or --load-certificate options.
@subsubheading id option.
@anchor{p11tool id}

This is the ``sets an id for the write operation'' option.
This option takes a string argument.
Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.
@subsubheading mark-wrap option.
@anchor{p11tool mark-wrap}

This is the ``marks the generated key to be a wrapping key'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-mark-wrap.
@end itemize

Marks the generated key with the CKA_WRAP flag.
@subsubheading mark-trusted option.
@anchor{p11tool mark-trusted}

This is the ``marks the object to be written as trusted'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-mark-trusted.
@item
must not appear in combination with any of the following options:
mark-distrusted.
@end itemize

Marks the object to be generated/written with the CKA_TRUST flag.
@subsubheading mark-distrusted option.
@anchor{p11tool mark-distrusted}

This is the ``when retrieving objects, it requires the objects to be distrusted (blacklisted)'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must not appear in combination with any of the following options:
mark-trusted.
@end itemize

Ensures that the objects retrieved have the CKA_X_TRUST flag.
This is a p11-kit trust module extension, so this flag is only valid with
p11-kit registered trust modules.
@subsubheading mark-decrypt option.
@anchor{p11tool mark-decrypt}

This is the ``marks the object to be written for decryption'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-mark-decrypt.
@end itemize

Marks the object to be generated/written with the CKA_DECRYPT flag set to true.
@subsubheading mark-sign option.
@anchor{p11tool mark-sign}

This is the ``marks the object to be written for signature generation'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-mark-sign.
@end itemize

Marks the object to be generated/written with the CKA_SIGN flag set to true.
@subsubheading mark-ca option.
@anchor{p11tool mark-ca}

This is the ``marks the object to be written as a ca'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-mark-ca.
@end itemize

Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA.
@subsubheading mark-private option.
@anchor{p11tool mark-private}

This is the ``marks the object to be written as private'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-mark-private.
@end itemize

Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used.
@subsubheading ca option.
@anchor{p11tool ca}

This is an alias for the @code{mark-ca} option,
@pxref{p11tool mark-ca, the mark-ca option documentation}.

@subsubheading private option.
@anchor{p11tool private}

This is an alias for the @code{mark-private} option,
@pxref{p11tool mark-private, the mark-private option documentation}.

@subsubheading secret-key option.
@anchor{p11tool secret-key}

This is the ``provide a hex encoded secret key'' option.
This option takes a string argument.
This secret key will be written to the module if --write is specified.
@anchor{p11tool other-options}
|
|
Packit |
aea12f |
@subheading other-options options
|
|
Packit |
aea12f |
Other options.
|
|
Packit |
aea12f |
@subsubheading debug option (-d).
|
|
Packit |
aea12f |
@anchor{p11tool debug}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
This is the ``enable debugging'' option.
|
|
Packit |
aea12f |
This option takes a number argument.
|
|
Packit |
aea12f |
Specifies the debug level.
|
|
Packit |
aea12f |
@subsubheading so-login option.
|
|
Packit |
aea12f |
@anchor{p11tool so-login}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
This is the ``force security officer login to token'' option.
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
@noindent
|
|
Packit |
aea12f |
This option has some usage constraints. It:
|
|
Packit |
aea12f |
@itemize @bullet
|
|
Packit |
aea12f |
@item
|
|
Packit |
aea12f |
can be disabled with --no-so-login.
|
|
Packit |
aea12f |
@end itemize
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
Forces login to the token as security officer (admin).
@subsubheading admin-login option.
@anchor{p11tool admin-login}

This is an alias for the @code{so-login} option,
@pxref{p11tool so-login, the so-login option documentation}.

@subsubheading test-sign option.
@anchor{p11tool test-sign}

This is the ``tests the signature operation of the provided object'' option.
It can be used to check that the token performs the signing operation correctly.
If both a private and a public key are available this operation will sign and verify
the signed data. Combine it with --hash and --sign-params to control the digest and, for RSA keys, the RSA-PSS variant.
@subsubheading sign-params option.
@anchor{p11tool sign-params}

This is the ``sign with a specific signature algorithm'' option.
This option takes a string argument.
This option can be combined with --test-sign, to sign with
a specific signature algorithm variant. The only value supported is 'RSA-PSS'; it must be
specified in order to use RSA-PSS signatures with RSA keys. Without it, RSA keys are tested with the default RSA (PKCS #1 v1.5) scheme.
@subsubheading hash option.
@anchor{p11tool hash}

This is the ``hash algorithm to use for signing'' option.
This option takes a string argument.
This option can be combined with --test-sign. Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512. SHA1 and RMD160 are kept for compatibility with older tokens only and should not be used for new signatures.
@subsubheading generate-random option.
@anchor{p11tool generate-random}

This is the ``generate random data'' option.
This option takes a number argument.
Asks the token to generate the given number of random bytes using the token's own random number generator.
@subsubheading inder option.
@anchor{p11tool inder}

This is the ``use der/raw format for input'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-inder.
@end itemize

Use DER/RAW format for input certificates and private keys instead of the default PEM.
@subsubheading inraw option.
@anchor{p11tool inraw}

This is an alias for the @code{inder} option,
@pxref{p11tool inder, the inder option documentation}.

@subsubheading outder option.
@anchor{p11tool outder}

This is the ``use der format for output certificates, private keys, and dh parameters'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-outder.
@end itemize

The output will be in DER or RAW format instead of PEM.
@subsubheading outraw option.
@anchor{p11tool outraw}

This is an alias for the @code{outder} option,
@pxref{p11tool outder, the outder option documentation}.

@subsubheading provider option.
@anchor{p11tool provider}

This is the ``specify the pkcs #11 provider library'' option.
This option takes a file argument.
This will override the default options in /etc/gnutls/pkcs11.conf and use only the given module instead of those configured there.
@subsubheading provider-opts option.
@anchor{p11tool provider-opts}

This is the ``specify parameters for the pkcs #11 provider library'' option.
This option takes a string argument.
This is a PKCS #11 internal option used by a few modules,
mainly for testing PKCS #11 modules.

@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}
@subsubheading batch option.
@anchor{p11tool batch}

This is the ``disable all interaction with the tool'' option.
In batch mode there will be no prompts; all parameters need to be specified on the command line, and the PIN must be supplied through the GNUTLS_PIN or GNUTLS_SO_PIN environment variables. This is the mode to use from scripts and automation, where an interactive prompt would block.
@anchor{p11tool exit status}
@subheading p11tool exit status

One of the following exit values will be returned:
@table @samp
@item 0 (EXIT_SUCCESS)
Successful program execution.
@item 1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid.
@end table
@anchor{p11tool See Also}
@subheading p11tool See Also
certtool (1)
@anchor{p11tool Examples}
@subheading p11tool Examples
To view all tokens in your system use:
@example
$ p11tool --list-tokens
@end example

To view all objects in a token use:
@example
$ p11tool --login --list-all "pkcs11:TOKEN-URL"
@end example
The --login is needed to see private objects, which tokens hide until the user PIN has been supplied.

To store a private key and a certificate in a token run:
@example
$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
        --label "Mykey"
$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
        --label "Mykey"
@end example
Note that some tokens require the same label to be used for the certificate
and its corresponding private key.

To generate an RSA private key inside the token use:
@example
$ p11tool --login --generate-privkey rsa --bits 2048 --label "MyNewKey" \
        --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
@end example
The bits parameter in the above example is explicitly set because some
tokens only support limited choices in the bit length; 1024-bit RSA keys are no
longer considered secure, so use 2048 bits or more where the token allows it. The output file is the
corresponding public key. This key can be used to generate a certificate
request with certtool.
@example
$ certtool --generate-request --load-privkey "pkcs11:KEY-URL" \
        --load-pubkey MyNewKey.pub --outfile request.pem
@end example
|
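The following script is an added example, not part of the GnuTLS manual or of p11tool itself. It ties the --test-sign, --hash and --sign-params options described above to the provisioning steps shown in these examples: generate the key in the token, build the CSR with certtool, import the issued certificate under the same label, and then prove the key works with a signature self-test. The P11TOOL, CERTTOOL, PROVIDER, TOKEN_URL, LABEL and BITS variables, the helper function names, and the object URL built from the label (RFC 7512 attributes) are this example's own assumptions; the PIN is expected in GNUTLS_PIN as the manual describes, never on the command line, and every call runs in --batch mode so a missing PIN fails instead of hanging on a prompt.

```bash
#!/bin/sh
# Added example, not part of GnuTLS or p11tool: a scripted version of the
# provisioning flow from the p11tool Examples section.  Variable names,
# function names and the object URL built from the label are assumptions
# of this example; override them from the environment as needed.

P11TOOL="${P11TOOL:-p11tool}"            # point at a stub to dry-run the flow
CERTTOOL="${CERTTOOL:-certtool}"
PROVIDER="${PROVIDER:-}"                 # e.g. /usr/lib/opensc-pkcs11.so; empty = p11-kit config
TOKEN_URL="${TOKEN_URL:-pkcs11:token=MyToken}"
LABEL="${LABEL:-MyNewKey}"
BITS="${BITS:-2048}"                     # 1024-bit RSA is no longer acceptable

# Every call runs in --batch mode so a missing PIN is an error, not a prompt.
# The PIN itself comes from GNUTLS_PIN (or GNUTLS_SO_PIN for --so-login);
# it is never placed on the command line, where ps would show it.
p11() {
    if [ -n "$PROVIDER" ]; then
        "$P11TOOL" --batch --provider "$PROVIDER" "$@"
    else
        "$P11TOOL" --batch "$@"
    fi
}

# Accept only digest names the --hash option documents, and refuse the two
# legacy ones so a typo cannot silently fall back to a weak digest.
valid_hash() {
    case "$1" in
        SHA256|SHA384|SHA512|SHA3-224|SHA3-256|SHA3-384|SHA3-512) return 0 ;;
        SHA1|RMD160) echo "refusing legacy digest $1" >&2; return 1 ;;
        *) echo "unknown digest $1" >&2; return 1 ;;
    esac
}

# PKCS #11 URI of the private key created under a label (RFC 7512 attributes).
key_url() {
    printf '%s;object=%s;type=private\n' "$TOKEN_URL" "$1"
}

# Step 1: generate the RSA key pair in the token; the public half is written
# to a file because certtool may not be able to read it from the token later.
generate_key() {   # label pubkey-file
    p11 --login --generate-privkey rsa --bits "$BITS" --label "$1" \
        --outfile "$2" "$TOKEN_URL"
}

# Step 2: build the CSR with certtool, signing with the token-resident key.
make_request() {   # label pubkey-file csr-file
    "$CERTTOOL" --generate-request --load-privkey "$(key_url "$1")" \
        --load-pubkey "$2" --outfile "$3"
}

# Step 3: import the issued certificate under the SAME label as the key,
# which some tokens require in order to pair the two objects.
store_cert() {     # label cert-file
    p11 --login --write --load-certificate "$2" --label "$1" "$TOKEN_URL"
}

# Step 4: prove the key works by signing and verifying through the token.
# Pass RSA-PSS as the third argument to exercise the PSS variant; without it
# an RSA key is tested with the default PKCS #1 v1.5 scheme.
test_sign() {      # label hash [RSA-PSS]
    valid_hash "$2" || return 1
    if [ -n "${3:-}" ]; then
        p11 --login --test-sign --hash "$2" --sign-params "$3" "$(key_url "$1")"
    else
        p11 --login --test-sign --hash "$2" "$(key_url "$1")"
    fi
}

# Usage (PIN in the environment, not on the command line):
#   GNUTLS_PIN=1234 sh provision.sh generate          -> key in token, MyNewKey.pub, MyNewKey.csr
#   GNUTLS_PIN=1234 sh provision.sh install cert.pem  -> import cert, then self-test with RSA-PSS
case "${1:-}" in
    generate) generate_key "$LABEL" "$LABEL.pub" && make_request "$LABEL" "$LABEL.pub" "$LABEL.csr" ;;
    install)  store_cert "$LABEL" "$2" && test_sign "$LABEL" SHA256 RSA-PSS ;;
esac
```

Because the tool binaries and provider path are variables, the same functions can be exercised against a stub before touching a real token, and a failing self-test after import shows up as a non-zero exit status the calling pipeline can act on.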