|
Packit Service |
4684c1 |
.de1 NOP
. it 1 an-trap
. if \\n[.$] \,\\$*\/
..
.ie t \
.ds B-Font [CB]
.ds I-Font [CI]
.ds R-Font [CR]
.el \
.ds B-Font B
.ds I-Font I
.ds R-Font R
.TH p11tool 1 "03 Jun 2020" "3.6.14" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
.\" It has been AutoGen-ed
.\" From the definitions ../../src/p11tool-args.def.tmp
.\" and the template file agman-cmd.tpl
.SH NAME
\f\*[B-Font]p11tool\fP
\- GnuTLS PKCS #11 tool
.SH SYNOPSIS
\f\*[B-Font]p11tool\fP
.\" Mixture of short (flag) options and long options
[\f\*[B-Font]\-flags\f[]]
[\f\*[B-Font]\-flag\f[] [\f\*[I-Font]value\f[]]]
[\f\*[B-Font]\-\-option-name\f[][[=| ]\f\*[I-Font]value\f[]]]
[url]
.sp \n(Ppu
.ne 2

Operands and options may be intermixed. They will be reordered.
.sp \n(Ppu
.ne 2

.SH "DESCRIPTION"
Program that allows operations on PKCS #11 smart cards
and security modules.
.sp
To use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to be set up.
That is, create a .module file in /etc/pkcs11/modules with the contents 'module: /path/to/pkcs11.so'.
Alternatively the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number
of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.
.sp
You can provide the PIN to be used for the PKCS #11 operations with the environment variables
GNUTLS_PIN and GNUTLS_SO_PIN.
.sp
.SH "OPTIONS"
.SS "Tokens"
.TP
.NOP \f\*[B-Font]\-\-list\-tokens\f[]
List all available tokens.
.sp
.TP
.NOP \f\*[B-Font]\-\-list\-token\-urls\f[]
List the URLs of available tokens.
.sp
This is a more compact version of \--list-tokens.
.TP
.NOP \f\*[B-Font]\-\-list\-mechanisms\f[]
List all available mechanisms in a token.
.sp
.TP
.NOP \f\*[B-Font]\-\-initialize\f[]
Initializes a PKCS #11 token.
.sp
.TP
.NOP \f\*[B-Font]\-\-initialize\-pin\f[]
Initializes/Resets a PKCS #11 token user PIN.
.sp
.TP
.NOP \f\*[B-Font]\-\-initialize\-so\-pin\f[]
Initializes/Resets a PKCS #11 token security officer PIN.
.sp
This initializes the security officer's PIN. When used non-interactively use the GNUTLS_NEW_SO_PIN
environment variable to initialize the SO's PIN.
.TP
.NOP \f\*[B-Font]\-\-set\-pin\f[]=\f\*[I-Font]string\f[]
Specify the PIN to use on token operations.
.sp
Alternatively the GNUTLS_PIN environment variable may be used.
.TP
.NOP \f\*[B-Font]\-\-set\-so\-pin\f[]=\f\*[I-Font]string\f[]
Specify the Security Officer's PIN to use on token initialization.
.sp
Alternatively the GNUTLS_SO_PIN environment variable may be used.
.SS "Object listing"
.TP
.NOP \f\*[B-Font]\-\-list\-all\f[]
List all available objects in a token.
.sp
All objects available in the token will be listed. That includes
objects which are potentially inaccessible using this tool.
.TP
.NOP \f\*[B-Font]\-\-list\-all\-certs\f[]
List all available certificates in a token.
.sp
That option will also provide more information on the
certificates, for example, expand the attached extensions in a trust
token (like p11-kit-trust).
.TP
.NOP \f\*[B-Font]\-\-list\-certs\f[]
List all certificates that have an associated private key.
.sp
That option will only display certificates which have a private
key associated with them (share the same ID).
.TP
.NOP \f\*[B-Font]\-\-list\-all\-privkeys\f[]
List all available private keys in a token.
.sp
Lists all the private keys in a token that match the specified URL.
.TP
.NOP \f\*[B-Font]\-\-list-privkeys\f[]
This is an alias for the \fI--list-all-privkeys\fR option.
.TP
.NOP \f\*[B-Font]\-\-list-keys\f[]
This is an alias for the \fI--list-all-privkeys\fR option.
.TP
.NOP \f\*[B-Font]\-\-list\-all\-trusted\f[]
List all available certificates marked as trusted.
.sp
.TP
.NOP \f\*[B-Font]\-\-export\f[]
Export the object specified by the URL.
This option must not appear in combination with any of the following options:
export-stapled, export-chain, export-pubkey.
.sp
.TP
.NOP \f\*[B-Font]\-\-export\-stapled\f[]
Export the certificate object specified by the URL.
This option must not appear in combination with any of the following options:
export, export-chain, export-pubkey.
.sp
Exports the certificate specified by the URL while including any attached extensions to it.
Since attached extensions are a p11-kit extension, this option is only
available on p11-kit registered trust modules.
.TP
.NOP \f\*[B-Font]\-\-export\-chain\f[]
Export the certificate specified by the URL and its chain of trust.
This option must not appear in combination with any of the following options:
export-stapled, export, export-pubkey.
.sp
Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.
.TP
.NOP \f\*[B-Font]\-\-export\-pubkey\f[]
Export the public key for a private key.
This option must not appear in combination with any of the following options:
export-stapled, export, export-chain.
.sp
Exports the public key for the specified private key.
.TP
.NOP \f\*[B-Font]\-\-info\f[]
List information on an available object in a token.
.sp
.TP
.NOP \f\*[B-Font]\-\-trusted\f[]
This is an alias for the \fI--mark-trusted\fR option.
.TP
.NOP \f\*[B-Font]\-\-distrusted\f[]
This is an alias for the \fI--mark-distrusted\fR option.
.SS "Key generation"
.TP
.NOP \f\*[B-Font]\-\-generate\-privkey\f[]=\f\*[I-Font]string\f[]
Generate private-public key pair of given type.
.sp
Generates a private-public key pair in the specified token.
Acceptable types are RSA, ECDSA, Ed25519, and DSA. Should be combined with \--sec-param or \--bits.
.TP
.NOP \f\*[B-Font]\-\-generate\-rsa\f[]
Generate an RSA private-public key pair.
.sp
Generates an RSA private-public key pair on the specified token.
Should be combined with \--sec-param or \--bits.
.sp
.B
NOTE: THIS OPTION IS DEPRECATED
.TP
.NOP \f\*[B-Font]\-\-generate\-dsa\f[]
Generate a DSA private-public key pair.
.sp
Generates a DSA private-public key pair on the specified token.
Should be combined with \--sec-param or \--bits.
.sp
.B
NOTE: THIS OPTION IS DEPRECATED
.TP
.NOP \f\*[B-Font]\-\-generate\-ecc\f[]
Generate an ECDSA private-public key pair.
.sp
Generates an ECDSA private-public key pair on the specified token.
Should be combined with \--curve, \--sec-param or \--bits.
.sp
.B
NOTE: THIS OPTION IS DEPRECATED
.TP
.NOP \f\*[B-Font]\-\-bits\f[]=\f\*[I-Font]number\f[]
Specify the number of bits for key generation.
This option takes an integer number as its argument.
.sp
For applications which have no key-size restrictions the
--sec-param option is recommended, as the sec-param levels will adapt
to the acceptable security levels with the new versions of gnutls.
.TP
.NOP \f\*[B-Font]\-\-curve\f[]=\f\*[I-Font]string\f[]
Specify the curve used for EC key generation.
.sp
Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.
.TP
.NOP \f\*[B-Font]\-\-sec\-param\f[]=\f\*[I-Font]security\f[] \f\*[I-Font]parameter\f[]
Specify the security level.
.sp
This is an alternative to the bits option. Available options are [low, legacy, medium, high, ultra].
.SS "Writing objects"
.TP
.NOP \f\*[B-Font]\-\-set\-id\f[]=\f\*[I-Font]string\f[]
Set the CKA_ID (in hex) for the object specified by the URL.
This option must not appear in combination with any of the following options:
write.
.sp
Modifies or sets the CKA_ID in the object specified by the URL. The ID should be specified in hexadecimal format without a '0x' prefix.
.TP
.NOP \f\*[B-Font]\-\-set\-label\f[]=\f\*[I-Font]string\f[]
Set the CKA_LABEL for the object specified by the URL.
This option must not appear in combination with any of the following options:
write, set-id.
.sp
Modifies or sets the CKA_LABEL in the object specified by the URL.
.TP
.NOP \f\*[B-Font]\-\-write\f[]
Writes the loaded objects to a PKCS #11 token.
.sp
It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
one of the \--load-privkey, \--load-pubkey, \--load-certificate options.
.TP
.NOP \f\*[B-Font]\-\-delete\f[]
Deletes the objects matching the given PKCS #11 URL.
.sp
.TP
.NOP \f\*[B-Font]\-\-label\f[]=\f\*[I-Font]string\f[]
Sets a label for the write operation.
.sp
.TP
.NOP \f\*[B-Font]\-\-id\f[]=\f\*[I-Font]string\f[]
Sets an ID for the write operation.
.sp
Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.
.TP
.NOP \f\*[B-Font]\-\-mark\-wrap\f[], \f\*[B-Font]\-\-no\-mark\-wrap\f[]
Marks the generated key to be a wrapping key.
The \fIno\-mark\-wrap\fP form will disable the option.
.sp
Marks the generated key with the CKA_WRAP flag.
.TP
.NOP \f\*[B-Font]\-\-mark\-trusted\f[], \f\*[B-Font]\-\-no\-mark\-trusted\f[]
Marks the object to be written as trusted.
The \fIno\-mark\-trusted\fP form will disable the option.
This option must not appear in combination with any of the following options:
mark-distrusted.
.sp
Marks the object to be generated/written with the CKA_TRUST flag.
.TP
.NOP \f\*[B-Font]\-\-mark\-distrusted\f[]
When retrieving objects, it requires the objects to be distrusted (blacklisted).
This option must not appear in combination with any of the following options:
mark-trusted.
.sp
Ensures that the objects retrieved have the CKA_X_TRUST flag.
This is a p11-kit trust module extension, thus this flag is only valid with
p11-kit registered trust modules.
.TP
.NOP \f\*[B-Font]\-\-mark\-decrypt\f[], \f\*[B-Font]\-\-no\-mark\-decrypt\f[]
Marks the object to be written for decryption.
The \fIno\-mark\-decrypt\fP form will disable the option.
.sp
Marks the object to be generated/written with the CKA_DECRYPT flag set to true.
.TP
.NOP \f\*[B-Font]\-\-mark\-sign\f[], \f\*[B-Font]\-\-no\-mark\-sign\f[]
Marks the object to be written for signature generation.
The \fIno\-mark\-sign\fP form will disable the option.
.sp
Marks the object to be generated/written with the CKA_SIGN flag set to true.
.TP
.NOP \f\*[B-Font]\-\-mark\-ca\f[], \f\*[B-Font]\-\-no\-mark\-ca\f[]
Marks the object to be written as a CA.
The \fIno\-mark\-ca\fP form will disable the option.
.sp
Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA.
.TP
.NOP \f\*[B-Font]\-\-mark\-private\f[], \f\*[B-Font]\-\-no\-mark\-private\f[]
Marks the object to be written as private.
The \fIno\-mark\-private\fP form will disable the option.
.sp
Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used.
.TP
.NOP \f\*[B-Font]\-\-ca\f[]
This is an alias for the \fI--mark-ca\fR option.
.TP
.NOP \f\*[B-Font]\-\-private\f[]
This is an alias for the \fI--mark-private\fR option.
.TP
.NOP \f\*[B-Font]\-\-secret\-key\f[]=\f\*[I-Font]string\f[]
Provide a hex encoded secret key.
.sp
This secret key will be written to the module if \--write is specified.
.TP
.NOP \f\*[B-Font]\-\-load\-privkey\f[]=\f\*[I-Font]file\f[]
Private key file to use.
.sp
.TP
.NOP \f\*[B-Font]\-\-load\-pubkey\f[]=\f\*[I-Font]file\f[]
Public key file to use.
.sp
.TP
.NOP \f\*[B-Font]\-\-load\-certificate\f[]=\f\*[I-Font]file\f[]
Certificate file to use.
.sp
.SS "Other options"
.TP
.NOP \f\*[B-Font]\-d\f[] \f\*[I-Font]number\f[], \f\*[B-Font]\-\-debug\f[]=\f\*[I-Font]number\f[]
Enable debugging.
This option takes an integer number as its argument.
The value of
\f\*[I-Font]number\f[]
is constrained to being:
.in +4
.nf
.na
in the range 0 through 9999
.fi
.in -4
.sp
Specifies the debug level.
.TP
.NOP \f\*[B-Font]\-\-outfile\f[]=\f\*[I-Font]string\f[]
Output file.
.sp
.TP
.NOP \f\*[B-Font]\-\-login\f[], \f\*[B-Font]\-\-no\-login\f[]
Force (user) login to token.
The \fIno\-login\fP form will disable the option.
.sp
.TP
.NOP \f\*[B-Font]\-\-so\-login\f[], \f\*[B-Font]\-\-no\-so\-login\f[]
Force security officer login to token.
The \fIno\-so\-login\fP form will disable the option.
.sp
Forces login to the token as security officer (admin).
.TP
.NOP \f\*[B-Font]\-\-admin-login\f[]
This is an alias for the \fI--so-login\fR option.
.TP
.NOP \f\*[B-Font]\-\-test\-sign\f[]
Tests the signature operation of the provided object.
.sp
It can be used to test the correct operation of the signature operation.
If both a private and a public key are available this operation will sign and verify
the signed data.
.TP
.NOP \f\*[B-Font]\-\-sign\-params\f[]=\f\*[I-Font]string\f[]
Sign with a specific signature algorithm.
.sp
This option can be combined with \--test-sign, to sign with
a specific signature algorithm variant. The only option supported is 'RSA-PSS', and it should be
specified in order to use RSA-PSS signature on RSA keys.
.TP
.NOP \f\*[B-Font]\-\-hash\f[]=\f\*[I-Font]string\f[]
Hash algorithm to use for signing.
.sp
This option can be combined with test-sign. Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.
.TP
.NOP \f\*[B-Font]\-\-generate\-random\f[]=\f\*[I-Font]number\f[]
Generate random data.
This option takes an integer number as its argument.
.sp
Asks the token to generate the given number of random bytes.
.TP
.NOP \f\*[B-Font]\-8\f[], \f\*[B-Font]\-\-pkcs8\f[]
Use PKCS #8 format for private keys.
.sp
.TP
.NOP \f\*[B-Font]\-\-inder\f[], \f\*[B-Font]\-\-no\-inder\f[]
Use DER/RAW format for input.
The \fIno\-inder\fP form will disable the option.
.sp
Use DER/RAW format for input certificates and private keys.
.TP
.NOP \f\*[B-Font]\-\-inraw\f[]
This is an alias for the \fI--inder\fR option.
.TP
.NOP \f\*[B-Font]\-\-outder\f[], \f\*[B-Font]\-\-no\-outder\f[]
Use DER format for output certificates, private keys, and DH parameters.
The \fIno\-outder\fP form will disable the option.
.sp
The output will be in DER or RAW format.
.TP
.NOP \f\*[B-Font]\-\-outraw\f[]
This is an alias for the \fI--outder\fR option.
.TP
.NOP \f\*[B-Font]\-\-provider\f[]=\f\*[I-Font]file\f[]
Specify the PKCS #11 provider library.
.sp
This will override the default options in /etc/gnutls/pkcs11.conf.
.TP
.NOP \f\*[B-Font]\-\-provider\-opts\f[]=\f\*[I-Font]string\f[]
Specify parameters for the PKCS #11 provider library.
.sp
This is a PKCS#11 internal option used by few modules.
Mainly for testing PKCS#11 modules.
.sp
.B
NOTE: THIS OPTION IS DEPRECATED
.TP
.NOP \f\*[B-Font]\-\-detailed\-url\f[], \f\*[B-Font]\-\-no\-detailed\-url\f[]
Print detailed URLs.
The \fIno\-detailed\-url\fP form will disable the option.
.sp
.TP
.NOP \f\*[B-Font]\-\-only\-urls\f[]
Print a compact listing using only the URLs.
.sp
.TP
.NOP \f\*[B-Font]\-\-batch\f[]
Disable all interaction with the tool.
.sp
In batch mode there will be no prompts, all parameters need to be specified on the command line.
.TP
.NOP \f\*[B-Font]\-h\f[], \f\*[B-Font]\-\-help\f[]
Display usage information and exit.
.TP
.NOP \f\*[B-Font]\-\&!\f[], \f\*[B-Font]\-\-more-help\f[]
Pass the extended usage information through a pager.
.TP
.NOP \f\*[B-Font]\-v\f[] [{\f\*[I-Font]v|c|n\f[] \f\*[B-Font]\-\-version\f[] [{\f\*[I-Font]v|c|n\f[]}]}]
Output version of program and exit. The default mode is `v', a simple
version. The `c' mode will print copyright information and `n' will
print the full copyright notice.
.PP
.SH EXAMPLES
To view all tokens in your system use:
.br
.in +4
.nf
$ p11tool \-\-list\-tokens
.in -4
.fi
.sp
To view all objects in a token use:
.br
.in +4
.nf
$ p11tool \-\-login \-\-list\-all "pkcs11:TOKEN\-URL"
.in -4
.fi
.sp
To store a private key and a certificate in a token run:
.br
.in +4
.nf
$ p11tool \-\-login \-\-write "pkcs11:URL" \-\-load\-privkey key.pem \
\-\-label "Mykey"
$ p11tool \-\-login \-\-write "pkcs11:URL" \-\-load\-certificate cert.pem \
\-\-label "Mykey"
.in -4
.fi
Note that some tokens require the same label to be used for the certificate
and its corresponding private key.
.sp
To generate an RSA private key inside the token use:
.br
.in +4
.nf
$ p11tool \-\-login \-\-generate\-privkey rsa \-\-bits 1024 \-\-label "MyNewKey" \
\-\-outfile MyNewKey.pub "pkcs11:TOKEN\-URL"
.in -4
.fi
The bits parameter in the above example is explicitly set because some
tokens only support limited choices in the bit length. The output file is the
corresponding public key. This key can be used to generate a certificate
request with certtool.
.br
.in +4
.nf
certtool \-\-generate\-request \-\-load\-privkey "pkcs11:KEY\-URL" \
\-\-load\-pubkey MyNewKey.pub \-\-outfile request.pem
.in -4
.fi
.sp
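The option rules in this manual (mutually exclusive options, deprecated options, PIN handling, key size) can be checked before a p11tool command is run. The shell function below is an added example, not part of the GnuTLS distribution; its function names, finding codes, the 2048-bit minimum and the legacy-hash list are assumptions of the example.

```shell
#!/bin/sh
# Added example (not GnuTLS code): lint the arguments of a planned p11tool
# invocation against the rules stated in this manual page.
# Assumptions: the function names, the finding codes, MIN_KEY_BITS and the
# legacy-hash list are local policy choices of this sketch.

MIN_KEY_BITS=${MIN_KEY_BITS:-2048}

# _p11_has NAME: true if --NAME was seen on the command line being linted.
_p11_has() { case $_p11_seen in *" $1 "*) return 0 ;; esac; return 1; }

# lint_p11tool_args ARG...: ARG... is what would follow "p11tool".
# Prints one "CODE: message" line per finding and nothing for a clean command.
lint_p11tool_args() {
    _p11_seen=" "; _p11_type=""; _p11_bits=""; _p11_hash=""
    while [ $# -gt 0 ]; do
        opt=$1; val=""; shift
        case $opt in
            --*=*) val=${opt#*=}; opt=${opt%%=*} ;;   # --option=value form
        esac
        case $opt in                                  # --option value form
            --set-pin|--set-so-pin|--generate-privkey|--bits|--hash)
                if [ -z "$val" ] && [ $# -gt 0 ]; then val=$1; shift; fi ;;
        esac
        case $opt in                                  # aliases from the manual
            --trusted)    opt=--mark-trusted ;;
            --distrusted) opt=--mark-distrusted ;;
        esac
        case $opt in
            --set-pin|--set-so-pin)
                echo "PIN-ARGV: $opt exposes the PIN in the process list;" \
                     "use GNUTLS_PIN / GNUTLS_SO_PIN instead" ;;
            --generate-rsa) _p11_type=rsa; echo "DEPRECATED: $opt" ;;
            --generate-dsa) _p11_type=dsa; echo "DEPRECATED: $opt" ;;
            --generate-ecc|--provider-opts) echo "DEPRECATED: $opt" ;;
            --generate-privkey)
                _p11_type=$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') ;;
            --bits) _p11_bits=$val ;;
            --hash)
                _p11_hash=$(printf '%s' "$val" | tr '[:lower:]' '[:upper:]') ;;
        esac
        case $opt in
            --*) _p11_seen="$_p11_seen${opt#--} " ;;
        esac
    done

    # "must not appear in combination with" rules from the OPTIONS section.
    n=0
    for o in export export-stapled export-chain export-pubkey; do
        if _p11_has "$o"; then n=$((n + 1)); fi
    done
    if [ "$n" -gt 1 ]; then
        echo "EXCLUSIVE: only one of --export, --export-stapled," \
             "--export-chain, --export-pubkey may be given"
    fi
    if _p11_has mark-trusted && _p11_has mark-distrusted; then
        echo "EXCLUSIVE: --mark-trusted with --mark-distrusted"
    fi
    if _p11_has set-id && _p11_has write; then
        echo "EXCLUSIVE: --set-id with --write"
    fi
    if _p11_has set-label && { _p11_has write || _p11_has set-id; }; then
        echo "EXCLUSIVE: --set-label with --write or --set-id"
    fi

    # Key size: only compared for RSA/DSA, where --bits is the modulus size.
    case $_p11_type in
        rsa|dsa)
            case $_p11_bits in
                ''|*[!0-9]*) ;;                       # absent or not a number
                *)  if [ "$_p11_bits" -lt "$MIN_KEY_BITS" ]; then
                        echo "WEAK-KEY: --bits $_p11_bits is below" \
                             "$MIN_KEY_BITS; consider --sec-param"
                    fi ;;
            esac ;;
    esac
    case $_p11_hash in
        SHA1|RMD160) echo "LEGACY-HASH: --hash $_p11_hash" ;;
    esac
    return 0
}

# Constructed sample: the key-generation command from the EXAMPLES section.
lint_p11tool_args --login --generate-privkey rsa --bits 1024 \
    --label MyNewKey --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
```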
.SH "EXIT STATUS"
One of the following exit values will be returned:
.TP
.NOP 0 " (EXIT_SUCCESS)"
Successful program execution.
.TP
.NOP 1 " (EXIT_FAILURE)"
The operation failed or the command syntax was not valid.
.TP
.NOP 70 " (EX_SOFTWARE)"
libopts had an internal operational error. Please report
it to autogen-users@lists.sourceforge.net. Thank you.
.PP
.SH "SEE ALSO"
certtool (1)
.SH "AUTHORS"
Nikos Mavrogiannopoulos, Simon Josefsson and others; see /usr/share/doc/gnutls/AUTHORS for a complete list.
.SH "COPYRIGHT"
Copyright (C) 2000-2020 Free Software Foundation, and others all rights reserved.
This program is released under the terms of the GNU General Public License, version 3 or later.
.SH "BUGS"
Please send bug reports to: bugs@gnutls.org
.SH "NOTES"
This manual page was \fIAutoGen\fP-erated from the \fBp11tool\fP
option definitions.