p11tool --version (return code: 0)
p11tool 3.5.8
Copyright (C) 2000-2017 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>
Please send bug reports to: <bugs@gnutls.org>
p11tool --help (return code: 0)
p11tool - GnuTLS PKCS #11 tool
Usage: p11tool [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [url]
Tokens:
   --list-tokens             List all available tokens
   --list-token-urls         List the URLs available tokens
   --list-mechanisms         List all available mechanisms in a token
   --initialize              Initializes a PKCS #11 token
   --initialize-pin          Initializes/Resets a PKCS #11 token user PIN
   --initialize-so-pin       Initializes/Resets a PKCS #11 token security officer PIN
   --set-pin=str             Specify the PIN to use on token initialization
   --set-so-pin=str          Specify the Security Officer's PIN to use on token initialization

Object listing:
   --list-all                List all available objects in a token
   --list-all-certs          List all available certificates in a token
   --list-certs              List all certificates that have an associated private key
   --list-all-privkeys       List all available private keys in a token
   --list-privkeys           an alias for the 'list-all-privkeys' option
   --list-keys               an alias for the 'list-all-privkeys' option
   --list-all-trusted        List all available certificates marked as trusted
   --export                  Export the object specified by the URL
                               - prohibits these options:
                                 export-stapled
                                 export-chain
                                 export-pubkey
   --export-stapled          Export the certificate object specified by the URL
                               - prohibits these options:
                                 export
                                 export-chain
                                 export-pubkey
   --export-chain            Export the certificate specified by the URL and its chain of trust
                               - prohibits these options:
                                 export-stapled
                                 export
                                 export-pubkey
   --export-pubkey           Export the public key for a private key
                               - prohibits these options:
                                 export-stapled
                                 export
                                 export-chain
   --info                    List information on an available object in a token
   --trusted                 an alias for the 'mark-trusted' option
   --distrusted              an alias for the 'mark-distrusted' option

Key generation:
   --generate-rsa            Generate an RSA private-public key pair
   --generate-dsa            Generate a DSA private-public key pair
   --generate-ecc            Generate an ECDSA private-public key pair
   --bits=num                Specify the number of bits for the key generate
   --curve=str               Specify the curve used for EC key generation
   --sec-param=str           Specify the security level

Writing objects:
   --set-id=str              Set the CKA_ID (in hex) for the specified by the URL object
                               - prohibits the option 'write'
   --set-label=str           Set the CKA_LABEL for the specified by the URL object
                               - prohibits these options:
                                 write
                                 set-id
   --write                   Writes the loaded objects to a PKCS #11 token
   --delete                  Deletes the objects matching the given PKCS #11 URL
   --label=str               Sets a label for the write operation
   --id=str                  Sets an ID for the write operation
   --mark-wrap               Marks the generated key to be a wrapping key
                               - disabled as '--no-mark-wrap'
   --mark-trusted            Marks the object to be written as trusted
                               - prohibits the option 'mark-distrusted'
                               - disabled as '--no-mark-trusted'
   --mark-distrusted         When retrieving objects, it requires the objects to be distrusted
                             (blacklisted)
                               - prohibits the option 'mark-trusted'
   --mark-decrypt            Marks the object to be written for decryption
                               - disabled as '--no-mark-decrypt'
   --mark-sign               Marks the object to be written for signature generation
                               - disabled as '--no-mark-sign'
   --mark-ca                 Marks the object to be written as a CA
                               - disabled as '--no-mark-ca'
   --mark-private            Marks the object to be written as private
                               - disabled as '--no-mark-private'
   --ca                      an alias for the 'mark-ca' option
   --private                 an alias for the 'mark-private' option
   --secret-key=str          Provide a hex encoded secret key
   --load-privkey=file       Private key file to use
                               - file must pre-exist
   --load-pubkey=file        Public key file to use
                               - file must pre-exist
   --load-certificate=file   Certificate file to use
                               - file must pre-exist

Other options:
   -d, --debug=num           Enable debugging
                               - it must be in the range:
                                 0 to 9999
   --outfile=str             Output file
   --login                   Force (user) login to token
                               - disabled as '--no-login'
   --so-login                Force security officer login to token
                               - disabled as '--no-so-login'
   --admin-login             an alias for the 'so-login' option
   --test-sign               Tests the signature operation of the provided object
   --generate-random=num     Generate random data
   -8, --pkcs8               Use PKCS #8 format for private keys
   --inder                   Use DER/RAW format for input
                               - disabled as '--no-inder'
   --inraw                   an alias for the 'inder' option
   --outder                  Use DER format for output certificates, private keys, and DH parameters
                               - disabled as '--no-outder'
   --outraw                  an alias for the 'outder' option
   --provider=file           Specify the PKCS #11 provider library
   --detailed-url            Print detailed URLs
                               - disabled as '--no-detailed-url'
   --only-urls               Print a compact listing using only the URLs
   --batch                   Disable all interaction with the tool

Version, usage and configuration options:
   -v, --version[=arg]       output version information and exit
   -h, --help                display extended usage information and exit
   -!, --more-help           extended usage information passed thru pager
Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
Operands and options may be intermixed. They will be reordered.
Program that allows operations on PKCS #11 smart cards and security
modules.
To use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to
be set up. That is, create a .module file in /etc/pkcs11/modules with the
contents 'module: /path/to/pkcs11.so'. Alternatively, the configuration
file /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of
the form 'load=/usr/lib/opensc-pkcs11.so'.
You can provide the PIN to be used for the PKCS #11 operations with the
environment variables GNUTLS_PIN and GNUTLS_SO_PIN.
Please send bug reports to: <bugs@gnutls.org>