p11tool - GnuTLS PKCS #11 tool

p11tool [-flag [value]]... [--opt-name[[=| ]value]]... [url]

Program that allows handling data from PKCS #11 smart cards and security modules. To use PKCS #11 tokens with GnuTLS, the configuration file /etc/gnutls/pkcs11.conf has to exist and contain one or more lines of the form 'load=/usr/lib/opensc-pkcs11.so' (one per provider module).

-d number, --debug=number
    Enable debugging. This option takes an integer number as its argument, constrained to the range 0 through 9999, and specifies the debug level.
--list-tokens
    List all available tokens.
--export
    Export the object specified by the URL.
--list-mechanisms
    List all available mechanisms in a token.
--list-all
    List all available objects in a token.
--list-all-certs
    List all available certificates in a token.
--list-certs
    List all certificates that have an associated private key.
--list-all-privkeys
    List all available private keys in a token.
--list-all-trusted
    List all available certificates marked as trusted.
--initialize
    Initializes a PKCS #11 token.
--write
    Writes the loaded objects to a PKCS #11 token. It can be used to write private keys, certificates or secret keys to a token.
--delete
    Deletes the objects matching the PKCS #11 URL.
--generate-rsa
    Generates an RSA private-public key pair on the specified token.
--generate-dsa
    Generates a DSA private-public key pair on the specified token.
--generate-ecc
    Generates an ECC private-public key pair on the specified token.
--label=string
    Sets a label for the write operation.
--trusted, --no-trusted
    Marks the object to be written as trusted. The no-trusted form will disable the option.
--private, --no-private
    Marks the object to be written as private. The no-private form will disable the option. This option is enabled by default. The written object will require a PIN to be used.
--login, --no-login
    Force login to token. The no-login form will disable the option.
--detailed-url, --no-detailed-url
    Print detailed URLs. The no-detailed-url form will disable the option.
--secret-key=string
    Provide a hex encoded secret key.
--load-privkey=file
    Private key file to use.
--load-pubkey=file
    Public key file to use.
--load-certificate=file
    Certificate file to use.
-8, --pkcs8
    Use PKCS #8 format for private keys.
--bits=number
    Specify the number of bits for key generation. This option takes an integer number as its argument.
--sec-param=security parameter
    Specify the security level [low|legacy|normal|high|ultra]. This is an alternative to the bits option.
--inder, --no-inder
    Use DER/RAW format for input certificates and private keys. The no-inder form will disable the option.
--inraw
    This option has not been fully documented.
--provider=file
    Specify the PKCS #11 provider library. This will override the default options in /etc/gnutls/pkcs11.conf.
--outfile=string
    Output file.
-h, --help
    Display usage information and exit.
-!, --more-help
    Pass the extended usage information through a pager.
-v [{v|c|n}], --version[={v|c|n}]
    Output version of program and exit. The default mode is `v', a simple version. The `c' mode will print copyright information and `n' will print the full copyright notice.

To view all tokens in your system use:
    $ p11tool --list-tokens
To view all objects in a token use:
    $ p11tool --login --list-all "pkcs11:TOKEN-URL"
To store a private key and a certificate in a token run:
    $ p11tool --login --write "pkcs11:URL" --load-privkey key.pem --label "Mykey"
    $ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem --label "MyCert"
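The commands above take a PKCS #11 URL (RFC 7512) whose attribute values must be percent-encoded, so a token label containing a space or '#' (e.g. "PKCS#15 emulated") cannot be pasted in verbatim. As an added example, not part of the GnuTLS manual or its code, the following Python helper parses such a URL, reduces it to the token-identifying fields, rebuilds it with correct encoding, and emits the two write commands shown above with shell quoting; the sample URL and the "Example Ltd" token are constructed.

```python
"""Parse and build PKCS #11 URLs (RFC 7512) for p11tool command lines."""
import shlex
from urllib.parse import quote, unquote

# RFC 7512 puts these attributes in the query part (after "?"); all others
# are path attributes separated by ";".
QUERY_ATTRS = {"pin-value", "pin-source", "module-name", "module-path"}


def parse_pkcs11_url(url):
    """Split a pkcs11: URL into a dict of percent-decoded attribute values."""
    if not url.startswith("pkcs11:"):
        raise ValueError("not a PKCS #11 URL: %r" % url)
    path, _, query = url[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in filter(None, path.split(";") + query.split("&")):
        name, _, value = part.partition("=")
        attrs[name] = unquote(value)  # "%20" -> " ", "%23" -> "#"
    return attrs


def build_pkcs11_url(attrs):
    """Assemble a pkcs11: URL, percent-encoding every non-unreserved byte
    (RFC 7512 permits encoding more than the minimum, never less)."""
    enc = lambda k, v: k + "=" + quote(v, safe="")
    path = [enc(k, v) for k, v in attrs.items() if k not in QUERY_ATTRS]
    query = [enc(k, v) for k, v in attrs.items() if k in QUERY_ATTRS]
    url = "pkcs11:" + ";".join(path)
    return url + ("?" + "&".join(query) if query else "")


def token_url(attrs):
    """Keep only the fields that identify a token, i.e. the "pkcs11:TOKEN-URL"
    form used with --login --list-all above (object-level fields dropped)."""
    keep = ("model", "manufacturer", "serial", "token")
    return build_pkcs11_url({k: attrs[k] for k in keep if k in attrs})


def write_commands(url, key_path, cert_path, label):
    """Return the two p11tool --write command lines from the manual's example,
    shell-quoted so that URLs with ';' and labels with spaces survive."""
    base = ["p11tool", "--login", "--write", url]
    return [shlex.join(base + ["--load-privkey", key_path, "--label", label]),
            shlex.join(base + ["--load-certificate", cert_path, "--label", label])]


# Constructed sample: an object URL as --list-all --detailed-url might print it.
SAMPLE_URL = ("pkcs11:model=PKCS%2315%20emulated;manufacturer=Example%20Ltd;"
              "serial=0123456789;token=test%20card;object=Mykey;type=private")
```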

One of the following exit values will be returned:
0
    Successful program execution.
1
    The operation failed or the command syntax was not valid.