p11tool(1) | General Commands Manual | p11tool(1)
NAME
p11tool - Manipulate PKCS #11 tokens.
SYNOPSIS
p11tool [options]
DESCRIPTION
Export/import data from PKCS #11 tokens. To use PKCS #11 tokens with gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form "load=/usr/lib/opensc-pkcs11.so".
OPTIONS
Program control options
- -d, --debug LEVEL
- Specify the debug level. Default is 1.
- -h, --help
- Shows this help text.
Generic options
- --login
- Force login to the token for the intended operation.
- --provider MODULE
- In addition to /etc/gnutls/pkcs11.conf, load the specified module.
- --outfile FILE
- Print output to FILE.
- --inder, --inraw
- Input is DER formatted.
Handling tokens
- --list-tokens
- Prints all available tokens.
- --initialize URL
- Initializes (formats) the token specified by the URL. Note that several tokens do not support this facility.
Getting information on available X.509 certificates
- --list-all-certs
- Prints all available certificates.
- --list-certs
- Prints all certificates that have a corresponding private key stored in the token.
- --list-trusted
- Prints all certificates that have been marked as trusted.
Getting information on private keys
- --list-privkeys
- Prints all available private keys.
Handling generic objects
- --export URL
- Exports the object (e.g. certificate) specified by the URL.
- --delete URL
- Deletes the object specified by the URL. Note that several tokens do not support deletion.
- --detailed-url
- When printing URLs, print them in a detailed form that includes details of the PKCS #11 module used.
- --no-detailed-url
- When printing URLs, do not print details on the module used.
Storing objects
- --write URL
- Flag to set when writing an object. Requires one of --load-privkey, --load-pubkey, --load-certificate or --secret-key options.
- --load-privkey
- Load a private key for the write operations.
- --load-pubkey
- Load an X.509 subjectPublicKey for the write operation.
- --load-certificate
- Load an X.509 certificate for the write operation.
- --secret-key
- Specify a hex encoded secret key for the write operation.
- --trusted
- The object stored will be marked as trusted.
- --label
- The label of the object stored.
Controlling output
- -8, --pkcs8
- Use PKCS #8 format for private keys.
EXAMPLES
To store a private key and certificate, run:
$ p11tool --login --write "pkcs11:XXX" --load-privkey key.pem --label "MyKey"
$ p11tool --login --write "pkcs11:XXX" --load-certificate cert.pem --label "MyCert"
To view all objects in a token, use:
$ p11tool --login --list-all
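Because every module named on a "load=" line of /etc/gnutls/pkcs11.conf (see DESCRIPTION) is a shared object loaded into the calling process, it is worth auditing that list before using the tool. The shell function below is an added example, not part of the original manual or of gnutls; the name check_pkcs11_conf, the verdict words it prints, and the choice of checks (absolute path, file exists, not group- or world-writable) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the p11tool manual): audit the "load=" lines of a
# gnutls PKCS #11 configuration file.
# Usage: check_pkcs11_conf /etc/gnutls/pkcs11.conf
# Prints one verdict per module; returns 0 if all pass, 1 if any module
# fails a check, 2 if the file is unreadable or has no "load=" line.
check_pkcs11_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "MISSING $conf"; return 2; }
    bad=0
    seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            load=*) module=${line#load=} ;;
            *) continue ;;   # only "load=" lines are described on this page
        esac
        seen=$((seen + 1))
        # A relative path would be resolved by the dynamic loader's search rules.
        case $module in
            /*) ;;
            *) echo "RELATIVE $module"; bad=$((bad + 1)); continue ;;
        esac
        if [ ! -f "$module" ]; then
            echo "NOTFOUND $module"; bad=$((bad + 1)); continue
        fi
        # ls -ldL follows symlinks; the mode string looks like -rwxr-xr-x.
        mode=$(ls -ldL "$module" | cut -c1-10)
        case $mode in
            # character 6 is group write, character 9 is other write
            ?????w????|????????w?) echo "WRITABLE $module"; bad=$((bad + 1)) ;;
            *) echo "OK $module" ;;
        esac
    done < "$conf"
    [ "$seen" -gt 0 ] || { echo "NOLOAD $conf"; return 2; }
    [ "$bad" -eq 0 ]
}
```

The same checks apply to any module passed with --provider, since that module is loaded in addition to the ones in the configuration file.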
AUTHOR
Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.
November 11th 2010