p11tool(1) — Linux manual pages

Linux manual pages	Section 1

Name

p11tool — Manipulate PKCS #11 tokens.

DESCRIPTION

Export/import data from PKCS #11 tokens. To use PKCS #11 tokens with gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form "load=/usr/lib/opensc-pkcs11.so".

OPTIONS

Program control options

−d, −−debug LEVEL: Specify the debug level. Default is 1.
−h, −−help: Shows this help text

Generic options

−−login: Force login to the token for the intended operation.
−−provider MODULE: In addition to /etc/gnutls/pkcs11.conf, load the specified module.
−−outfile FILE: Print output to FILE.
−−inder, −−inraw: Input is DER formatted.

Getting information on available X.509 certificates

−−list−tokens: Prints all available tokens.
−−initialize URL: Initializes (formats) the specified by the URL token. Note that several tokens do not support this fascility.

Getting information on available X.509 certificates

−−list−all−certs: Prints all available certificates.
−−list−certs: Prints all certificates that have a corresponding private key stored in the token.
−−list−trusted: Prints all certificates that have been marked as trusted.

Getting information on private keys

−−list−privkeys: Prints all available private keys.

Handling generic objects

−−export URL: Exports the object (e.g. certificate) specified by the URL.
−−delete URL: Deletes the object specified by the URL. Note that several tokens do not support deletion.
−−detailed−url: When printing URLs print them in a detailed (to the PKCS #11 module used) form.
−−no−detailed−url: When printing URLs, do not print details on the module used.

Storing objects

−−write URL: Flag to set when writing an object. Requires one of −−load−privkey, −−load−pubkey, −−load−certificate or −−secret−key options.
−−load−privkey: Load a private key for the write operations.
−−load−pubkey: Load an X.509 subjectPublicKey for the write operation.
−−load−certificate: Load an X.509 certificate for the write operation.
−−secret−key: Specify a hex encoded secret key for the write operation.
−−trusted: The object stored will be marked as trusted.
−−label: The label of the object stored.

Controlling output

−8, −−pkcs8: Use PKCS #8 format for private keys.

EXAMPLES

To store a private key and certificate, run:

$ p11tool −−login −−write "pkcs11:XXX"  −−load−privkey key.pem −−label "MyKey"
$ p11tool −−login −−write "pkcs11:XXX"  −−load−certificate cert.pem −−label "MyCert"

To view all objects in a token, use:

$ p11tool −−login −−list−all

AUTHOR

Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see /usr/share/doc/gnutls−bin/AUTHORS for a complete list.