YUBICO-PIV-TOOL(1) User Commands YUBICO-PIV-TOOL(1)

yubico-piv-tool - Yubico PIV tool

yubico-piv-tool [OPTIONS]...

yubico-piv-tool 1.6.2
-h, --help
Print help and exit
--full-help
Print help, including hidden options, and exit
-V, --version
Print version and exit
-v, --verbose[=INT]
Print more information (default=`0')
-r, --reader=STRING
Only use a matching reader (default=`Yubikey')
-k, --key[=STRING]
Management key to use, if no value is specified key will be asked for (default=`010203040506070801020304050607080102030405060708')
-a, --action=ENUM
Action to take (possible values="version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher", "list-readers", "set-ccc", "write-object", "read-object", "attest")
Multiple actions may be given at once and will be executed in order, for example: --action=verify-pin --action=request-certificate
-s, --slot=ENUM
What key slot to operate on (possible values="9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", "f9")
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)
82-95 is for Retired Key Management
f9 is for Attestation
-A, --algorithm=ENUM
What algorithm to use (possible values="RSA1024", "RSA2048", "ECCP256", "ECCP384" default=`RSA2048')
-H, --hash=ENUM
Hash to use for signatures (possible values="SHA1", "SHA256", "SHA384", "SHA512" default=`SHA256')
-n, --new-key=STRING
New management key to use for action set-mgm-key, if omitted key will be asked for
--pin-retries=INT
Number of retries before the pin code is blocked
--puk-retries=INT
Number of retries before the puk code is blocked
-i, --input=STRING
Filename to use as input, - for stdin (default=`-')
-o, --output=STRING
Filename to use as output, - for stdout (default=`-')
-K, --key-format=ENUM
Format of the key being read/written (possible values="PEM", "PKCS12", "GZIP", "DER", "SSH" default=`PEM')
-p, --password=STRING
Password for decryption of private key file, if omitted password will be asked for
-S, --subject=STRING
The subject to use for certificate request
The subject must be written as: /CN=host.example.com/OU=test/O=example.com/
--serial=INT
Serial number of the self-signed certificate
--valid-days=INT
Time (in days) until the self-signed certificate expires (default=`365')
-P, --pin=STRING
Pin/puk code for verification, if omitted pin/puk will be asked for
-N, --new-pin=STRING
New pin/puk code for changing, if omitted pin/puk will be asked for
--pin-policy=ENUM
Set pin policy for action generate or import-key. Only available on YubiKey 4 (possible values="never", "once", "always")
--touch-policy=ENUM
Set touch policy for action generate, import-key or set-mgm-key. Only available on YubiKey 4 (possible values="never", "always", "cached")
--id=INT
Id of object for write/read object
-f, --format=ENUM
Format of data for write/read object (possible values="hex", "base64", "binary" default=`hex')

For more information about what's happening --verbose can be added to any command. For much more information --verbose=2 may be used.
Display what version of the application is running on the YubiKey:

yubico-piv-tool -aversion
Generate a new ECC-P256 key on device in slot 9a, will print the public key on stdout:

yubico-piv-tool -s9a -AECCP256 -agenerate
Generate a certificate request with public key from stdin, will print the resulting request on stdout:

yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify \
-arequest
Generate a self-signed certificate with public key from stdin, will print the certificate, for later import, on stdout:

yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify \
-aselfsign
Import a certificate from stdin:

yubico-piv-tool -s9a -aimport-certificate
Set a random chuid, import a key and import a certificate from a PKCS12 file, into slot 9c:

yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid \
-aimport-key -aimport-cert
Import a certificate which is larger than 2048 bytes and thus requires compression in order to fit:

openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
yubico-piv-tool -s9c -ider.gz -KGZIP -aimport-cert
Change the management key used for administrative authentication:

yubico-piv-tool -aset-mgm-key
Delete a certificate in slot 9a, with management key being asked for:

yubico-piv-tool -adelete-certificate -s9a -k
Show some information on certificates and other data:

yubico-piv-tool -astatus
Read out the certificate from a slot and then run a signature test:

yubico-piv-tool -aread-cert -s9a
yubico-piv-tool -averify-pin -atest-signature -s9a
Import a key into slot 85 (only available on YubiKey 4) and set the touch policy (also only available on YubiKey 4):

yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem
September 2018 yubico-piv-tool 1.6.2
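
The options above take the management key, PIN/PUK and key-file password as argument values, and -k documents a default management key. The following shell lint is an added example, not part of the man page or the Yubico project: it flags yubico-piv-tool command lines in a provisioning script that pass those secrets on the command line or still use the default key. The function names, finding labels and the sample script (PIN, password, file names) are constructed for illustration.

```shell
# Added example, not part of the man page: lint yubico-piv-tool command lines.
DEFAULT_KEY=010203040506070801020304050607080102030405060708

# One finding per line for one command line; splits on whitespace only.
piv_lint_line() {
    case "$1" in *yubico-piv-tool*) ;; *) return 0 ;; esac
    set -f; prev=""                       # word-split without globbing
    for tok in $1; do
        name=""; val=""
        case "$prev" in                   # value given as a separate word
            -P|--pin|-N|--new-pin|-p|--password|-n|--new-key) name=$prev; val=$tok; tok="" ;;
        esac
        case "$tok" in                    # "--pin=VALUE" and "-PVALUE" forms
            --key=?*|--pin=?*|--new-pin=?*|--password=?*|--new-key=?*)
                name=${tok%%=*}; val=${tok#*=} ;;
            -k?*|-P?*|-N?*|-p?*|-n?*) val=${tok#-?}; name=${tok%"$val"} ;;
        esac
        prev=$tok
        [ -n "$name" ] || continue
        case "$name:$val" in
            -k:"$DEFAULT_KEY"|--key:"$DEFAULT_KEY") echo "default-management-key" ;;
            -k:*|--key:*|-n:*|--new-key:*) echo "management-key-on-command-line" ;;
            -p:*|--password:*) echo "key-file-password-on-command-line" ;;
            *) echo "pin-or-puk-on-command-line" ;;
        esac
    done
    set +f
}

# Lint a script on stdin; prints "<command-no>: <finding>".
piv_lint() {
    n=0
    while read line || [ -n "$line" ]; do   # no -r: "\" continuations are joined
        n=$((n + 1))
        piv_lint_line "$line" | sed "s/^/$n: /"
    done
}

# Constructed sample script (PIN, password and file names are made up).
piv_lint_sample() { cat <<'EOF'
yubico-piv-tool -s9a -AECCP256 -agenerate
yubico-piv-tool -averify-pin -P246810 -atest-signature -s9a
yubico-piv-tool -aset-mgm-key -k010203040506070801020304050607080102030405060708
yubico-piv-tool -s9c -itest.pfx -KPKCS12 --password hunter2 \
    -aimport-key
yubico-piv-tool -adelete-certificate -s9a -k
EOF
}

piv_lint_sample | piv_lint
```

Commands that omit the value, such as the final `-k` in the sample, produce no finding because the tool then asks for the secret, as the option descriptions state.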
