Provided by: yubico-piv-tool_1.6.2-1_amd64 bug


       yubico-piv-tool - Yubico PIV tool


       yubico-piv-tool [OPTIONS]...


       yubico-piv-tool 1.6.2

       -h, --help
              Print help and exit

              Print help, including hidden options, and exit

       -V, --version
              Print version and exit

       -v, --verbose[=INT]
              Print more information  (default=`0')

       -r, --reader=STRING
              Only use a matching reader  (default=`Yubikey')

       -k, --key[=STRING]
              Management   key  to  use,  if  no  value  is  specified  key  will  be  asked  for

       -a, --action=ENUM
              Action to take  (possible  values="version",  "generate",  "set-mgm-key",  "reset",
              "pin-retries",        "import-key",        "import-certificate",       "set-chuid",
              "request-certificate",  "verify-pin",  "change-pin",  "change-puk",  "unblock-pin",
              "selfsign-certificate",    "delete-certificate",    "read-certificate",   "status",
              "test-signature",  "test-decipher",  "list-readers",   "set-ccc",   "write-object",
              "read-object", "attest")

              Multiple  actions  may  be  given at once and will be executed in order for example
              --action=verify-pin --action=request-certificate

       -s, --slot=ENUM
              What key slot to operate on  (possible values="9a", "9c", "9d", "9e",  "82",  "83",
              "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91",
              "92", "93", "94", "95", "f9")

              9a is for PIV Authentication 9c is for Digital Signature (PIN always checked) 9d is
              for  Key  Management 9e is for Card Authentication (PIN never checked) 82-95 is for
              Retired Key Management f9 is for Attestation

       -A, --algorithm=ENUM
              What algorithm to use  (possible values="RSA1024", "RSA2048", "ECCP256",  "ECCP384"

       -H, --hash=ENUM
              Hash  to  use for signatures  (possible values="SHA1", "SHA256", "SHA384", "SHA512"

       -n, --new-key=STRING
              New management key to use for action set-mgm-key, if omitted key will be asked for

              Number of retries before the pin code is blocked

              Number of retries before the puk code is blocked

       -i, --input=STRING
              Filename to use as input, - for stdin  (default=`-')

       -o, --output=STRING
              Filename to use as output, - for stdout (default=`-')

       -K, --key-format=ENUM
              Format of the key being read/written   (possible  values="PEM",  "PKCS12",  "GZIP",
              "DER", "SSH" default=`PEM')

       -p, --password=STRING
              Password for decryption of private key file, if omitted password will be asked for

       -S, --subject=STRING
              The subject to use for certificate request

              The subject must be written as: /

              Serial number of the self-signed certificate

              Time (in days) until the self-signed certificate expires  (default=`365')

       -P, --pin=STRING
              Pin/puk code for verification, if omitted pin/puk will be asked for

       -N, --new-pin=STRING
              New pin/puk code for changing, if omitted pin/puk will be asked for

              Set  pin  policy  for  action  generate or import-key.  Only available on YubiKey 4
              (possible values="never", "once", "always")

              Set touch policy for action generate, import-key or set-mgm-key. Only available  on
              YubiKey 4 (possible values="never", "always", "cached")

              Id of object for write/read object

       -f, --format=ENUM
              Format  of  data  for write/read object  (possible values="hex", "base64", "binary"


       For more information about what's happening --verbose can be added  to  any  command.  For
       much more information --verbose=2 may be used.

       Display what version of the application is running on the YubiKey:

          yubico-piv-tool -aversion

       Generate a new ECC-P256 key on device in slot 9a, will print the public key on stdout:

          yubico-piv-tool -s9a -AECCP256 -agenerate

       Generate  a  certificate  request  with  public  key  from stdin, will print the resulting
       request on stdout:

          yubico-piv-tool -s9a -S'/CN=foo/OU=test/' -averify \

       Generate a self-signed certificate with public key from stdin, will print the certificate,
       for later import, on stdout:

          yubico-piv-tool -s9a -S'/CN=bar/OU=test/' -averify \

       Import a certificate from stdin:

          yubico-piv-tool -s9a -aimport-certificate

       Set  a  random  chuid, import a key and import a certificate from a PKCS12 file, into slot

          yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid \
            -aimport-key -aimport-cert

       Import a certificate which is larger than 2048 bytes  and  thus  requires  compression  in
       order to fit:

         openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
         yubico-piv-tool -s9c -ider.gz -KGZIP -aimport-cert

       Change the management key used for administrative authentication:

          yubico-piv-tool -aset-mgm-key

       Delete a certificate in slot 9a, with management key being asked for:

         yubico-piv-tool -adelete-certificate -s9a -k

       Show some information on certificates and other data:

         yubico-piv-tool -astatus

       Read out the certificate from a slot and then run a signature test:

         yubico-piv-tool -aread-cert -s9a
         yubico-piv-tool -averify-pin -atest-signature -s9a

       Import  a  key  into  slot 85 (only available on YubiKey 4) and set the touch policy (also
       only available on YubiKey 4):

         yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem