Provided by: yubico-piv-tool_2.5.2-1_amd64
NAME
yubico-piv-tool - Tool for managing Personal Identity Verification credentials on Yubikeys
SYNOPSIS
yubico-piv-tool [OPTION]...
DESCRIPTION
-h, --help Print help and exit --full-help Print help, including hidden options, and exit -V, --version Print version and exit -v, --verbose[=INT] Print more information (default=`0') -r, --reader=STRING Only use a matching reader (default=`Yubikey') -k, --key[=STRING] Management key to use, if no value is specified key will be asked for (default=`010203040506070801020304050607080102030405060708') -a, --action=ENUM Action to take (possible values="version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher", "list-readers", "set-ccc", "write-object", "read-object", "attest", "move-key", "delete-key") Multiple actions may be given at once and will be executed in order for example --action=verify-pin --action=request-certificate -s, --slot=ENUM What key slot to operate on (possible values="9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", "f9") 9a is for PIV Authentication 9c is for Digital Signature (PIN always checked) 9d is for Key Management 9e is for Card Authentication (PIN never checked) 82-95 is for Retired Key Management f9 is for Attestation --to-slot=ENUM What slot to move an existing key to (possible values="9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", "f9") 9a is for PIV Authentication 9c is for Digital Signature (PIN always checked) 9d is for Key Management 9e is for Card Authentication (PIN never checked) 82-95 is for Retired Key Management f9 is for Attestation -A, --algorithm=ENUM What algorithm to use (possible values="RSA1024", "RSA2048", "RSA3072", "RSA4096", "ECCP256", "ECCP384", "ED25519", "X25519" default=`RSA2048') -H, --hash=ENUM Hash to use for signatures (possible values="SHA1", "SHA256", "SHA384", "SHA512" default=`SHA256') -n, --new-key=STRING New management key to use for action set-mgm-key, if omitted key will be asked for --pin-retries=INT Number of retries before the pin code is blocked --puk-retries=INT Number of retries before the puk code is blocked -i, --input=STRING Filename to use as input, - for stdin (default=`-') -o, --output=STRING Filename to use as output, - for stdout (default=`-') -K, --key-format=ENUM Format of the key being read/written (possible values="PEM", "PKCS12", "GZIP", "DER", "SSH" default=`PEM') --compress Compress a large certificate using GZIP before import (default=off) -p, --password=STRING Password for decryption of private key file, if omitted password will be asked for -S, --subject=STRING The subject to use for certificate request The subject must be written as: /CN=host.example.com/OU=test/O=example.com/ --serial=INT Serial number of the self-signed certificate --valid-days=INT Time (in days) until the self-signed certificate expires (default=`365') -P, --pin=STRING Pin/puk code for verification, if omitted pin/puk will be asked for -N, --new-pin=STRING New pin/puk code for changing, if omitted pin/puk will be asked for --pin-policy=ENUM Set pin policy for action generate or import-key. Only available on YubiKey 4 or newer (possible values="never", "once", "always") --touch-policy=ENUM Set touch policy for action generate, import-key or set-mgm-key. Only available on YubiKey 4 or newer (possible values="never", "always", "cached") --id=INT Id of object for write/read object -f, --format=ENUM Format of data for write/read object (possible values="hex", "base64", "binary" default=`hex') --attestation Add attestation cross-signature (default=off) -m, --new-key-algo=ENUM New management key algorithm to use for action set-mgm-key (possible values="TDES", "AES128", "AES192", "AES256" default=`TDES')