Provided by: yubico-piv-tool_1.0.3-1_amd64 

NAME
yubico-piv-tool - Yubico PIV tool
SYNOPSIS
yubico-piv-tool [OPTIONS]...
DESCRIPTION
yubico-piv-tool 1.0.3
-h, --help
Print help and exit
--full-help
Print help, including hidden options, and exit
-V, --version
Print version and exit
-v, --verbose[=INT]
Print more information (default=`0')
-r, --reader=STRING
Only use a matching reader (default=`Yubikey')
-k, --key=STRING
Authentication key to use (default=`010203040506070801020304050607080102030405060708')
-a, --action=ENUM
Action to take (possible values="version", "generate", "set-mgm-key", "reset", "pin-retries",
"import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin",
"change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate",
"read-certificate", "status", "test-signature", "test-decipher")
Multiple actions may be given at once and will be executed in order, for example:
--action=verify-pin --action=request-certificate
-s, --slot=ENUM
What key slot to operate on (possible values="9a", "9c", "9d", "9e")
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)
-A, --algorithm=ENUM
What algorithm to use (possible values="RSA1024", "RSA2048", "ECCP256" default=`RSA2048')
-H, --hash=ENUM
Hash to use for signatures (possible values="SHA1", "SHA256", "SHA512" default=`SHA256')
-n, --new-key=STRING
New authentication key to use
--pin-retries=INT
Number of retries before the pin code is blocked
--puk-retries=INT
Number of retries before the puk code is blocked
-i, --input=STRING
Filename to use as input, - for stdin (default=`-')
-o, --output=STRING
Filename to use as output, - for stdout (default=`-')
-K, --key-format=ENUM
Format of the key being read/written (possible values="PEM", "PKCS12", "GZIP", "DER"
default=`PEM')
-p, --password=STRING
Password for decryption of private key file
-S, --subject=STRING
The subject to use for certificate request
The subject must be written as: /CN=host.example.com/OU=test/O=example.com/
-P, --pin=STRING
Pin/puk code for verification
-N, --new-pin=STRING
New pin/puk code for changing
EXAMPLES
For more information about what's happening --verbose can be added to any command. For much more
information --verbose=2 may be used.
Display what version of the applet is running on the YubiKey Neo:
yubico-piv-tool -a version
Generate a new ECC-P256 key on the device in slot 9a and print the public key on stdout:
yubico-piv-tool -s 9a -A ECCP256 -a generate
Generate a certificate request with the public key from stdin and print the resulting request on stdout:
yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \
-a verify -a request
Generate a self-signed certificate with the public key from stdin and print the certificate, for later
import, on stdout:
yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 \
-a verify -a selfsign
Import a certificate from stdin:
yubico-piv-tool -s 9a -a import-certificate
Set a random chuid, import a key and import a certificate from a PKCS12 file with password test, into
slot 9c:
yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \
-a import-key -a import-cert
Import a certificate which is larger than 2048 bytes and thus requires compression in order to fit:
openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
yubico-piv-tool -s 9c -i der.gz -K GZIP -a import-cert
Change the management key used for administrative authentication:
yubico-piv-tool -n 080706050403020108070605040302010807060504030201 \
-a set-mgm-key
Delete a certificate in slot 9a:
yubico-piv-tool -a delete-certificate -s 9a
Show some information on certificates and other data:
yubico-piv-tool -a status
Read out the certificate from a slot and then run a signature test:
yubico-piv-tool -a read-cert -s 9a
yubico-piv-tool -a verify-pin -P 123456 -a test-signature -s 9a
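Added example, not part of the original manual page or of Yubico's code: a sketch of replacing the factory default management key (the value printed under --key) with a random one before any other provisioning. The function names are hypothetical, and the 48-hex-digit length is an assumption taken from the length of the default key.

```shell
#!/bin/sh
# Added example: replace the factory default management key with a random one.
# Function names are hypothetical; only -k, -n and -a set-mgm-key come from
# the option list above.

# Factory default, as printed under --key in this page.
DEFAULT_MGM_KEY=010203040506070801020304050607080102030405060708

# Succeeds only for 48 hex digits (assumption: a 24-byte key, the same length
# as the default) that differ from the factory default.
is_valid_mgm_key() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 48 ] || return 1
    [ "$1" != "$DEFAULT_MGM_KEY" ]
}

# Prints 24 bytes from the kernel CSPRNG as 48 lowercase hex digits.
new_mgm_key() {
    od -An -N24 -tx1 /dev/urandom | tr -dc '0-9a-f'
}

# rotate_mgm_key CURRENT_KEY
# Sets a fresh key and prints it on stdout only if the device accepted it.
# -k and -n place both keys in the process argument list, which other local
# users can read, so run this on a host with no other users.
rotate_mgm_key() {
    new=$(new_mgm_key)
    is_valid_mgm_key "$new" || return 1
    yubico-piv-tool -k "$1" -n "$new" -a set-mgm-key >&2 || return 1
    printf '%s\n' "$new"
}
```

On a fresh device this would be called as rotate_mgm_key "$DEFAULT_MGM_KEY"; store the printed key somewhere safe, since later administrative actions need it via --key.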
yubico-piv-tool 1.0.3 September 2015 YUBICO-PIV-TOOL(1)