.TH p11tool 1 "November 11th 2010"
p11tool \- Manipulate PKCS #11 tokens.
p11tool [\fIoptions\fR]
Export/import data from PKCS #11 tokens. To use PKCS #11 tokens with
gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and
contain a number of lines of the form "load=/usr/lib/opensc-pkcs11.so".
.SS Program control options
.IP "\-d, \-\-debug LEVEL"
Specify the debug level. Default is 1.
Force login to the token for the intended operation.
.IP "\-\-provider MODULE"
In addition to /etc/gnutls/pkcs11.conf, load the specified module.
.IP "\-\-outfile FILE"
.IP "\-\-inder, \-\-inraw"
Input is DER formatted.
.SS Handling tokens
.IP "\-\-list\-tokens"
Prints all available tokens.
.IP "\-\-initialize URL"
Initializes (formats) the token specified by the URL. Note that
several tokens do not support this facility.
.SS Getting information on available X.509 certificates
.IP "\-\-list\-all\-certs"
Prints all available certificates.
Prints all certificates that have a corresponding private key stored in the token.
.IP "\-\-list\-trusted"
Prints all certificates that have been marked as trusted.
.SS Getting information on private keys
.IP "\-\-list\-privkeys"
Prints all available private keys.
.SS Handling generic objects
Exports the object (e.g. certificate) specified by the URL.
Deletes the object specified by the URL. Note that several tokens do not
.IP "\-\-detailed\-url"
When printing URLs print them in a detailed (to the PKCS #11 module used)
.IP "\-\-no\-detailed\-url"
When printing URLs, do not print details on the module used.
Flag to set when writing an object. Requires one of \-\-load\-privkey, \-\-load\-pubkey,
\-\-load\-certificate or \-\-secret\-key options.
.IP "\-\-load\-privkey"
Load a private key for the write operations.
.IP "\-\-load\-pubkey"
Load an X.509 subjectPublicKey for the write operation.
.IP "\-\-load\-certificate"
Load an X.509 certificate for the write operation.
Specify a hex encoded secret key for the write operation.
The object stored will be marked as trusted.
The label of the object stored.
.SS Controlling output
Use PKCS #8 format for private keys.
To store a private key and certificate, run:
$ p11tool \-\-login \-\-write "pkcs11:XXX" \-\-load\-privkey key.pem \-\-label "MyKey"
$ p11tool \-\-login \-\-write "pkcs11:XXX" \-\-load\-certificate cert.pem \-\-label "MyCert"
To view all objects in a token, use:
$ p11tool \-\-login \-\-list\-all
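Every "load=" line in /etc/gnutls/pkcs11.conf names a shared object that is loaded into the process using the token, so it is worth checking those files before relying on the configuration. The following is an added example, not part of p11tool or gnutls: the function name check_pkcs11_conf, its status words and the demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of gnutls): audit the "load=" lines of a
# pkcs11.conf. Prints one "STATUS path" line per module and returns
# 1 if any module is missing or writable by group/other, 2 if the
# configuration file itself cannot be read.
check_pkcs11_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "NOCONF $conf"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            load=*) module=${line#load=} ;;
            *) continue ;;          # ignore anything that is not load=
        esac
        if [ ! -f "$module" ]; then
            echo "MISSING $module"; rc=1; continue
        fi
        # First 10 characters of ls -l: file type plus the rwx triplets.
        # -L follows symlinks so the real module file is inspected.
        perm=$(ls -ldL "$module" | cut -c1-10)
        case $perm in
            ?????w*|????????w*) echo "WRITABLE $module"; rc=1 ;;
            *) echo "OK $module" ;;
        esac
    done < "$conf"
    return $rc
}

# Demo on a constructed configuration (paths are made up for this example).
demo_dir=$(mktemp -d)
: > "$demo_dir/token.so"; chmod 777 "$demo_dir/token.so"
printf 'load=%s\nload=%s\n' "$demo_dir/token.so" "$demo_dir/absent.so" \
    > "$demo_dir/pkcs11.conf"
check_pkcs11_conf "$demo_dir/pkcs11.conf" || echo "review the modules flagged above"
rm -rf "$demo_dir"
```

On a real system, call check_pkcs11_conf /etc/gnutls/pkcs11.conf and treat any MISSING or WRITABLE line as something to fix before the token is used.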
Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see
/usr/share/doc/gnutls\-bin/AUTHORS for a complete list.