p11tool(1) Manipulate PKCS #11 tokens.

SYNOPSIS

p11tool [options]

DESCRIPTION

Export/import data from PKCS #11 tokens. To use PKCS #11 tokens with gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form "load=/usr/lib/opensc-pkcs11.so".

OPTIONS

Program control options

-d, --debug LEVEL
Specify the debug level. Default is 1.
-h, --help
Shows this help text

Generic options

--login
Force login to the token for the intended operation.
--provider MODULE
In addition to /etc/gnutls/pkcs11.conf, load the specified module.
--outfile FILE
Print output to FILE.
--inder, --inraw
Input is DER formatted.

Getting information on available X.509 certificates

--list-tokens
Prints all available tokens.
--initialize URL
Initializes (formats) the specified by the URL token. Note that several tokens do not support this fascility.

Getting information on available X.509 certificates

--list-all-certs
Prints all available certificates.
--list-certs
Prints all certificates that have a corresponding private key stored in the token.
--list-trusted
Prints all certificates that have been marked as trusted.

Getting information on private keys

--list-privkeys
Prints all available private keys.

Handling generic objects

--export URL
Exports the object (e.g. certificate) specified by the URL.
--delete URL
Deletes the object specified by the URL. Note that several tokens do not support deletion.
--detailed-url
When printing URLs print them in a detailed (to the PKCS #11 module used) form.
--no-detailed-url
When printing URLs, do not print details on the module used.

Storing objects

--write URL
Flag to set when writing an object. Requires one of --load-privkey, --load-pubkey, --load-certificate or --secret-key options.
--load-privkey
Load a private key for the write operations.
--load-pubkey
Load an X.509 subjectPublicKey for the write operation.
--load-certificate
Load an X.509 certificate for the write operation.
--secret-key
Specify a hex encoded secret key for the write operation.
--trusted
The object stored will be marked as trusted.
--label
The label of the object stored.

Controlling output

-8, --pkcs8
Use PKCS #8 format for private keys.

EXAMPLES

To store a private key and certificate, run:

$ p11tool --login --write "pkcs11:XXX"  --load-privkey key.pem --label "MyKey"
$ p11tool --login --write "pkcs11:XXX"  --load-certificate cert.pem --label "MyCert"

To view all objects in a token, use:

$ p11tool --login --list-all 

AUTHOR

Nikos Mavrogiannopoulos <[email protected]> and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.