SYNOPSIS
p11tool [options]DESCRIPTION
Export/import data from PKCS #11 tokens. To use PKCS #11 tokens with gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form "load=/usr/lib/opensc-pkcs11.so".OPTIONS
Program control options
- -d, --debug LEVEL
- Specify the debug level. Default is 1.
- -h, --help
-
Shows this help text
Generic options
- --login
- Force login to the token for the intended operation.
- --provider MODULE
- In addition to /etc/gnutls/pkcs11.conf, load the specified module.
- --outfile FILE
- Print output to FILE.
- --inder, --inraw
-
Input is DER formatted.
Getting information on available X.509 certificates
- --list-tokens
- Prints all available tokens.
- --initialize URL
-
Initializes (formats) the specified by the URL token. Note that
several tokens do not support this fascility.
Getting information on available X.509 certificates
- --list-all-certs
- Prints all available certificates.
- --list-certs
- Prints all certificates that have a corresponding private key stored in the token.
- --list-trusted
-
Prints all certificates that have been marked as trusted.
Getting information on private keys
- --list-privkeys
-
Prints all available private keys.
Handling generic objects
- --export URL
- Exports the object (e.g. certificate) specified by the URL.
- --delete URL
- Deletes the object specified by the URL. Note that several tokens do not support deletion.
- --detailed-url
- When printing URLs print them in a detailed (to the PKCS #11 module used) form.
- --no-detailed-url
-
When printing URLs, do not print details on the module used.
Storing objects
- --write URL
- Flag to set when writing an object. Requires one of --load-privkey, --load-pubkey, --load-certificate or --secret-key options.
- --load-privkey
- Load a private key for the write operations.
- --load-pubkey
- Load an X.509 subjectPublicKey for the write operation.
- --load-certificate
- Load an X.509 certificate for the write operation.
- --secret-key
- Specify a hex encoded secret key for the write operation.
- --trusted
- The object stored will be marked as trusted.
- --label
-
The label of the object stored.
Controlling output
- -8, --pkcs8
-
Use PKCS #8 format for private keys.
EXAMPLES
To store a private key and certificate, run:
-
$ p11tool --login --write "pkcs11:XXX" --load-privkey key.pem --label "MyKey" $ p11tool --login --write "pkcs11:XXX" --load-certificate cert.pem --label "MyCert"
To view all objects in a token, use:
-
$ p11tool --login --list-all
AUTHOR
Nikos Mavrogiannopoulos <[email protected]> and others; see /usr/share/doc/gnutls-bin/AUTHORS for a complete list.