SYNOPSIS

DESCRIPTION

-h, --help

Print help and exit

--full-help

Print help, including hidden options, and exit

-V, --version

Print version and exit

-v, --verbose[=INT]

Print more information (default=`0')

-r, --reader=STRING

Only use a matching reader (default=`Yubikey')

-k, --key=STRING

Authentication key to use (default=`010203040506070801020304050607080102030405060708')

-a, --action=ENUM

Action to take (possible values="version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher")

Multiple actions may be given at once and will be executed in order for example --action=verify-pin --action=request-certificate

-s, --slot=ENUM

What key slot to operate on (possible values="9a", "9c", "9d", "9e")

9a is for PIV Authentication 9c is for Digital Signature (PIN always checked) 9d is for Key Management 9e is for Card Authentication (PIN never checked)

-A, --algorithm=ENUM

What algorithm to use (possible values="RSA1024", "RSA2048", "ECCP256" default=`RSA2048')

-H, --hash=ENUM

Hash to use for signatures (possible values="SHA1", "SHA256", "SHA512" default=`SHA256')

-n, --new-key=STRING

New authentication key to use

--pin-retries=INT

Number of retries before the pin code is blocked

--puk-retries=INT

Number of retries before the puk code is blocked

-i, --input=STRING

Filename to use as input, - for stdin (default=`-')

-o, --output=STRING

Filename to use as output, - for stdout (default=`-')

-K, --key-format=ENUM

Format of the key being read/written (possible values="PEM", "PKCS12", "GZIP", "DER" default=`PEM')

-p, --password=STRING

Password for decryption of private key file

-S, --subject=STRING

The subject to use for certificate request

The subject must be written as: /CN=host.example.com/OU=test/O=example.com/

-P, --pin=STRING

Pin/puk code for verification

-N, --new-pin=STRING

New pin/puk code for changing

EXAMPLES

For more information about what's happening --verbose can be added to any command. For much more information --verbose=2 may be used.

Display what version of the applet is running on the YubiKey Neo:

   yubico-piv-tool -a version

Generate a new ECC-P256 key on device in slot 9a, will print the public key on stdout:

   yubico-piv-tool -s 9a -A ECCP256 -a generate

Generate a certificate request with public key from stdin, will print the resulting request on stdout:

   yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \
     -a verify -a request

Generate a self-signed certificate with public key from stdin, will print the certificate, for later import, on stdout:

   yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 \
     -a verify -a selfsign

Import a certificate from stdin:

   yubico-piv-tool -s 9a -a import-certificate

Set a random chuid, import a key and import a certificate from a PKCS12 file with password test, into slot 9c:

   yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \
     -a import-key -a import-cert

Import a certificate which is larger than 2048 bytes and thus requires compression in order to fit:

  openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
  yubico-piv-tool -s 9c -i der.gz -K GZIP -a import-cert

Change the management key used for administrative authentication:

   yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \
     -a set-mgm-key

Delete a certificate in slot 9a:

  yubico-piv-tool -a delete-certificate -s 9a

Show some information on certificates and other data:

  yubico-piv-tool -a status

Read out the certificate from a slot and then run a signature test:

  yubico-piv-tool -a read-cert -s 9a
  yubico-piv-tool -a verify-pin -P 123456 -a test-signature -s 9a