yubico-piv-tool [OPTION]…

-h, --help
    Print help and exit

--full-help
    Print help, including hidden options, and exit

-V, --version
    Print version and exit

-v, --verbose[=INT]
    Print more information (default=‘0’)

-r, --reader=STRING
    Only use a matching reader (default=‘Yubikey’)

-k, --key[=STRING]
    Management key to use; if no value is specified, the key will be asked for (default=‘010203040506070801020304050607080102030405060708’)

-a, --action=ENUM
    Action to take (possible values="version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "verify-bio", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher", "list-readers", "set-ccc", "write-object", "read-object", "attest", "move-key", "delete-key")
    Multiple actions may be given at once and will be executed in order, for example: --action=verify-pin --action=request-certificate

-s, --slot=ENUM
    What key slot to operate on (possible values="9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", "f9")
    9a is for PIV Authentication
    9c is for Digital Signature (PIN always checked)
    9d is for Key Management
    9e is for Card Authentication (PIN never checked)
    82-95 is for Retired Key Management
    f9 is for Attestation

--to-slot=ENUM
    What slot to move an existing key to (possible values="9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", "f9")
    9a is for PIV Authentication
    9c is for Digital Signature (PIN always checked)
    9d is for Key Management
    9e is for Card Authentication (PIN never checked)
    82-95 is for Retired Key Management
    f9 is for Attestation

-A, --algorithm=ENUM
    What algorithm to use (possible values="RSA1024", "RSA2048", "RSA3072", "RSA4096", "ECCP256", "ECCP384", "ED25519", "X25519" default=‘RSA2048’)

-H, --hash=ENUM
    Hash to use for signatures (possible values="SHA1", "SHA256", "SHA384", "SHA512" default=‘SHA256’)

-n, --new-key=STRING
    New management key to use for action set-mgm-key; if omitted, the key will be asked for

--pin-retries=INT
    Number of retries before the PIN code is blocked

--puk-retries=INT
    Number of retries before the PUK code is blocked

-i, --input=STRING
    Filename to use as input, - for stdin (default=‘-’)

-o, --output=STRING
    Filename to use as output, - for stdout (default=‘-’)

-K, --key-format=ENUM
    Format of the key being read/written (possible values="PEM", "PKCS12", "GZIP", "DER", "SSH" default=‘PEM’)

--compress
    Compress a large certificate using GZIP before import (default=off)

-p, --password=STRING
    Password for decryption of the private key file; if omitted, the password will be asked for

-S, --subject=STRING
    The subject to use for the certificate request
    The subject must be written as: /CN=host.example.com/OU=test/O=example.com/

--serial=INT
    Serial number of the self-signed certificate

--valid-days=INT
    Time (in days) until the self-signed certificate expires (default=‘365’)

-P, --pin=STRING
    PIN/PUK code for verification; if omitted, the PIN/PUK will be asked for

-N, --new-pin=STRING
    New PIN/PUK code for changing; if omitted, the PIN/PUK will be asked for

--pin-policy=ENUM
    Set PIN policy for action generate or import-key. Only available on YubiKey 4 or newer (possible values="never", "once", "always", "matchonce", "matchalways")

--touch-policy=ENUM
    Set touch policy for action generate, import-key or set-mgm-key. Only available on YubiKey 4 or newer (possible values="never", "always", "cached")

--id=INT
    Id of object for write/read object

-f, --format=ENUM
    Format of data for write/read object (possible values="hex", "base64", "binary" default=‘hex’)

--attestation
    Add attestation cross-signature (default=off)

-m, --new-key-algo=ENUM
    New management key algorithm to use for action set-mgm-key (possible values="TDES", "AES128", "AES192", "AES256" default=‘TDES’)
For more information about what’s happening, --verbose can be added to any command. For much more information, --verbose=2 may be used.

Display what version of the application is running on the YubiKey:

    yubico-piv-tool -aversion

Generate a new ECC-P256 key on device in slot 9a; the public key is printed on stdout:

    yubico-piv-tool -s9a -AECCP256 -agenerate

Generate a certificate request with the public key from stdin; the resulting request is printed on stdout:

    yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest

Generate a self-signed certificate with the public key from stdin; the certificate is printed on stdout for later import:

    yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify -aselfsign

Import a certificate from stdin:

    yubico-piv-tool -s9a -aimport-certificate

Set a random CHUID, import a key and import a certificate from a PKCS12 file into slot 9c:

    yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key -aimport-cert

Import a certificate which is larger than 2048 bytes and thus requires compression in order to fit:

    openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
    yubico-piv-tool -s9c -ider.gz -KGZIP -aimport-cert

Import a certificate which is larger than 2048 bytes and have yubico-piv-tool do the GZIP compression in order to fit:

    yubico-piv-tool -s9c -icert.pem --compress -aimport-cert
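The request, CA-signing and import steps above are usually run as one procedure. The script below chains them for a slot, checks the subject against the /CN=.../OU=.../O=.../ form the -S option requires, and decides from the DER size whether --compress is needed before import. This is an added example, not code from the yubico-piv-tool man page or from Yubico; it assumes yubico-piv-tool and openssl are on PATH, a YubiKey is attached, and the caller supplies the CA certificate and key files (the file names, function names and the PROVISION environment variable are this example's own choices, not part of the tool). Only the offline helpers run without a device; the device steps run when PROVISION=1 is set.

```shell
#!/bin/sh
# Added example (not from the yubico-piv-tool man page): provision one PIV
# slot end to end. Assumes yubico-piv-tool and openssl on PATH (assumption).

# Check a subject string against the form the -S option documents:
# /KEY=value/KEY=value/ with a leading and trailing slash and non-empty values.
valid_subject() {
    case "$1" in
        /*/) ;;
        *) return 1 ;;
    esac
    rest=${1#/}; rest=${rest%/}
    old_ifs=$IFS; IFS=/
    for comp in $rest; do
        case "$comp" in
            [A-Za-z]*=?*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Size in bytes of the DER certificate inside a PEM file, computed from the
# base64 body length (no decoder needed): 4 base64 chars = 3 bytes, minus padding.
pem_der_size() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '1d;$d' | tr -d '\n\r')
    pad=0
    case "$body" in
        *==) pad=2 ;;
        *=) pad=1 ;;
    esac
    echo $(( ${#body} / 4 * 3 - pad ))
}

# True when the certificate exceeds the 2048-byte limit mentioned in the
# examples and must be GZIP-compressed to fit in the slot.
needs_compress() {
    [ "$(pem_der_size "$1")" -gt 2048 ]
}

# provision_slot SLOT SUBJECT CA_CERT CA_KEY [ALGORITHM]
# Generates a key, builds a CSR from the public key, signs it with the CA,
# imports the certificate (compressed if needed) and runs a signature test.
provision_slot() {
    slot="$1"; subject="$2"; ca_cert="$3"; ca_key="$4"; algo="${5:-ECCP256}"
    valid_subject "$subject" || { echo "bad subject: $subject" >&2; return 1; }
    # -k with no value makes the tool prompt for the management key instead of
    # silently using the default key listed under --key.
    yubico-piv-tool -s"$slot" -A"$algo" -k -agenerate -o "$slot.pub" || return 1
    yubico-piv-tool -s"$slot" -S"$subject" -averify-pin -arequest-certificate \
        -i "$slot.pub" -o "$slot.csr" || return 1
    # Sign the request with the caller's CA (file names are assumptions).
    openssl x509 -req -in "$slot.csr" -CA "$ca_cert" -CAkey "$ca_key" \
        -CAcreateserial -days 365 -out "$slot.crt" || return 1
    compress=''
    needs_compress "$slot.crt" && compress='--compress'
    yubico-piv-tool -s"$slot" $compress -k -aimport-certificate -i "$slot.crt" || return 1
    # Confirm the slot's private key matches the imported certificate.
    yubico-piv-tool -s"$slot" -averify-pin -atest-signature -i "$slot.crt"
}

# Device steps only run on request, e.g.:
#   PROVISION=1 ./provision.sh 9a '/CN=host.example.com/OU=test/O=example.com/' ca.pem ca-key.pem
if [ "${PROVISION:-0}" = 1 ]; then
    provision_slot "$@"
fi
```

The size check mirrors what the examples do by hand with openssl and gzip -9, but leaves the compression to --compress; a certificate that still does not fit after compression is reported by the tool at import time.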
Change the management key used for administrative authentication:

    yubico-piv-tool -aset-mgm-key
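Because --key defaults to the fixed value printed in the option list, any key that has never had set-mgm-key run on it accepts that well-known management key for generate, import-key and the other administrative actions. The script below rotates it to a random key of the right length for the chosen -m algorithm and refuses to install the default. This is an added example, not code from the man page or from Yubico; it assumes yubico-piv-tool and openssl on PATH and a YubiKey attached, and the function names and the ROTATE_MGM_KEY variable are this example's own. The length table and validator run offline; the device step runs only when ROTATE_MGM_KEY=1 is set.

```shell
#!/bin/sh
# Added example (not from the yubico-piv-tool man page): rotate the PIV
# management key away from the default listed under --key.
# Assumes yubico-piv-tool and openssl on PATH (assumption).

# The default management key from the --key option description.
DEFAULT_MGM_KEY='010203040506070801020304050607080102030405060708'

# Hex characters a management key needs for each -m algorithm
# (TDES and AES192 are 24-byte keys, AES128 16 bytes, AES256 32 bytes).
mgm_key_hex_len() {
    case "$1" in
        TDES|AES192) echo 48 ;;
        AES128) echo 32 ;;
        AES256) echo 64 ;;
        *) return 1 ;;
    esac
}

# True when the given key (any case) is the default key.
is_default_mgm_key() {
    [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$DEFAULT_MGM_KEY" ]
}

# validate_mgm_key KEYHEX ALGORITHM: right length, hex only, not the default.
validate_mgm_key() {
    key="$1"; algo="$2"
    want=$(mgm_key_hex_len "$algo") || { echo "unknown algorithm: $algo" >&2; return 1; }
    [ "${#key}" -eq "$want" ] || { echo "key must be $want hex characters for $algo" >&2; return 1; }
    case "$key" in
        *[!0-9a-fA-F]*) echo "key must be hex" >&2; return 1 ;;
    esac
    if is_default_mgm_key "$key"; then
        echo "refusing to install the default management key" >&2
        return 1
    fi
    return 0
}

# Random key of the right size for the algorithm.
new_mgm_key() {
    want=$(mgm_key_hex_len "$1") || return 1
    openssl rand -hex $(( want / 2 ))
}

# rotate_mgm_key [ALGORITHM] [CURRENT_KEY_HEX]
# Prints the new key on stdout; store it in a password manager or HSM-backed
# secret store, since the tool cannot read it back from the device.
rotate_mgm_key() {
    algo="${1:-AES256}"
    current="$2"
    newkey=$(new_mgm_key "$algo") || return 1
    validate_mgm_key "$newkey" "$algo" || return 1
    if [ -n "$current" ]; then
        # Optional-argument short options must be attached: -kVALUE.
        yubico-piv-tool -aset-mgm-key -k"$current" -n"$newkey" -m"$algo" || return 1
    else
        # Bare -k makes the tool prompt for the current key.
        yubico-piv-tool -aset-mgm-key -k -n"$newkey" -m"$algo" || return 1
    fi
    echo "$newkey"
}

# Device step only on request, e.g.: ROTATE_MGM_KEY=1 ./rotate.sh AES256
if [ "${ROTATE_MGM_KEY:-0}" = 1 ]; then
    rotate_mgm_key "$@"
fi
```

On a YubiKey 4 or newer, --touch-policy=always can be added to the set-mgm-key call so that every later administrative action also requires a touch, as the --touch-policy option describes.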
Delete a certificate in slot 9a, with the management key being asked for:

    yubico-piv-tool -adelete-certificate -s9a -k

Show some information on certificates and other data:

    yubico-piv-tool -astatus

Read out the certificate from a slot and then run a signature test:

    yubico-piv-tool -aread-cert -s9a
    yubico-piv-tool -averify-pin -atest-signature -s9a

Import a key into slot 85 (only available on YubiKey 4) and set the touch policy (also only available on YubiKey 4):

    yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem