1 AutoGen Definitions options
;
3 prog
-title
= "GnuTLS PKCS #11 tool";
4 prog
-desc
= "Program to handle PKCS #11 smart cards and security modules.\n";
5 detail
= "Program that allows handling data from PKCS #11 smart cards
8 To use PKCS #11 tokens with gnutls the configuration file
9 /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.
12 short
-usage
= "p11tool [options] [url]\np11tool --help for usage instructions.\n";
22 descrip
= "List all available tokens";
28 descrip
= "Export the object specified by the URL";
33 name
= list
-mechanisms
;
34 descrip
= "List all available mechanisms in a token";
40 descrip
= "List all available objects in a token";
45 name
= list
-all
-certs
;
46 descrip
= "List all available certificates in a token";
52 descrip
= "List all certificates that have an associated private key";
57 name
= list
-all
-privkeys
;
58 descrip
= "List all available private keys in a token";
63 name
= list
-all
-trusted
;
64 descrip
= "List all available certificates marked as trusted";
70 descrip
= "Initializes a PKCS #11 token";
76 descrip
= "Writes the loaded objects to a PKCS #11 token";
77 doc
= "It can be used to write private keys, certificates or secret keys to a token.";
82 descrip
= "Deletes the objects matching the PKCS #11 URL";
88 descrip
= "Generate an RSA private-public key pair";
89 doc
= "Generates an RSA private-public key pair on the specified token.";
94 descrip
= "Generate an RSA private-public key pair";
95 doc
= "Generates an RSA private-public key pair on the specified token.";
99 descrip
= "Generate an RSA private-public key pair";
100 doc
= "Generates an RSA private-public key pair on the specified token.";
106 descrip
= "Sets a label for the write operation";
114 descrip
= "Marks the object to be written as trusted";
122 descrip
= "Marks the object to be written as private";
123 doc
= "The written object will require a PIN to be used.";
128 descrip
= "Force login to token";
136 descrip
= "Print detailed URLs";
145 descrip
= "Provide a hex encoded secret key";
153 descrip
= "Private key file to use";
161 descrip
= "Public key file to use";
166 name
= load
-certificate
;
169 descrip
= "Certificate file to use";
176 descrip
= "Use PKCS #8 format for private keys";
183 descrip
= "Specify the number of bits for key generation";
190 arg
-name
= "Security parameter";
191 descrip
= "Specify the security level";
192 doc
= "This is an alternative to the bits option. Available options are [low, legacy, normal, high, ultra].";
198 descrip
= "Use DER/RAW format for input";
201 doc
= "Use DER/RAW format for input certificates and private keys.";
213 descrip
= "Specify the PKCS #11 provider library";
214 doc
= "This will override the default options in /etc/gnutls/pkcs11.conf";
219 ds
-type
= 'SEE ALSO';
227 ds
-type
= 'EXAMPLES';
230 To view all tokens in your system use
:
232 $ p11tool --list-tokens
235 To view all objects in a token use
:
237 $ p11tool --login --list-all "pkcs11:TOKEN-URL"
240 To store a private key and a certificate in a token run
:
242 $ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
244 $ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
247 Note that some tokens require the same label to be used for the certificate
248 and its corresponding private key.
250 To generate an RSA private key inside the token use
:
252 $ p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" \
253 --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
255 The bits parameter in the above example is explicitly set because some
256 tokens only support a limited number of bits (note that 1024-bit RSA is below the key size currently recommended for new keys; use the largest size your token supports). The output file is the
257 corresponding public key. This key can be used to generate a certificate
258 request with certtool.
260 certtool --generate-request --load-privkey "pkcs11:KEY-URL" \
261 --load-pubkey MyNewKey.pub --outfile request.pem