Man page - yubico-piv-tool(1)

Packages contains this manual

Package:  yubico-piv-tool
apt-get install yubico-piv-tool

Manuals in package:
• yubico-piv-tool(1)
Documentations in package:
• yubico-piv-tool

Manual

YUBICO-PIV-TOOL

NAME
SYNOPSIS
DESCRIPTION

---

NAME

yubico-piv-tool - Tool for managing Personal Identity Verification credentials on Yubikeys

SYNOPSIS

yubico-piv-tool [ OPTION ]...

DESCRIPTION

-h , --help

Print help and exit

--full-help

Print help, including hidden options, and exit

-V , --version

Print version and exit

-v , --verbose [= INT ]

Print more information (default=‘0’)

-r , --reader = STRING

Only use a matching reader (default=‘Yubikey’)

-k , --key [= STRING ]

Management key to use, if no value is specified key will be asked for (default=‘010203040506070801020304050607080102030405060708’)

-a , --action = ENUM

Action to take (possible values="version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "verify-bio", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher", "list-readers", "set-ccc", "write-object", "read-object", "attest", "move-key", "delete-key")

Multiple actions may be given at once and will be executed in order for example --action = verify-pin --action = request-certificate

-s , --slot = ENUM

What key slot to operate on (possible values="9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", "f9")

9a is for PIV Authentication 9c is for Digital Signature (PIN always checked) 9d is for Key Management 9e is for Card Authentication (PIN never checked) 82-95 is for Retired Key Management f9 is for Attestation

--to-slot = ENUM

What slot to move an existing key to (possible values="9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", "f9")

9a is for PIV Authentication 9c is for Digital Signature (PIN always checked) 9d is for Key Management 9e is for Card Authentication (PIN never checked) 82-95 is for Retired Key Management f9 is for Attestation

-A , --algorithm = ENUM

What algorithm to use (possible values="RSA1024", "RSA2048", "RSA3072", "RSA4096", "ECCP256", "ECCP384", "ED25519", "X25519" default=‘RSA2048’)

-H , --hash = ENUM

Hash to use for signatures (possible values="SHA1", "SHA256", "SHA384", "SHA512" default=‘SHA256’)

-n , --new-key = STRING

New management key to use for action set-mgm-key, if omitted key will be asked for

--pin-retries = INT

Number of retries before the pin code is blocked

--puk-retries = INT

Number of retries before the puk code is blocked

-i , --input = STRING

Filename to use as input, - for stdin (default=‘-’)

-o , --output = STRING

Filename to use as output, - for stdout (default=‘-’)

-K , --key-format = ENUM

Format of the key being read/written (possible values="PEM", "PKCS12", "GZIP", "DER", "SSH" default=‘PEM’)

--compress

Compress a large certificate using GZIP before import (default=off)

--global

Reset the whole device over all applications (default=off)

-p , --password = STRING

Password for decryption of private key file, if omitted password will be asked for

-S , --subject = STRING

The subject to use for certificate request

The subject must be written as: /CN=host.example.com/OU=test/O=example.com/

--serial = INT

Serial number of the self-signed certificate

--valid-days = INT

Time (in days) until the self-signed certificate expires (default=‘365’)

-P , --pin = STRING

Pin/puk code for verification, if omitted pin/puk will be asked for

-N , --new-pin = STRING

New pin/puk code for changing, if omitted pin/puk will be asked for

--pin-policy = ENUM

Set pin policy for action generate or import-key. Only available on YubiKey 4 or newer (possible values="never", "once", "always", "matchonce", "matchalways")

--touch-policy = ENUM

Set touch policy for action generate, import-key or set-mgm-key. Only available on YubiKey 4 or newer (possible values="never", "always", "cached")

--id = INT

Id of object for write/read object

-f , --format = ENUM

Format of data for write/read object (possible values="hex", "base64", "binary" default=‘hex’)

--attestation

Add attestation cross-signature (default=off)

-m , --new-key-algo = ENUM

New management key algorithm to use for action set-mgm-key (possible values="TDES", "AES128", "AES192", "AES256" default=‘TDES’)

--scp11

Use encrypted communication as specified by Secure Channel Protocol 11 (SCP11b) (default=off)

---