

6.7.5 Invoking p11tool

Program that allows handling data from PKCS #11 smart cards and security modules.

To use PKCS #11 tokens with gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form ‘load=/usr/lib/opensc-pkcs11.so’.
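The following script is an added example and is not part of the GnuTLS manual or the p11tool sources: it checks a pkcs11.conf of the form described above before gnutls is pointed at it, verifying that each non-comment line is a load= entry and that the named provider module actually exists. The world-writable check is an extra precaution assumed here (the module is loaded into the calling process), not a rule the manual states.

```shell
#!/bin/sh
# Added example, not part of the GnuTLS manual: sanity-check a pkcs11.conf.
# Every non-comment line must have the form load=/path/to/module.so and the
# module must already exist, because gnutls loads it into the process.
# The world-writable check is an assumed extra precaution.
check_pkcs11_conf() {
    conf="$1"
    bad=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                 # blank line or comment
            load=*) module="${line#load=}" ;;
            *) echo "$conf: unrecognised line: $line" >&2
               bad=$((bad + 1)); continue ;;
        esac
        if [ ! -f "$module" ]; then
            echo "$conf: module does not exist: $module" >&2
            bad=$((bad + 1))
        elif [ -n "$(find "$module" -perm -002 2>/dev/null)" ]; then
            echo "$conf: module is world-writable: $module" >&2
            bad=$((bad + 1))
        fi
    done < "$conf"
    return "$bad"        # 0 when every load= line is acceptable
}

# Constructed demonstration: empty files stand in for provider modules.
# Returns 0 when the good conf passes and the bad conf reports 3 problems
# (missing module, world-writable module, malformed line).
demo_pkcs11_conf() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/ok.so";   chmod 644 "$tmp/ok.so"
    : > "$tmp/open.so"; chmod 666 "$tmp/open.so"
    printf '# providers\nload=%s/ok.so\n' "$tmp" > "$tmp/good.conf"
    printf 'load=%s/missing.so\nload=%s/open.so\nlode=%s/ok.so\n' \
        "$tmp" "$tmp" "$tmp" > "$tmp/bad.conf"
    good=0; bad=0
    check_pkcs11_conf "$tmp/good.conf" || good=$?
    check_pkcs11_conf "$tmp/bad.conf" 2>/dev/null || bad=$?
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 3 ]
}
```

Run `check_pkcs11_conf /etc/gnutls/pkcs11.conf` on a real system; a non-zero exit status is the number of offending lines.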

This section was generated by AutoGen, using the agtexi-cmd template and the option descriptions for the p11tool program. This software is released under the GNU General Public License, version 3 or later.

p11tool help/usage (-h)

This is the automatically generated usage text for p11tool. The text printed is the same whether for the help option (-h) or the more-help option (-!). more-help will print the usage text by passing it through a pager program. more-help is disabled on platforms without a working fork(2) function. The PAGER environment variable is used to select the program, defaulting to ‘more’. Both will exit with a status code of 0.

p11tool - GnuTLS PKCS #11 tool - Ver. @VERSION@
USAGE:  p11tool [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [url]

   -d, --debug=num            Enable debugging.
                                - It must be in the range:
                                  0 to 9999
       --outfile=str          Output file
       --list-tokens          List all available tokens
       --export               Export the object specified by the URL
       --list-mechanisms      List all available mechanisms in a token
       --list-all             List all available objects in a token
       --list-all-certs       List all available certificates in a token
       --list-certs           List all certificates that have an associated private key
       --list-all-privkeys    List all available private keys in a token
       --list-all-trusted     List all available certificates marked as trusted
       --initialize           Initializes a PKCS #11 token
       --write                Writes the loaded objects to a PKCS #11 token
       --delete               Deletes the objects matching the PKCS #11 URL
       --generate-rsa         Generate an RSA private-public key pair
       --generate-dsa         Generate a DSA private-public key pair
       --generate-ecc         Generate an ECC private-public key pair
       --label=str            Sets a label for the write operation
       --trusted              Marks the object to be written as trusted
                                - disabled as --no-trusted
       --private              Marks the object to be written as private
                                - disabled as --no-private
                                - enabled by default
       --login                Force login to token
                                - disabled as --no-login
       --detailed-url         Print detailed URLs
                                - disabled as --no-detailed-url
       --secret-key=str       Provide a hex encoded secret key
       --load-privkey=file    Private key file to use
                                - file must pre-exist
       --load-pubkey=file     Public key file to use
                                - file must pre-exist
       --load-certificate=file Certificate file to use
                                - file must pre-exist
   -8, --pkcs8                Use PKCS #8 format for private keys
       --bits=num             Specify the number of bits for key generate
       --sec-param=str        Specify the security level
       --inder                Use DER/RAW format for input
                                - disabled as --no-inder
       --inraw                This is an alias for 'inder'
       --provider=file        Specify the PKCS #11 provider library
                                - file must pre-exist
   -v, --version[=arg]        Output version information and exit
   -h, --help                 Display extended usage information and exit
   -!, --more-help            Extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
Operands and options may be intermixed.  They will be reordered.



Program that allows handling data from PKCS #11 smart cards and security
modules.

To use PKCS #11 tokens with gnutls the configuration file
/etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the
form 'load=/usr/lib/opensc-pkcs11.so'.

please send bug reports to:  bug-gnutls@gnu.org

debug option (-d)

This is the “enable debugging.” option. This option takes an argument number. Specifies the debug level.

write option

This is the “writes the loaded objects to a pkcs #11 token” option. It can be used to write private keys, certificates or secret keys to a token.

generate-rsa option

This is the “generate an rsa private-public key pair” option. Generates an RSA private-public key pair on the specified token.

generate-dsa option

This is the “generate a dsa private-public key pair” option. Generates a DSA private-public key pair on the specified token.

generate-ecc option

This is the “generate an ecc private-public key pair” option. Generates an ECC private-public key pair on the specified token.

private option

This is the “marks the object to be written as private” option.

This option has some usage constraints. It:

is enabled by default (disable it with --no-private).

The written object will require a PIN to be used.

sec-param option

This is the “specify the security level” option. This option takes an argument string ‘Security parameter’. This is an alternative to the bits option. Available options are [low, legacy, normal, high, ultra].

inder option

This is the “use der/raw format for input” option. Use DER/RAW format for input certificates and private keys.

inraw option

This is an alias for the inder option, see the inder option documentation.

provider option

This is the “specify the pkcs #11 provider library” option. This option takes an argument file. This will override the default options in /etc/gnutls/pkcs11.conf.

p11tool exit status

One of the following exit values will be returned:

0 (EXIT_SUCCESS)

Successful program execution.

1 (EXIT_FAILURE)

The operation failed or the command syntax was not valid.

p11tool See Also

certtool (1)

p11tool Examples

To view all tokens in your system use:

$ p11tool --list-tokens

To view all objects in a token use:

$ p11tool --login --list-all "pkcs11:TOKEN-URL"

To store a private key and a certificate in a token run:

$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
          --label "Mykey"
$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
          --label "Mykey"

Note that some tokens require the same label to be used for the certificate and its corresponding private key.
