OpenSC Manual Pages: Section 1

Use the card driver specified by name. The default is to auto-detect the correct card driver.

Format the card or token.

Print help message on screen.

Display information about the card or token.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Specify startkey for format.

Change Startkey with given APDU command.

Causes cardos-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Causes cardos-tool to wait for the token to be inserted into reader.

Specifies the DF to operate in

Creates new RSA key files for arg keys

Creates new PIN file for CHVid

Specifies the RSA exponent, exp, to use in key generation. The default value is 3.

Generate a new RSA key pair

Specifies the key number to operate on. The default is key number 1.

Lists all keys stored in a public key file

Specifies the modulus length to use in key generation. The default value is 1024.

Specifies the private key file id, id, to use

Specifies the public key file id, id, to use

Reads a public key from the card, allowing the user to extract and store or use the public key

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Causes cryptoflex-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Verifies CHV1 before issuing commands

Causes cryptoflex-tool to wait for a card insertion.

Show the DNIe IDESP value.

Show DNIe personal information. Reads and print DNIe number and User Name and SurName

Displays every available information. This command is equivalent to -d -i -s

Displays DNIe Serial Number

Show DNIe sw version. Displays software version for in-card DNIe OS

Specify the user pin pin to use. If set to env:VARIABLE, the value of the environment variable VARIABLE is used. The default is do not enter pin

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Specify the card driver driver to use. Default is use driver from configuration file, or auto-detect if absent

Causes dnie-tool to wait for the token to be inserted into reader.

Causes dnie-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Print help and exit.

Print version and exit.

Specify the reader to use. Use -1 as arg to automatically detect the reader to use. By default, the first reader with a present card is used.

Causes egk-tool to be more verbose. Specify this flag several times to be more verbose.

Executes the given program with data in environment variables.

Print help message on screen.

Prints all data fields from the card, like validity period, document number etc.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Prints key usage statistics (only for Estonian ID card).

Prints the version of the utility and exits.

Wait for a card to be inserted

Initialize token.

Define the administrator key

Define user PIN.

Define serial number.

Unblock the user PIN after an administrator authentication.

Change the administrator key.

Define the new administrator key.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Wait for a card to be inserted.

Verbose operation. Use several times to enable debug output.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Get list of the on-card applications.

Select hex-aid before processing.

List SDOs of the given sdo-type, present in default or selected application.

Causes cardos-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Causes iasecc-tool to wait for the token to be inserted into reader.

Displays a short help message.

Specifies the current value of the global PIN.

Specifies the current value of the global PUK.

Specifies the current value of the local PIN0 (aka local PIN).

Specifies the current value of the local PIN1 (aka local PUK).

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.

This command will read one of your cards certificates (as specified by number) and save this certificate into file filename in PEM-format. Certificates on a NetKey E4 card are readable without a pin, so you don't have to specify one.

This command will read the first PEM-encoded certificate from file filename and store this into your smart cards certificate file number. Some of your smart cards certificate files might be readonly, so this will not work with all values of number. If a certificate file is writable you must specify a pin in order to change it. If you try to use this command without specifying a pin, netkey-tool will tell you which one is needed.

This changes the value of the specified pin to the given new value. You must specify either the current value of the pin or another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

This command can be executed only if the global PIN of your card is in nullpin-state. There's no way to return back to nullpin-state once you have changed your global PIN. You don't need a pin to execute the nullpin-command. After a successful nullpin-command netkey-tool will display your cards initial PUK-value.

This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

Print help and exit.

Print version and exit.

Specify the reader to use. Use -1 as arg to automatically detect the reader to use. By default, the first reader with a present card is used.

Causes npa-tool to be more verbose. Specify this flag several times to be more verbose.

Delete key indicated by arg. arg can be 1, 2, 3, or all.

Dump private data object (DO) indicated by arg. arg can be in the form x, 10x, or 010x to access DO 010x, where x is 1, 2, 3, or 4.

Erase (i.e. reset) the card.

Execute the given program with data in environment variables.

Generate key with the ID given as arg. arg can be one of 1, 2, or 3.

Print help message on screen.

Specify the length of the key to be generated. If not given, it defaults to 2048 bit.

The PIN text to verify. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

Print values in pretty format.

Print values in raw format, as they are stored on the card.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Show card holder information.

Verify PIN (CHV1, CHV2 or CHV3).

Print the version of the utility and exit.

Verbose operation. Use several times to enable debug output.

Wait for a card to be inserted.

Print help and exit.

Print version and exit.

Use the given card driver. The default is auto-detected.

Select the file referenced by the given path on startup. The default is the path to the standard master file, 3F00. If path is empty (e.g. opensc-explorer --mf ""), then no file is explicitly selected.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Causes opensc-explorer to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Wait for a card to be inserted

Send a custom APDU command hex-data.

Parse and print the ASN.1 encoded content of the file specified by file-id.

Print the contents of the currently selected EF or the contents of a file specified by file-id or the short file id short-id.

Change to another DF specified by the argument passed. If the argument given is .., then move up one level in the file system hierarchy. If it is file-id, which must be a DF directly beneath the current DF, then change to that DF. If it is an application identifier given as aid:DF-name, then jump to the MF of the application denoted by DF-name.

Change a PIN, where pin-ref is the PIN reference.

Examples:

Create a new EF. file-id specifies the id number and size is the size of the new file.

Set OpenSC debug level to level.

If level is omitted the current debug level will be shown.

Remove the EF or DF specified by file-id

Copy the internal card's 'tagged' data into the local file.

The local file is specified by output while the tag of the card's data is specified by hex-tag.

If output is omitted, the name of the output file will be derived from hex-tag.

Update internal card's 'tagged' data.

hex-tag is the tag of the card's data. input is the filename of the source file or the literal data presented as a sequence of hexadecimal values or " enclosed string.

Print the strings given.

Erase the card, if the card supports it.

Copy an EF to a local file. The local file is specified by output while the card file is specified by file-id.

If output is omitted, the name of the output file will be derived from the full card path to file-id.

Display attributes of a file specified by file-id. If file-id is not supplied, the attributes of the current file are printed.

List files in the current DF. If no pattern is given, then all files are listed. If one ore more patterns are given, only files matching at least one pattern are listed.

Find all files in the current DF. Files are found by selecting all file identifiers in the range from start-fid to end-fid (by default from 0000 to FFFF).

Find all tags of data objects in the current context. Tags are found by using GET DATA in the range from start-tag to end-tag (by default from 0000 to FFFF).

Create a DF. file-id specifies the id number and size is the size of the new file.

Copy a local file to the card. The local file is specified by input while the card file is specified by file-id.

Exit the program.

Generate random sequence of count bytes.

Remove the EF or DF specified by file-id

Unblock the PIN denoted by pin-ref using the PUK puk, and set potentially change its value to new-pin.

PUK and PIN values can be a sequence of hexadecimal values, "-enclosed strings, empty (""), or absent. If they are absent, the values are read from the card reader's pin pad.

Examples:

Binary update of the file specified by file-id with the literal data data starting from offset specified by offs.

data can be supplied as a sequencer of the hex values or as a " enclosed string.

Update record specified by rec-nr of the file specified by file-id with the literal data data starting from offset specified by rec-offs.

data can be supplied as a sequence of the hex values or as a " enclosed string.

Present a PIN or key to the card, where key-type can be one of CHV, KEY, AUT or PRO. key-id is a number representing the key or PIN reference. key is the key or PIN to be verified, formatted as a colon-separated list of hex values or a " enclosed string.

If key is omitted, the exact action depends on the card reader's features: if the card readers supports PIN input via a pin pad, then the PIN will be verified using the card reader's pin pad. If the card reader does not support PIN input, then the PIN will be asked interactively.

Examples:

Calls the card's open or close Secure Messaging handler.

Print help and exit.

Print version and exit.

Print the OpenSC package release version.

Print the Answer To Reset (ATR) of the card. Output is in hex byte format

Use the given card driver. The default is auto-detected.

Lists algorithms supported by card

Print information about OpenSC, such as version and enabled components.

List all installed card drivers.

Recursively list all files stored on card.

List all configured readers.

Print the name of the inserted card (driver).

Get configuration key, format: section:name:key

Get configuration key, format: section:name:key:value

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Resets the card in reader. The default reset type is cold, but warm reset is also possible.

Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF....

Print the card serial number (normally the ICCSN). Output is in hex byte format

Causes opensc-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Wait for a card to be inserted.

Print the card serial number derived from the CHUID object, if any. Output is in hex byte format.

Print the name of the inserted card (driver)

Authenticate to the card using a 2DES or 3DES key. The argument of the form

 {A|M}:ref:alg

is required, were A uses "EXTERNAL AUTHENTICATION" and M uses "MUTUAL AUTHENTICATION". ref is normally 9B, and alg is 03 for 3DES. The key is provided by the card vendor, and the environment variable PIV_EXT_AUTH_KEY must point to a text file containing the key in the format: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Generate a key pair on the card and output the public key. The argument of the form

ref:alg

is required, where ref is 9A, 9C, 9D or 9E and alg is 06, 07, 11 or 14 for RSA 1024, RSA 2048, ECC 256 or ECC 384 respectively.

Load an object onto the card. The ContainerID is as defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000

Load a certificate onto the card. ref is 9A, 9C, 9D or 9E

Load a certificate that has been gzipped onto the card. ref is 9A, 9C, 9D or 9E

Output file for any operation that produces output.

Input file for any operation that requires an input file.

Print properties of the key slots. Needs 'admin' authentication.

Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF.... This option may be repeated.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Use the given card driver. The default is auto-detected.

Wait for a card to be inserted

Causes piv-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Extract information from filename (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute.

Change the user PIN on the token

Unlock User PIN (without --login unlock in logged in session; otherwise --login-type has to be 'context-specific').

Hash some data.

Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption. Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may also allow "SHA224". Default is "SHA-1".

Note that the input to RSA-PKCS-PSS has to be of the size equal to the specified hash algorithm. E.g., for SHA256 the signature input must be exactly 32 bytes long (for mechanisms SHA256-RSA-PKCS-PSS there is no such restriction). For RSA-OAEP, the plaintext input size mLen must be at most keyLen - 2 - 2*hashLen. For example, for RSA 3072-bit key and SHA384, the longest plaintext to encrypt with RSA-OAEP is (with all sizes in bytes): 384 - 2 - 2*48 = 286, aka 286 bytes.

Specify the id of the object to operate on.

Initializes the user PIN. This option differs from --change-pin in that it sets the user PIN for the first time. Once set, the user PIN can be changed using --change-pin.

Initialize a token: set the token label as well as a Security Officer PIN (the label must be specified using --label).

Specify the path to a file for input.

Generate a new key pair (public and private pair.)

Generate a new key.

Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1.

Specify 'sign' key usage flag (sets SIGN in privkey, sets VERIFY in pubkey).

Specify 'decrypt' key usage flag (RSA only, set DECRYPT privkey, ENCRYPT in pubkey).

Specify 'derive' key usage flag (EC only).

Specify the name of the object to operate on (or the token label when --init-token is used).

Display a list of mechanisms supported by the token.

Display a list of objects.

Display a list of available slots on the token.

List slots with tokens.

Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.

Specify login type ('so', 'user', 'context-specific'; default:'user').

Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token. The mechanism can also be specified in hexadecimal, e.g., 0x80001234.

Use the specified Message Generation Function (MGF) function for RSA-PKCS-PSS signatures or RSA-OAEP decryptions. Supported arguments are MGF1-SHA1 to MGF1-SHA512 if supported by the driver. The default is based on the hash selection.

Specify a PKCS#11 module (or library) to load.

Test a Mozilla-like keypair generation and certificate request. Specify the filename to the certificate file.

Specify the path to a file for output.

Use the given pin for token operations. If set to env:VARIABLE, the value of the environment variable VARIABLE is used. WARNING: Be careful using this option as other users may be able to read the command line from the system or if it is embedded in a script. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

This option will also set the --login option.

Supply User PUK on the command line.

Supply new User PIN on the command line.

Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext).

Set the CKA_ID of the object.

Display general token information.

Sign some data.

Decrypt some data.

Derive a secret key using another key and some data.

Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations

Specify how many bytes of salt should be used in RSA-PSS signatures. Accepts two special values: "-1" means salt length equals to digest length, "-2" means use maximum permissible length. Default is digest length (-1).

Specify the id of the slot to use.

Specify the description of the slot to use.

Specify the index of the slot to use.

Specify the label of token. Will be used the first slot, that has the inserted token with this label.

Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). If set to env:VARIABLE, the value of the environment variable VARIABLE is used. The same warning as --pin also applies here.

Perform some tests on the token. This option is most useful when used with either --login or --pin.

Test hotplug capabilities (C_GetSlotList + C_WaitForSlotEvent).

Set the CKA_PRIVATE attribute (object is only viewable after a login).

Test EC (best used with the --login or --pin option).

Test forking and calling C_Initialize() in the child.

Specify the type of object to operate on. Examples are cert, privkey and pubkey.

Cause pkcs11-tool to be more verbose.

NB! This does not affect OpenSC debugging level! To set OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG environment variable to a non-zero number.

Get object's CKA_VALUE attribute (use with --type).

Delete an object.

Specify the application label of the data object (use with --type data).

Specify the application ID of the data object (use with --type data).

Specify the issuer in hexadecimal format (use with --type cert).

Specify the subject in hexadecimal format (use with --type cert/privkey/pubkey).

Format for ECDSA signature: 'rs' (default), 'sequence', 'openssl'.

Write a key or certificate object to the token. filename points to the DER-encoded certificate or key file.

Get num bytes of random data.

Print the OpenSC package release version.

Specify the AID of the on-card PKCS#15 application to bind to. The aid must be in hexadecimal form.

Decrypt the contents of the file specified by the --input option. The result of the decryption operation is written to the file specified by the --output option. If this option is not given, the decrypted data is printed to standard output, displaying non-printable characters using their hex notation xNN (see also --raw).

Specifies the input file to use. Defaults to stdin if not specified.

Selects the ID of the key to use.

Any output will be sent to the specified file. Defaults to stdout if not specified.

When the cryptographic operation requires a PIN to access the key, pkcs15-crypt will prompt the user for the PIN on the terminal. Using this option allows you to specify the PIN on the command line.

Note that on most operating systems, the command line of a process can be displayed by any user using the ps(1) command. It is therefore a security risk to specify secret information such as PINs on the command line. If you specify '-' as PIN, it will be read from STDIN.

By default, pkcs15-crypt assumes that input data has been padded to the correct length (i.e. when computing an RSA signature using a 1024 bit key, the input must be padded to 128 bytes to match the modulus length). When giving the --pkcs1 option, however, pkcs15-crypt will perform the required padding using the algorithm outlined in the PKCS #1 standard version 1.5.

Outputs raw 8 bit data.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

These options tell pkcs15-crypt that the input file is the result of the specified hash operation. By default, an MD5 hash is expected. Again, the data must be in binary representation.

Perform digital signature operation on the data read from a file specified using the --input option. By default, the contents of the file are assumed to be the result of an MD5 hash operation. Note that pkcs15-crypt expects the data in binary representation, not ASCII.

The digital signature is stored, in binary representation, in the file specified by the --output option. If this option is not given, the signature is printed on standard output, displaying non-printable characters using their hex notation xNN (see also --raw).

When signing with ECDSA key this option indicates to pkcs15-crypt the signature output format. Possible values are 'rs'(default) -- two concatenated integers (PKCS#11), 'sequence' or 'openssl' -- DER encoded sequence of two integers (OpenSSL).

Causes pkcs15-crypt to wait for a card insertion.

Causes pkcs15-crypt to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Print the OpenSC package release version.

Tells pkcs15-init to load the specified card profile option. You will rarely need this option.

This tells pkcs15-init to create a PKCS #15 structure on the card, and initialize any PINs.

Specify the serial number of the card.

This will erase the card prior to creating the PKCS #15 structure, if the card supports it. If the card does not support erasing, pkcs15-init will fail.

This will erase the application with the application identifier AID.

Tells the card to generate new key and store it on the card. keyspec consists of an algorithm name (currently, the only supported name is RSA), optionally followed by a slash and the length of the key in bits. It is a good idea to specify the key ID along with this command, using the id option, otherwise an intrinsic ID will be calculated from the key material. Look the description of the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details about the algorithm used to calculate intrinsic ID. For the multi-application cards the target PKCS#15 application can be specified by the hexadecimal AID value of the aid option.

Tells pkcs15-init to read additional options from filename. The file is supposed to contain one long option per line, without the leading dashes, for instance:

pin		1234
puk		87654321
							

You can specify --options-file several times.

These options can be used to specify PIN/PUK values on the command line. If set to env:VARIABLE, the value of the environment variable VARIABLE is used. Note that on most operation systems, any user can display the command line of any process on the system using utilities such as ps(1). Therefore, you should use these options only on a secured system, or in an options file specified with --options-file.

Do not install a SO PIN, and do not prompt for it.

Tells pkcs15-init to load the specified general profile. Currently, the only application profile defined is pkcs15, but you can write your own profiles and specify them using this option.

The profile name can be combined with one or more profile options, which slightly modify the profile's behavior. For instance, the default OpenSC profile supports the openpin option, which installs a single PIN during card initialization. This PIN is then used both as the SO PIN as well as the user PIN for all keys stored on the card.

Profile name and options are separated by a + character, as in pkcs15+onepin.

keyspec describes the algorithm and length of the key to be created or downloaded, such as aes/256. This will create a 256 bit AES key.

Tells pkcs15-init to store the certificate given in filename on the card, creating a certificate object with the ID specified via the --id option. Without supplied ID an intrinsic ID will be calculated from the certificate's public key. Look the description of the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details about the algorithm used to calculate intrinsic ID. The file is assumed to contain the PEM encoded certificate. For the multi-application cards the target application can be specified by the hexadecimal AID value of the aid option.

Store a new PIN/PUK on the card.

Tells pkcs15-init to download the specified public key to the card and create a public key object with the key ID specified via the --id. By default, the file is assumed to contain the key in PEM format. Alternative formats can be specified using --format.

Tells pkcs15-init to download the specified private key to the card. This command will also create a public key object containing the public key portion. By default, the file is assumed to contain the key in PEM format. Alternative formats can be specified using --format. It is a good idea to specify the key ID along with this command, using the --id option, otherwise an intrinsic ID will be calculated from the key material. Look the description of the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details about the algorithm used to calculate intrinsic ID. For the multi-application cards the target PKCS#15 application can be specified by the hexadecimal AID value of the aid option.

Tells pkcs15-init to download the specified secret key to the card. The file is assumed to contain the raw key. They key type should be specified with --secret-key-algorithm option.

You may additionally specify the key ID along with this command, using the --id option, otherwise a random ID is generated. For the multi-application cards the target PKCS#15 application can be specified by the hexadecimal AID value of the aid option.

Store a data object.

Tells pkcs15-init to update the certificate object with the ID specified via the --id option with the certificate in filename. The file is assumed to contain a PEM encoded certificate.

Pay extra attention when updating mail decryption certificates, as missing certificates can render e-mail messages unreadable!

Tells pkcs15-init to delete the specified object. arg is comma-separated list containing any of privkey, pubkey, secrkey, cert, chain or data.

When data is specified, an ---application-id must also be specified, in the other cases an --id must also be specified

When chain is specified, the certificate chain starting with the cert with specified ID will be deleted, until there's a CA certificate that certifies another cert on the card

Tells pkcs15-init to change the specified attribute. arg is either privkey, pubkey, secrkey, cert or data. You also have to specify the --id of the object. For now, you can only change the --label, e.g:

								pkcs15-init -A cert --id 45 -a 1 --label Jim
							

Tells pkcs15-init to not ask for the transport keys and use default keys, as known by the card driver.

Tells pkcs15-init to perform a card specific sanity check and possibly update procedure.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Causes pkcs15-init to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Causes pkcs15-init to wait for a card insertion.

Do not prompt the user; if no PINs supplied, pinpad will be used.

Specify ID of PUK to use/create

Specify label of PUK

Specify public key label (use with --generate-key)

Specify user cert label (use with --store-private-key)

Specify application name of data object (use with --store-data-object)

Specify AID of the on-card PKCS#15 application to be binded to (in hexadecimal form)

Output public portion of generated key to file

Specify passphrase for unlocking secret key

Mark certificate as a CA certificate

Specifies the X.509 key usage. arg is comma-separated list containing any of digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign. Abbreviated names are allowed if unique (e.g. dataEnc).

The alias sign is equivalent to digitalSignature,keyCertSign,cRLSign

The alias decrypt is equivalent to keyEncipherment,dataEncipherment

Finish initialization phase of the smart card

Update 'lastUpdate' attribute of tokenInfo

When storing PKCS#12 ignore CA certificates

Store or update existing certificate

Private key stored as an extractable key

Insecure mode: do not require a PIN for private key

For a new key specify GUID for a MD container

Display help message

Print the OpenSC package release version.

Specify in a hexadecimal form the AID of the on-card PKCS#15 application to bind to.

Specifies the auth id of the PIN to use for the operation. This is useful with the --change-pin operation.

Changes a PIN or PUK stored on the token. User authentication is required for this operation.

List all card objects.

List card objects.

List the on-card PKCS#15 applications.

List all certificates stored on the token.

List all data objects stored on the token. For some cards the PKCS#15 attributes of the private data objects are protected for reading and need the authentication with the User PIN. In such a case the --verify-pin option has to be used.

List all private keys stored on the token. General information about each private key is listed (eg. key name, id and algorithm). Actual private key values are not displayed. For some cards the PKCS#15 attributes of the private keys are protected for reading and need the authentication with the User PIN. In such a case the --verify-pin option has to be used.

List all secret (symmetric) keys stored on the token. General information about each secret key is listed (eg. key name, id and algorithm). Actual secret key values are not displayed. For some cards the PKCS#15 attributes of the private keys are protected for reading and need the authentication with the User PIN. In such a case the --verify-pin option has to be used.

List all PINs stored on the token. General information about each PIN is listed (eg. PIN name). Actual PIN values are not shown.

List all public keys stored on the token, including key name, id, algorithm and length information.

Output lists in compact format.

Disables token data caching.

Removes the user's cache directory. On Windows, this option additionally removes the system's caching directory (requires administrator privileges).

Removes the user's cache directory. On Windows, this option additionally removes the system's caching directory (requires administrator privileges).

Specifies where key output should be written. If filename already exists, it will be overwritten. If this option is not given, keys will be printed to standard output.

Changes how --read-data-object prints the content to standard output. By default, when --raw is not given, it will print the content in hex notation. If --raw is set, it will print the binary data directly. This does not affect the output that is written to the file specified by the --output option. Data written to a file will always be in raw binary.

Reads the certificate with the given id.

Reads data object with OID, applicationName or label. The content is printed to standard output in hex notation, unless the --raw option is given. If an output file is given with the --output option, the content is additionally written to the file. Output to the file is always written in raw binary mode, the --raw only affects standard output behavior.

Reads the public key with id id, allowing the user to extract and store or use the public key.

Reads the public key with id id, writing the output in format suitable for $HOME/.ssh/authorized_keys.

The key label, if any will be shown in the 'Comment' field.

When used in conjunction with option --read-ssh-key the output format of the public key follows rfc4716.

Test if the card needs a security update

Update the card with a security update

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Unblocks a PIN stored on the token. Knowledge of the Pin Unblock Key (PUK) is required for this operation.

Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Specify PIN

Specify Unblock PIN

Specify New PIN (when changing or unblocking)

Verify PIN after card binding and before issuing any command (without 'auth-id' the first non-SO, non-Unblock PIN will be verified)

Equivalent to --verify-pin with additional session PIN generation

Causes pkcs15-tool to wait for a card insertion.

Do not prompt the user; if no PINs supplied, pinpad will be used.

Initialize token, removing all existing keys, certificates and files.

Use --so-pin to define SO-PIN for first initialization or to verify in subsequent initializations.

Use --pin to define the initial user pin value.

Use --pin-retry to define the maximum number of wrong user PIN presentations.

Use with --dkek-shares to enable key wrap / unwrap.

Use with --label to define a token label

Create a DKEK share encrypted under a password and save it to the file given as parameter.

Use --password to provide a password for encryption rather than prompting for one.

Use --pwd-shares-threshold and --pwd-shares-total to randomly generate a password and split is using a (t, n) threshold scheme.

Prompt for user password, read and decrypt DKEK share and import into SmartCard-HSM.

Use --password to provide a password for decryption rather than prompting for one.

Use --pwd-shares-total to specify the number of shares that should be entered to reconstruct the password.

Wrap the key referenced in --key-reference and save with it together with the key description and certificate to the given file.

Use --pin to provide the user PIN on the command line.

Read wrapped key, description and certificate from file and import into SmartCard-HSM under the key reference given in --key-reference.

Determine the key reference using the output of pkcs15-tool -D.

Use --pin to provide a user PIN on the command line.

Use --force to remove any key, key description or certificate in the way.

Define the number of DKEK shares to use for recreating the DKEK.

This is an optional parameter. Using --initialize without --dkek-shares will disable the DKEK completely.

Using --dkek-shares with 0 shares requests the SmartCard-HSM to generate a random DKEK. Keys wrapped with this DKEK can only be unwrapped in the same SmartCard-HSM.

After using --initialize with one or more DKEK shares, the SmartCard-HSM will remain in the initialized state until all DKEK shares have been imported. During this phase no new keys can be generated or imported.

Define SO-PIN for initialization. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

Define user PIN for initialization, wrap or unwrap operation. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

Define number of PIN retries for user PIN during initialization. Default is 3.

Define password for DKEK share encryption. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

Define threshold for number of password shares required for reconstruction.

Define number of password shares.

Force removal of existing key, description and certificate.

Define the token label to be used in --initialize.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Wait for a card to be inserted

Causes sc-hsm-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Changes a PIN stored on the card. User authentication is required for this operation.

Write certificate file file in PEM format to the card. User authentication is required for this operation.

Finalize the card. Once finalized the default key is invalidated, so PIN and PUK cannot be changed anymore without user authentication.

Warning, un-finalized cards are insecure because the PIN can be changed without user authentication (knowledge of default key is enough).

Generate a private key on the card. The card must not have been finalized and a PIN must be installed (i.e. the file for the PIN must have been created, see option -i). By default the key length is 1536 bits. User authentication is required for this operation.

Print help message on screen.

Install PIN file in on the card. You must provide a PIN value with -x.

Change the length of private key. Use with -g.

Overwrite the key if there is already a key on the card.

Set value of PIN. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

set value of PUK (or value of new PIN for change PIN command see -n). If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

Read the file filename from the card. The file is written on disk with name filename. User authentication is required for this operation.

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

Unblocks a PIN stored on the card. Knowledge of the PIN Unblock Key (PUK) is required for this operation.

Causes westcos-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Wait for a card to be inserted.

Put the file with name filename from disk to card. On the card the file is written in filename. User authentication is required for this operation.