The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it.
--attr-from path
    Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute.

--change-pin, -c
    Change the user PIN on the token.

--hash, -h
    Hash some data.

--id id, -d id
    Specify the id of the object to operate on.

--init-pin
    Initializes the user PIN. This option differs from --change-pin in that it sets the user PIN for the first time. Once set, the user PIN can be changed using --change-pin.

--init-token
    Initialize a token: set the token label as well as a Security Officer PIN (the label must be specified using --label).

--input-file path, -i path
    Specify the path to a file for input.
--keypairgen, -k
    Generate a new key pair (a public and private key pair).
--label name, -a name
    Specify the name of the object to operate on (or the token label when --init-token is used).

--list-mechanisms, -M
    Display a list of mechanisms supported by the token.

--list-objects, -O
    Display a list of objects.

--list-slots, -L
    Display a list of available slots on the token.

--list-token-slots, -T
    List slots with tokens.

--login, -l
    Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.

--mechanism mechanism, -m mechanism
    Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token.

--module mod
    Specify a PKCS#11 module (or library) to load.

--moz-cert path, -z path
    Test a Mozilla-like keypair generation and certificate request. Specify the path to the certificate file.

--output-file path, -o path
    Specify the path to a file for output.
--pin pin, -p pin
    Use the given pin for token operations. If set to env:VARIABLE, the value of the environment variable VARIABLE is used. WARNING: Be careful using this option, as other users may be able to read the command line from the system, or the PIN may be exposed if it is embedded in a script.
    This option will also set the --login option.
--set-id id, -e id
    Set the CKA_ID of the object.

--show-info, -I
    Display general token information.

--sign, -s
    Sign some data.

--decrypt
    Decrypt some data.

--slot id
    Specify the id of the slot to use.

--slot-description description
    Specify the description of the slot to use.

--slot-index index
    Specify the index of the slot to use.
--token-label label
    Specify the label of the token. The first slot that contains an inserted token with this label will be used.
--so-pin pin
    Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). If set to env:VARIABLE, the value of the environment variable VARIABLE is used. The same warning as for --pin also applies here.

--test, -t
    Perform some tests on the token. This option is most useful when used with either --login or --pin.

--type type, -y type
    Specify the type of object to operate on. Examples are cert, privkey and pubkey.

--verbose, -v
    Cause pkcs11-tool to be more verbose.
    NB! This does not affect the OpenSC debugging level! To set the OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG environment variable to a non-zero number.
--write-object path, -w path
    Write a key or certificate object to the token. path points to the DER-encoded certificate or key file.
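The warning under --pin and --so-pin is easiest to honour by never placing the PIN itself in argv and instead using the env:VARIABLE form. The following wrapper is an added example, not part of the OpenSC sources: it builds a pkcs11-tool command line that references the PIN only by environment variable name, checks that the secret does not appear in argv, and runs the tool with the PIN injected into the child's environment. The module path, the variable name PKCS11_PIN, the key id and the mechanism name are assumptions to adjust for your setup.

```python
"""Invoke pkcs11-tool without exposing the user PIN on the command line."""
import os
import shutil
import subprocess
from getpass import getpass

PIN_VAR = "PKCS11_PIN"  # assumed variable name; any name works with env:VARIABLE


def build_argv(module, slot, operation, pin_var=PIN_VAR):
    """Return a pkcs11-tool argv that names the PIN only as env:VARIABLE.

    `operation` holds the operation-specific options, for example
    ["--sign", "--id", "01", "-m", "SHA256-RSA-PKCS", "-i", "in.bin", "-o", "sig.bin"].
    """
    return ["pkcs11-tool", "--module", module, "--slot", str(slot),
            "--login", "--pin", f"env:{pin_var}", *operation]


def leaks_secret(argv, secret):
    """True if the secret value itself appears in any argv element.

    Anything in argv can be read by other users via the process list,
    so this is the check a wrapper script should make before exec.
    """
    return any(secret in arg for arg in argv)


def run_pkcs11(argv, pin, pin_var=PIN_VAR):
    """Run pkcs11-tool, passing the PIN to the child only via its environment."""
    env = dict(os.environ)
    env[pin_var] = pin
    return subprocess.run(argv, env=env, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    module = "/usr/lib/opensc-pkcs11.so"  # assumption: platform-specific path
    argv = build_argv(module, 0, ["--sign", "--id", "01", "-m", "SHA256-RSA-PKCS",
                                  "-i", "digest.bin", "-o", "sig.bin"])
    pin = getpass("User PIN: ")  # prompted, never typed into a shell history
    if leaks_secret(argv, pin):
        raise SystemExit("refusing to run: PIN would be visible in argv")
    if shutil.which("pkcs11-tool"):
        print(run_pkcs11(argv, pin).stdout)
```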