Executes the given program with data in environment variables.

Print help message on screen.

Prints all data fields from the card, like validity period, document number etc.

Use the given reader. The default is the first reader with a card.

Prints key usage statistics (only for Estonian ID card).

Prints the version of the utility and exits.

Wait for a card to be inserted

Use the card driver specified by name. The default is to auto-detect the correct card driver.

Format the card or token.

Display information about the card or token.

Specify the reader number number to use. The default is reader 0.

Causes cardos-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Causes cardos-tool to wait for the token to be inserted into reader.

Specifies the DF to operate in

Creates new RSA key files for arg keys

Creates new PIN file for CHVid

Specifies the RSA exponent, exp, to use in key generation. The default value is 3.

Generate a new RSA key pair

Specifies the key number to operate on. The default is key number 1.

Lists all keys stored in a public key file

Specifies the modulus length to use in key generation. The default value is 1024.

Specifies the private key file id, id, to use

Specifies the public key file id, id, to use

Reads a public key from the card, allowing the user to extract and store or use the public key

Forces cryptoflex-tool to use reader number num for operations. The default is to use reader number 0, the first reader in the system.

Causes cryptoflex-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Verifies CHV1 before issuing commands

Displays a short help message.

Specifies the current value of the global PIN.

Specifies the current value of the global PUK.

Specifies the current value of the local PIN0 (aka local PIN).

Specifies the current value of the local PIN1 (aka local PUK).

Use smart card in specified reader. Default is reader 0.

Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.

This command will read one of your cards certificates (as specified by number) and save this certificate into file filename in PEM-format. Certificates on a NetKey E4 card are readable without a pin, so you don't have to specify one.

This command will read the first PEM-encoded certificate from file filename and store this into your smart cards certificate file number. Some of your smart cards certificate files might be readonly, so this will not work with all values of number. If a certificate file is writable you must specify a pin in order to change it. If you try to use this command without specifying a pin, netkey-tool will tell you which one is needed.

This changes the value of the specified pin to the given new value. You must specify either the current value of the pin or another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

This command can be executed only if the global PIN of your card is in nullpin-state. There's no way to return back to nullpin-state once you have changed your global PIN. You don't need a pin to execute the nullpin-command. After a succesfull nullpin-command netkey-tool will display your cards initial PUK-value.

This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

Execute the given program with data in environment variables.

Print help message on screen.

Print values in raw format, as they are stored on the card.

Print values in pretty format.

Show card holder information.

Use the given reader. The default is the first reader with a card.

Verify PIN (CHV1, CHV2 or CHV3).

The PIN text to verify. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

Generate key. Specify key ID (1, 2 or 3) to generate.

Length (default 2048 bit) of the key to be generated.

Print the version of the utility and exit.

Verbose operation. Use several times to enable debug output.

Wait for a card to be inserted.

Specify the reader number number to use. The default is reader 0.

Get list of the on-card applications.

Select hex-aid before processing.

List SDOs of the given sdo-type, present in default or selected application.

Causes cardos-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Causes iasecc-tool to wait for the token to be inserted into reader.

Print the OpenSC package release version.

Print the Answer To Reset (ATR) of the card. Output is in hex byte format

Use the given card driver. The default is auto-detected.

Print information about OpenSC, such as version and enabled components.

List all installed card drivers.

Recursively list all files stored on card.

List all configured readers.

Print the name of the inserted card (driver).

Use the given reader number. The default is 0, the first reader in the system.

Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF....

Print the card serial number (normally the ICCSN). Output is in hex byte format

Causes opensc-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Wait for a card to be inserted.

Use the given card driver. The default is auto-detected.

Select the file referenced by the given path on startup. The default is the path to the standard master file, 3F00. If path is empty (e.g. opensc-explorer --mf ""), then no file is explicitly selected.

Use the given reader number. The default is 0, the first reader in the system.

Causes opensc-explorer to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Wait for a card to be inserted

Send a custom APDU command hex-data.

Parse and print the ASN.1 encoded content of the file specified by file-id.

Print the contents of the currently selected EF or the contents of a file specified by file-id or the short file id short-id.

Change to another DF specified by the argument passed. If the argument given is .., then move up one level in the file system hierarchy. If it is file-id, which must be a DF directly beneath the current DF, then change to that DF. If it is an application identifier given as aid:DF-name, then jump to the MF of the application denoted by DF-name.

Change a PIN, where pin-ref is the PIN reference.

Examples:

Create a new EF. file-id specifies the id number and size is the size of the new file.

Set OpenSC debug level to level.

If level is omitted the current debug level will be shown.

Remove the EF or DF specified by file-id

Copy the internal card's 'tagged' data into the local file.

The local file is specified by output while the tag of the card's data is specified by hex-tag.

If output is omitted, the name of the output file will be derived from hex-tag.

Update internal card's 'tagged' data.

hex-tag is the tag of the card's data. input is the filename of the source file or the literal data presented as a sequence of hexadecimal values or " enclosed string.

Print the strings given.

Erase the card, if the card supports it.

Copy an EF to a local file. The local file is specified by output while the card file is specified by file-id.

If output is omitted, the name of the output file will be derived from the full card path to file-id.

Display attributes of a file specified by file-id. If file-id is not supplied, the attributes of the current file are printed.

List files in the current DF. If no pattern is given, then all files are listed. If one ore more patterns are given, only files matching at least one pattern are listed.

Find all files in the current DF. Files are found by selecting all file identifiers in the range from start-fid to end-fid (by default from 0000 to FFFF).

Find all tags of data objects in the current context. Tags are found by using GET DATA in the range from start-tag to end-tag (by default from 0000 to FFFF).

Create a DF. file-id specifies the id number and size is the size of the new file.

Copy a local file to the card. The local file is specified by input while the card file is specified by file-id.

Exit the program.

Generate random sequence of count bytes.

Remove the EF or DF specified by file-id

Unblock the PIN denoted by pin-ref using the PUK puk, and set potentially change its value to new pin.

PUK and PIN values can be a sequence of hexadecimal values, "-enclosed strings, empty (""), or absent. If they are absent, the values are read from the card reader's pin pad.

Examples:

Binary update of the file specified by file-id with the literal data data starting from offset specified by offs.

data can be supplied as a sequencer of the hex values or as a " enclosed string.

Update record specified by rec-nr of the file specified by file-id with the literal data data starting from offset specified by rec-offs.

data can be supplied as a sequence of the hex values or as a " enclosed string.

Present a PIN or key to the card, where key-type can be one of CHV, KEY, AUT or PRO. key-id is a number representing the key or PIN reference. key is the key or PIN to be verified, formatted as a colon-separated list of hex values or a " enclosed string.

If key is omitted, the exact action depends on the card reader's features: if the card readers supports PIN input via a pin pad, then the PIN will be verified using the card reader's pin pad. If the card reader does not support PIN input, then the PIN will be asked interactively.

Examples:

Calls the card's open or close Secure Messaging handler.

Print the card serial number derived from the CHUID object, if any. Output is in hex byte format.

Print the name of the inserted card (driver)

Authenticate to the card using a 2DES or 3DES key. The argument of the form

 {A|M}:ref:alg

is required, were A uses "EXTERNAL AUTHENTICATION" and M uses "MUTUAL AUTHENTICATION". ref is normally 9B, and alg is 03 for 3DES. The key is provided by the card vendor, and the environment variable PIV_EXT_AUTH_KEY must point to a text file containing the key in the format: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Generate a key pair on the card and output the public key. The argument of the form

ref:alg

is required, where ref is 9A, 9C, 9D or 9E and alg is 06, 07, 11 or 14 for RSA 1024, RSA 2048, ECC 256 or ECC 384 respectively.

Load an object onto the card. The ContainerID is as defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000

Load a certificate onto the card. ref is 9A, 9C, 9D or 9E

Load a certificate that has been gzipped onto the card. ref is 9A, 9C, 9D or 9E

Output file for any operation that produces output.

Input file for any operation that requires an input file.

Print properties of the key slots. Needs 'admin' authentication.

Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF.... This option may be repeated.

Use the given reader number. The default is 0, the first reader in the system.

Use the given card driver. The default is auto-detected.

Wait for a card to be inserted

Causes piv-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute.

Change the user PIN on the token

Unlock User PIN (without --login unlock in logged in session; otherwise --login-type has to be 'context-specific').

Hash some data.

Specify the id of the object to operate on.

Initializes the user PIN. This option differs from --change-pin in that it sets the user PIN for the first time. Once set, the user PIN can be changed using --change-pin.

Initialize a token: set the token label as well as a Security Officer PIN (the label must be specified using --label).

Specify the path to a file for input.

Generate a new key pair (public and private pair.)

Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1.

Specify 'sign' key usage flag (sets SIGN in privkey, sets VERIFY in pubkey).

Specify 'decrypt' key usage flag (RSA only, set DECRYPT privkey, ENCRYPT in pubkey).

Specify 'derive' key usage flag (EC only).

Specify the name of the object to operate on (or the token label when --init-token is used).

Display a list of mechanisms supported by the token.

Display a list of objects.

Display a list of available slots on the token.

List slots with tokens.

Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.

Specify login type ('so', 'user', 'context-specific'; default:'user').

Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token.

Specify a PKCS#11 module (or library) to load.

Test a Mozilla-like keypair generation and certificate request. Specify the path to the certificate file.

Specify the path to a file for output.

Use the given pin for token operations. If set to env:VARIABLE, the value of the environment variable VARIABLE is used. WARNING: Be careful using this option as other users may be able to read the command line from the system or if it is embedded in a script. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

This option will also set the --login option.

Supply User PUK on the command line.

Supply new User PIN on the command line.

Set the CKA_ID of the object.

Display general token information.

Sign some data.

Decrypt some data.

Derive a secret key using another key and some data.

Specify the id of the slot to use.

Specify the description of the slot to use.

Specify the index of the slot to use.

Specify the label of token. Will be used the first slot, that has the inserted token with this label.

Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). If set to env:VARIABLE, the value of the environment variable VARIABLE is used. The same warning as --pin also applies here.

Perform some tests on the token. This option is most useful when used with either --login or --pin.

Test hotplug capabilities (C_GetSlotList + C_WaitForSlotEvent).

Set the CKA_PRIVATE attribute (object is only viewable after a login).

Test EC (best used with the --login or --pin option).

Test forking and calling C_Initialize() in the child.

Specify the type of object to operate on. Examples are cert, privkey and pubkey.

Cause pkcs11-tool to be more verbose.

NB! This does not affect OpenSC debugging level! To set OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG environment variable to a non-zero number.

Get object's CKA_VALUE attribute (use with --type).

Delete an object.

Specify the application label of the data object (use with --type data).

Specify the application ID of the data object (use with --type data).

Specify the issuer in hexadecimal format (use with --type cert).

Specify the subject in hexadecimal format (use with --type cert/privkey/pubkey).

Format for ECDSA signature: 'rs' (default), 'sequence', 'openssl'.

Write a key or certificate object to the token. path points to the DER-encoded certificate or key file.

Print the OpenSC package release version.

Specify the AID of the on-card PKCS#15 application to bind to. The aid must be in hexadecimal form.

Decrypt the contents of the file specified by the --input option. The result of the decryption operation is written to the file specified by the --output option. If this option is not given, the decrypted data is printed to standard output, displaying non-printable characters using their hex notation xNN (see also --raw).

Specifies the input file to use. Defaults to stdin if not specified.

Selects the ID of the key to use.

Any output will be sent to the specified file. Defaults to stdout if not specified.

When the cryptographic operation requires a PIN to access the key, pkcs15-crypt will prompt the user for the PIN on the terminal. Using this option allows you to specify the PIN on the command line.

Note that on most operating systems, the command line of a process can be displayed by any user using the ps(1) command. It is therefore a security risk to specify secret information such as PINs on the command line. If you specify '-' as PIN, it will be read from STDIN.

By default, pkcs15-crypt assumes that input data has been padded to the correct length (i.e. when computing an RSA signature using a 1024 bit key, the input must be padded to 128 bytes to match the modulus length). When giving the --pkcs1 option, however, pkcs15-crypt will perform the required padding using the algorithm outlined in the PKCS #1 standard version 1.5.

Outputs raw 8 bit data.

Selects the N-th smart card reader configured by the system. If unspecified, pkcs15-crypt will use the first reader found.

This option tells pkcs15-crypt that the input file is the result of an SHA1 hash operation, rather than an MD5 hash. Again, the data must be in binary representation.

Perform digital signature operation on the data read from a file specified using the --input option. By default, the contents of the file are assumed to be the result of an MD5 hash operation. Note that pkcs15-crypt expects the data in binary representation, not ASCII.

The digital signature is stored, in binary representation, in the file specified by the --output option. If this option is not given, the signature is printed on standard output, displaying non-printable characters using their hex notation xNN (see also --raw).

When signing with ECDSA key this option indicates to pkcs15-crypt the signature output format. Possible values are 'rs'(default) -- two concatanated integers (PKCS#11), 'sequence' or 'openssl' -- DER encoded sequence of two integeres (OpenSSL).

Causes pkcs15-crypt to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Print the OpenSC package release version.

Specify in a hexadecimal form the AID of the on-card PKCS#15 application to bind to.

Specifies the auth id of the PIN to use for the operation. This is useful with the --change-pin operation.

Changes a PIN or PUK stored on the token. User authentication is required for this operation.

Dump card objects.

Cache PKCS #15 token data to the local filesystem. Subsequent operations are performed on the cached data where possible. If the cache becomes out-of-sync with the token state (eg. new key is generated and stored on the token), the cache should be updated or operations may show stale results.

List the on-card PKCS#15 applications

Lists all certificates stored on the token.

Lists all data objects stored on the token. For some cards the PKCS#15 attributes of the private data objects are protected for reading and need the authentication with the User PIN. In such a case the --verify-pin option has to be used.

Lists all private keys stored on the token. General information about each private key is listed (eg. key name, id and algorithm). Actual private key values are not displayed. For some cards the PKCS#15 attributes of the private keys are protected for reading and need the authentication with the User PIN. In such a case the --verify-pin option has to be used.

Lists all PINs stored on the token. General information about each PIN is listed (eg. PIN name). Actual PIN values are not shown.

Lists all public keys stored on the token, including key name, id, algorithm and length information.

Disables token data caching.

Specifies where key output should be written. If filename already exists, it will be overwritten. If this option is not given, keys will be printed to standard output.

Changes how --read-data-object prints the content to standard output. By default, when --raw is not given, it will print the content in hex notation. If --raw is set, it will print the binary data directly. This does not affect the output that is written to the file specified by the --output option. Data written to a file will always be in raw binary.

Reads the certificate with the given id.

Reads data object with OID, applicationName or label. The content is printed to standard output in hex notation, unless the --raw option is given. If an output file is given with the --output option, the content is additionally written to the file. Output to the file is always written in raw binary mode, the --raw only affects standard output behavior.

Reads the public key with id id, allowing the user to extract and store or use the public key.

Reads the public key with id id, writing the output in format suitable for $HOME/.ssh/authorized_keys.

The key label, if any will be shown in the 'Comment' field.

When used in conjunction with option --read-ssh-key the output format of the public key follows rfc4716.

Forces pkcs15-tool to use reader number num for operations. The default is to use reader number 0, the first reader in the system.

Unblocks a PIN stored on the token. Knowledge of the Pin Unblock Key (PUK) is required for this operation.

Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Verify PIN after card binding and before issuing any command (without 'auth-id' the first non-SO, non-Unblock PIN will be verified)

Print the OpenSC package release version.

Tells pkcs15-init to load the specified card profile option. You will rarely need this option.

This tells pkcs15-init to create a PKCS #15 structure on the card, and initialize any PINs.

This will erase the card prior to creating the PKCS #15 structure, if the card supports it. If the card does not support erasing, pkcs15-init will fail.

Tells the card to generate new key and store it on the card. keyspec consists of an algorithm name (currently, the only supported name is RSA), optionally followed by a slash and the length of the key in bits. It is a good idea to specify the key ID along with this command, using the id option, otherwise an intrinsic ID will be calculated from the key material. Look the description of the 'pkcs15-id-style' attribut in the 'pkcs15.profile' for the details about the algorithm used to calculate intrinsic ID. For the multi-application cards the target PKCS#15 application can be specified by the hexadecimal AID value of the aid option.

Tells pkcs15-init to read additional options from filename. The file is supposed to contain one long option per line, without the leading dashes, for instance:

	pin		frank
	puk		zappa

You can specify --options-file several times.

These options can be used to specify PIN/PUK values on the command line. If set to env:VARIABLE, the value of the environment variable VARIABLE is used. Note that on most operation systems, any user can display the command line of any process on the system using utilities such as ps(1). Therefore, you should use these options only on a secured system, or in an options file specified with --options-file.

Tells pkcs15-init to load the specified general profile. Currently, the only application profile defined is pkcs15, but you can write your own profiles and specify them using this option.

The profile name can be combined with one or more profile options, which slightly modify the profile's behavior. For instance, the default OpenSC profile supports the openpin option, which installs a single PIN during card initialization. This PIN is then used both as the SO PIN as well as the user PIN for all keys stored on the card.

Profile name and options are separated by a + character, as in pkcs15+onepin.

Tells pkcs15-init to store the certificate given in filename on the card, creating a certificate object with the ID specified via the --id option. Without supplied ID an intrisic ID will be calculated from the certificate's public key. Look the description of the 'pkcs15-id-style' attribut in the 'pkcs15.profile' for the details about the algorithm used to calculate intrinsic ID. The file is assumed to contain the PEM encoded certificate. For the multi-application cards the target application can be specified by the hexadecimal AID value of the aid option.

Tells pkcs15-init to download the specified public key to the card and create a public key object with the key ID specified via the --id. By default, the file is assumed to contain the key in PEM format. Alternative formats can be specified using --format.

Tells pkcs15-init to download the specified private key to the card. This command will also create a public key object containing the public key portion. By default, the file is assumed to contain the key in PEM format. Alternative formats can be specified using --format. It is a good idea to specify the key ID along with this command, using the --id option, otherwise an intrinsic ID will be calculated from the key material. Look the description of the 'pkcs15-id-style' attribut in the 'pkcs15.profile' for the details about the algorithm used to calculate intrinsic ID. For the multi-application cards the target PKCS#15 application can be specified by the hexadecimal AID value of the aid option.

Tells pkcs15-init to update the certificate object with the ID specified via the --id option with the certificate in filename. The file is assumed to contain a PEM encoded certificate.

Pay extra attention when updating mail decryption certificates, as missing certificates can render e-mail messages unreadable!

Tells pkcs15-init to not ask for the transport keys and use default keys, as known by the card driver.

Causes pkcs15-init to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Changes a PIN stored on the card. User authentication is required for this operation.

Write certificate file file in PEM format to the card. User authentication is required for this operation.

Finalize the card. Once finalized the default key is invalidated, so PIN and PUK cannot be changed anymore without user authentication.

Warning, un-finalized are insecure because PIN can be changed without user authentication (knowledge of default key is enough).

Generate a private key on the card. The card must not have been finalized and a PIN must be installed (ie. the file for ithe PIN must havei been created, see option -i). By default the key length is 1536 bits. User authentication is required for this operation.

Print help message on screen.

Install PIN file in on the card. You must provide a PIN value with -x.

Change the length of private key. Use with -g.

Overwrite the key if there is already a key on the card.

Set value of PIN. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

set value of PUK (or value of new PIN for change PIN command see -n). If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

Read the file path from the card. The file is written on disk with name path. User authentication is required for this operation.

Use the given reader. The default is the first reader with a card.

Unblocks a PIN stored on the card. Knowledge of the PIN Unblock Key (PUK) is required for this operation.

Causes westcos-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Wait for a card to be inserted.

Put the file with name path from disk to card. On the card the file is written in path. User authentication is required for this operation.