Provided by: yubico-piv-tool_2.7.1-1_amd64 

NAME
yubico-piv-tool - Tool for managing Personal Identity Verification credentials on YubiKeys
SYNOPSIS
yubico-piv-tool [OPTION]...
DESCRIPTION
-h, --help
Print help and exit
--full-help
Print help, including hidden options, and exit
-V, --version
Print version and exit
-v, --verbose[=INT]
Print more information (default=`0')
-r, --reader=STRING
Only use a matching reader (default=`Yubikey')
-k, --key[=STRING]
Management key to use; if no value is specified, the key will be asked for
(default=`010203040506070801020304050607080102030405060708')
-a, --action=ENUM
Action to take (possible values="version", "generate", "set-mgm-key", "reset", "pin-retries",
"import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin",
"verify-bio", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate",
"delete-certificate", "read-certificate", "status", "test-signature", "test-decipher",
"list-readers", "set-ccc", "write-object", "read-object", "attest", "move-key", "delete-key")
Multiple actions may be given at once and will be executed in order, for example:
--action=verify-pin --action=request-certificate
-s, --slot=ENUM
What key slot to operate on (possible values="9a", "9c", "9d", "9e", "82", "83", "84", "85",
"86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95",
"f9")
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)
82-95 is for Retired Key Management
f9 is for Attestation
--to-slot=ENUM
What slot to move an existing key to (possible values="9a", "9c", "9d", "9e", "82", "83", "84",
"85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94",
"95", "f9")
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)
82-95 is for Retired Key Management
f9 is for Attestation
-A, --algorithm=ENUM
What algorithm to use (possible values="RSA1024", "RSA2048", "RSA3072", "RSA4096", "ECCP256",
"ECCP384", "ED25519", "X25519" default=`RSA2048')
-H, --hash=ENUM
Hash to use for signatures (possible values="SHA1", "SHA256", "SHA384", "SHA512"
default=`SHA256')
-n, --new-key=STRING
New management key to use for action set-mgm-key; if omitted, the key will be asked for
--pin-retries=INT
Number of retries before the PIN is blocked
--puk-retries=INT
Number of retries before the PUK is blocked
-i, --input=STRING
Filename to use as input, - for stdin (default=`-')
-o, --output=STRING
Filename to use as output, - for stdout (default=`-')
-K, --key-format=ENUM
Format of the key being read/written (possible values="PEM", "PKCS12", "GZIP", "DER", "SSH"
default=`PEM')
--compress
Compress a large certificate using GZIP before import (default=off)
--global
Reset the whole device over all applications (default=off)
-p, --password=STRING
Password for decryption of the private key file; if omitted, the password will be asked for
-S, --subject=STRING
The subject to use for certificate request
The subject must be written as: /CN=host.example.com/OU=test/O=example.com/
--serial=INT
Serial number of the self-signed certificate
--valid-days=INT
Time (in days) until the self-signed certificate expires (default=`365')
-P, --pin=STRING
PIN/PUK code for verification; if omitted, the PIN/PUK will be asked for
-N, --new-pin=STRING
New PIN/PUK code for changing; if omitted, the PIN/PUK will be asked for
--pin-policy=ENUM
Set PIN policy for action generate or import-key. Only available on YubiKey 4 or newer (possible
values="never", "once", "always", "matchonce", "matchalways")
--touch-policy=ENUM
Set touch policy for action generate, import-key or set-mgm-key. Only available on YubiKey 4 or
newer (possible values="never", "always", "cached")
--id=INT
Id of object for write/read object
-f, --format=ENUM
Format of data for write/read object (possible values="hex", "base64", "binary" default=`hex')
--attestation
Add attestation cross-signature (default=off)
-m, --new-key-algo=ENUM
New management key algorithm to use for action set-mgm-key (possible values="TDES", "AES128",
"AES192", "AES256" default=`TDES')
--scp11
Use encrypted communication as specified by Secure Channel Protocol 11 (SCP11b) (default=off)
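
The default shown for -k is a published value, so a replacement passed to set-mgm-key with -n and -m should be checked before it is written to the device. The shell sketch below is an added example, not part of yubico-piv-tool or its documentation; the function names, verdict strings, sample key and repeated-byte heuristic are assumptions of this example, and the lengths are the standard TDES/AES key sizes.

```shell
#!/bin/sh
# Added example: pre-flight check of a candidate management key before
# running: yubico-piv-tool -a set-mgm-key -m ALGO -n KEY

# Default management key, copied from the -k option text on this page.
DEFAULT_MGM_KEY=010203040506070801020304050607080102030405060708

# Hex-digit length for each --new-key-algo value (standard key sizes:
# TDES and AES192 = 24 bytes, AES128 = 16 bytes, AES256 = 32 bytes).
mgm_key_hex_len() {
    case "$1" in
        TDES|AES192) echo 48 ;;
        AES128)      echo 32 ;;
        AES256)      echo 64 ;;
        *)           return 1 ;;
    esac
}

# check_mgm_key ALGO KEY: print a verdict, return 0 only when KEY is usable.
check_mgm_key() {
    algo=$1
    key=$(printf '%s' "$2" | tr 'ABCDEF' 'abcdef')
    want=$(mgm_key_hex_len "$algo") || { echo unknown-algorithm; return 2; }
    case "$key" in
        ''|*[!0123456789abcdef]*) echo not-hex; return 3 ;;
    esac
    [ "${#key}" -eq "$want" ] || { echo wrong-length; return 4; }
    [ "$key" != "$DEFAULT_MGM_KEY" ] || { echo default-key; return 5; }
    # Heuristic (assumption of this example): reject one byte repeated.
    first=$(printf '%s' "$key" | cut -c1-2)
    rest=$(printf '%s' "$key" | sed "s/$first//g")
    [ -n "$rest" ] || { echo repeated-byte; return 6; }
    echo ok
}

# Constructed sample key (not a real secret) for the demonstration run.
SAMPLE_AES256=9f3c5a7e1b2d4c6f8091a2b3c4d5e6f708192a3b4c5d6e7f8a9bacbdcedfe0f1
for pair in "TDES:$DEFAULT_MGM_KEY" "AES256:$SAMPLE_AES256" \
            "AES128:$SAMPLE_AES256"; do
    printf '%-7s %s\n' "${pair%%:*}" \
        "$(check_mgm_key "${pair%%:*}" "${pair#*:}")"
done
```

Because the default value is 24 bytes long, the check rejects it for both TDES and AES192, the two algorithms it could be used with.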
yubico-piv-tool 2.7.1 January 2025 YUBICO-PIV-TOOL(1)