'\" t
.TH "SYSTEMD\-KEYUTIL" "1" "" "systemd 257.1" "systemd-keyutil"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
systemd-keyutil \- Perform various operations on private keys and X\&.509 certificates
.SH "SYNOPSIS"
.HP \w'\fBsystemd\-keyutil\fR\ 'u
\fBsystemd\-keyutil\fR [OPTIONS...] {COMMAND}
.SH "DESCRIPTION"
.PP
\fBsystemd\-keyutil\fR
can be used to perform various operations on private keys and X\&.509 certificates\&.
.SH "COMMANDS"
.PP
\fBvalidate\fR
.RS 4
Checks that we can load the private key and certificate specified with
\fB\-\-private\-key=\fR
and
\fB\-\-certificate=\fR
respectively\&.
.sp
As a side effect, if the private key is loaded from a PIN\-protected hardware token, this command can be used to cache the PIN in the kernel keyring\&. The
\fI$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC\fR
and
\fI$SYSTEMD_ASK_PASSWORD_KEYRING_TYPE\fR
environment variables can be used to control how long and in which kernel keyring the PIN is cached\&.
.sp
Added in version 257\&.
.RE
.PP
\fBpublic\fR
.RS 4
This command prints the public key in PEM format extracted from either the certificate given with
\fB\-\-certificate=\fR
or the private key given with
\fB\-\-private\-key=\fR\&.
.sp
Added in version 257\&.
.RE
.SH "OPTIONS"
.PP
The following options are understood:
.PP
\fB\-\-private\-key=\fR\fB\fIPATH/URI\fR\fR, \fB\-\-private\-key\-source=\fR\fB\fITYPE\fR\fR\fB[:\fR\fB\fINAME\fR\fR\fB]\fR, \fB\-\-certificate=\fR\fB\fIPATH\fR\fR, \fB\-\-certificate\-source=\fR\fB\fITYPE\fR\fR\fB[:\fR\fB\fINAME\fR\fR\fB]\fR
.RS 4
Set the private key and certificate to use\&. The
\fB\-\-certificate=\fR
option takes a path to a PEM encoded X\&.509 certificate or a URI that\*(Aqs passed to the OpenSSL provider configured with
\fB\-\-certificate\-source\fR\&. The
\fB\-\-certificate\-source\fR
takes one of
"file"
or
"provider", with the latter being followed by a specific provider identifier, separated with a colon, e\&.g\&.
"provider:pkcs11"\&. The
\fB\-\-private\-key=\fR
option can take a path or a URI that will be passed to the OpenSSL engine or provider, as specified by
\fB\-\-private\-key\-source=\fR
as a
"type:name"
tuple, such as
"engine:pkcs11"\&.
.sp
Added in version 257\&.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Print a short help text and exit\&.
.RE
.PP
\fB\-\-version\fR
.RS 4
Print a short version string and exit\&.
.RE
.SH "SEE ALSO"
.PP
\fBsystemd-sbsign\fR(1), \fBsystemd-measure\fR(1)