.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
.TH YUBICO-PIV-TOOL "1" "September 2024" "yubico-piv-tool 2.6.1" "User Commands"
.SH NAME
yubico-piv-tool \- Tool for managing Personal Identity Verification credentials on Yubikeys
.SH SYNOPSIS
.B yubico-piv-tool
[\fI\,OPTION\/\fR]...
.SH DESCRIPTION
.TP
\fB\-h\fR, \fB\-\-help\fR
Print help and exit
.TP
\fB\-\-full\-help\fR
Print help, including hidden options, and exit
.TP
\fB\-V\fR, \fB\-\-version\fR
Print version and exit
.TP
\fB\-v\fR, \fB\-\-verbose\fR[=\fI\,INT\/\fR]
Print more information (default=`0')
.TP
\fB\-r\fR, \fB\-\-reader\fR=\fI\,STRING\/\fR
Only use a matching reader (default=`Yubikey')
.TP
\fB\-k\fR, \fB\-\-key\fR[=\fI\,STRING\/\fR]
Management key to use, if no value is specified key
will be asked for
(default=`010203040506070801020304050607080102030405060708')
.TP
\fB\-a\fR, \fB\-\-action\fR=\fI\,ENUM\/\fR
Action to take (possible values="version",
"generate", "set\-mgm\-key", "reset",
"pin\-retries", "import\-key",
"import\-certificate", "set\-chuid",
"request\-certificate", "verify\-pin",
"verify\-bio", "change\-pin", "change\-puk",
"unblock\-pin", "selfsign\-certificate",
"delete\-certificate", "read\-certificate",
"status", "test\-signature", "test\-decipher",
"list\-readers", "set\-ccc", "write\-object",
"read\-object", "attest", "move\-key",
"delete\-key")
.IP
Multiple actions may be given at once and will be executed in order
for example \fB\-\-action\fR=\fI\,verify\-pin\/\fR \fB\-\-action\fR=\fI\,request\-certificate\/\fR
.TP
\fB\-s\fR, \fB\-\-slot\fR=\fI\,ENUM\/\fR
What key slot to operate on (possible values="9a",
"9c", "9d", "9e", "82", "83", "84", "85",
"86", "87", "88", "89", "8a", "8b", "8c",
"8d", "8e", "8f", "90", "91", "92", "93",
"94", "95", "f9")
.IP
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)
82\-95 is for Retired Key Management
f9 is for Attestation
.TP
\fB\-\-to\-slot\fR=\fI\,ENUM\/\fR
What slot to move an existing key to (possible
values="9a", "9c", "9d", "9e", "82", "83",
"84", "85", "86", "87", "88", "89", "8a",
"8b", "8c", "8d", "8e", "8f", "90", "91",
"92", "93", "94", "95", "f9")
.IP
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)
82\-95 is for Retired Key Management
f9 is for Attestation
.TP
\fB\-A\fR, \fB\-\-algorithm\fR=\fI\,ENUM\/\fR
What algorithm to use (possible values="RSA1024",
"RSA2048", "RSA3072", "RSA4096", "ECCP256",
"ECCP384", "ED25519", "X25519"
default=`RSA2048')
.TP
\fB\-H\fR, \fB\-\-hash\fR=\fI\,ENUM\/\fR
Hash to use for signatures (possible values="SHA1",
"SHA256", "SHA384", "SHA512"
default=`SHA256')
.TP
\fB\-n\fR, \fB\-\-new\-key\fR=\fI\,STRING\/\fR
New management key to use for action set\-mgm\-key, if
omitted key will be asked for
.TP
\fB\-\-pin\-retries\fR=\fI\,INT\/\fR
Number of retries before the pin code is blocked
.TP
\fB\-\-puk\-retries\fR=\fI\,INT\/\fR
Number of retries before the puk code is blocked
.TP
\fB\-i\fR, \fB\-\-input\fR=\fI\,STRING\/\fR
Filename to use as input, \- for stdin (default=`\-')
.TP
\fB\-o\fR, \fB\-\-output\fR=\fI\,STRING\/\fR
Filename to use as output, \- for stdout
(default=`\-')
.TP
\fB\-K\fR, \fB\-\-key\-format\fR=\fI\,ENUM\/\fR
Format of the key being read/written (possible
values="PEM", "PKCS12", "GZIP", "DER", "SSH"
default=`PEM')
.TP
\fB\-\-compress\fR
Compress a large certificate using GZIP before import
(default=off)
.TP
\fB\-p\fR, \fB\-\-password\fR=\fI\,STRING\/\fR
Password for decryption of private key file, if
omitted password will be asked for
.TP
\fB\-S\fR, \fB\-\-subject\fR=\fI\,STRING\/\fR
The subject to use for certificate request
.IP
The subject must be written as:
/CN=host.example.com/OU=test/O=example.com/
.TP
\fB\-\-serial\fR=\fI\,INT\/\fR
Serial number of the self\-signed certificate
.TP
\fB\-\-valid\-days\fR=\fI\,INT\/\fR
Time (in days) until the self\-signed certificate
expires (default=`365')
.TP
\fB\-P\fR, \fB\-\-pin\fR=\fI\,STRING\/\fR
Pin/puk code for verification, if omitted pin/puk will
be asked for
.TP
\fB\-N\fR, \fB\-\-new\-pin\fR=\fI\,STRING\/\fR
New pin/puk code for changing, if omitted pin/puk will
be asked for
.TP
\fB\-\-pin\-policy\fR=\fI\,ENUM\/\fR
Set pin policy for action generate or import\-key.
Only available on YubiKey 4 or newer (possible
values="never", "once", "always",
"matchonce", "matchalways")
.TP
\fB\-\-touch\-policy\fR=\fI\,ENUM\/\fR
Set touch policy for action generate, import\-key or
set\-mgm\-key. Only available on YubiKey 4 or newer
(possible values="never", "always", "cached")
.TP
\fB\-\-id\fR=\fI\,INT\/\fR
Id of object for write/read object
.TP
\fB\-f\fR, \fB\-\-format\fR=\fI\,ENUM\/\fR
Format of data for write/read object (possible
values="hex", "base64", "binary"
default=`hex')
.TP
\fB\-\-attestation\fR
Add attestation cross\-signature (default=off)
.TP
\fB\-m\fR, \fB\-\-new\-key\-algo\fR=\fI\,ENUM\/\fR
New management key algorithm to use for action
set\-mgm\-key (possible values="TDES", "AES128",
"AES192", "AES256" default=`TDES')
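.PP
Several options above accept secrets or weak settings on the command line: a management key after \-k, a PIN or password after \-P, \-N, \-p or \-n, RSA1024, SHA1, and a pin policy of never. The shell function below is an added example, not part of yubico\-piv\-tool or its generated documentation; it lints an argument list for those settings without running the tool. The name piv_lint and the sample PIN are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of yubico-piv-tool): lint an argument list for
# risky settings listed in the option reference. The tool is never run.
# piv_lint is a hypothetical helper name; sample values are constructed.
DEFAULT_MGM_KEY=010203040506070801020304050607080102030405060708

piv_lint() {
    findings=0
    note() { findings=$((findings + 1)); printf '%s\n' "$1"; }
    while [ $# -gt 0 ]; do
        opt=$1; val=""; shift
        case $opt in
            --*=*)       val=${opt#*=}; opt=${opt%%=*} ;;      # --hash=SHA1
            -[a-zA-Z]?*) val=${opt#??}; opt=${opt%"$val"} ;;   # -HSHA1
        esac
        # Options with a required argument may carry it as the next word.
        case $opt in
            -A|--algorithm|-H|--hash|--pin-policy|-P|--pin|-N|--new-pin|-p|--password|-n|--new-key)
                if [ -z "$val" ] && [ $# -gt 0 ]; then val=$1; shift; fi ;;
        esac
        case "$opt=$val" in
            -A=RSA1024|--algorithm=RSA1024)
                note "$opt: RSA1024 is below accepted key strength" ;;
            -H=SHA1|--hash=SHA1)
                note "$opt: SHA1 is deprecated for signatures" ;;
            --pin-policy=never)
                note "$opt: key usable without PIN verification" ;;
            -k="$DEFAULT_MGM_KEY"|--key="$DEFAULT_MGM_KEY")
                note "$opt: default management key" ;;
        esac
        case $opt in
            -P|--pin|-N|--new-pin|-p|--password|-n|--new-key)
                note "$opt: secret visible in process arguments" ;;
            -k|--key)
                # A bare -k prompts for the key; an attached value lands in argv.
                if [ -n "$val" ]; then
                    note "$opt: management key visible in process arguments"
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed invocation: four findings (RSA1024, default key, key and PIN in argv).
piv_lint -a generate -s 9a -A RSA1024 -k"$DEFAULT_MGM_KEY" -P 246810 || true
```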