

6.7.5 The p11tool application

p11tool is a program that is used to access tokens and security modules that support the PKCS #11 API. It requires individual PKCS #11 modules to be loaded either with the --provider option, or by setting up the GnuTLS configuration file for PKCS #11 as in Smart cards and HSMs.

     p11tool help
     Usage: p11tool [options]
     Usage: p11tool --list-tokens
     Usage: p11tool --list-all
     Usage: p11tool --export 'pkcs11:...'
     
          --export URL             Export an object specified by a pkcs11
                                   URL
          --list-tokens            List all available tokens
          --list-mechanisms URL    List all available mechanisms in token.
          --list-all               List all objects specified by a PKCS#11
                                   URL
          --list-all-certs         List all certificates specified by a
                                   PKCS#11 URL
          --list-certs             List certificates that have a private
                                   key specified by a PKCS#11 URL
          --list-privkeys          List private keys specified by a
                                   PKCS#11 URL
          --list-trusted           List certificates marked as trusted,
                                   specified by a PKCS#11 URL
          --initialize URL         Initializes a PKCS11 token.
          --write URL              Writes loaded certificates, private or
                                   secret keys to a PKCS11 token.
          --delete URL             Deletes objects matching the URL.
          --label label            Sets a label for the write operation.
          --trusted                Marks the certificate to be written as
                                   trusted.
          --private                Marks the object to be written as
                                   private (requires PIN).
          --no-private             Marks the object to be written as not
                                   private.
          --login                  Force login to token
          --detailed-url           Export detailed URLs.
          --no-detailed-url        Export less detailed URLs.
          --secret-key HEX_KEY     Provide a hex encoded secret key.
          --load-privkey FILE      Private key file to use.
          --load-pubkey FILE       Private key file to use.
          --load-certificate FILE
                                   Certificate file to use.
          -8, --pkcs8              Use PKCS #8 format for private keys.
          --inder                  Use DER format for input certificates
                                   and private keys.
          --inraw                  Use RAW/DER format for input
                                   certificates and private keys.
          --provider Library       Specify the pkcs11 provider library
          --outfile FILE           Output file.
          -d, --debug LEVEL        specify the debug level. Default is 1.
          -h, --help               shows this help text

Once the available PKCS #11 modules have been loaded, it can list all tokens available on your system and the objects stored on them, and perform operations on those objects.

Some examples on how to use p11tool are illustrated in the following paragraphs.

List all tokens

     $ p11tool --list-tokens

List all objects

The following command will list all objects in a token. The --login option is required to show objects marked as private.

     $ p11tool --login --list-all

Exporting an object

To retrieve an object stored on the token, use the following command. Note, however, that objects marked as sensitive (typically PKCS #11 private keys) cannot be extracted from the token.

     $ p11tool --login --export [OBJECT URL]

Copy an object to a token

To copy an object, such as a certificate or private key, to a token, use the following command.

     $ p11tool --login --write [TOKEN URL] \
       --load-certificate cert.pem --label "my_cert"
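The export and write commands above take a PKCS #11 URL in place of [OBJECT URL] and [TOKEN URL]. Token and object labels often contain characters (spaces, ';', '=') that must be percent-encoded inside such a URL (RFC 7512), which is why p11tool itself prints labels like "SoftHSM%20v2". The following POSIX sh helpers, added here as an example and not part of the GnuTLS manual or of p11tool, build a correctly encoded object URL from a token label, an object label and an object type, and then wrap the export and write invocations shown above. The function names, the token and object labels, and the cert.pem file name are assumptions made for the example; the encoder over-encodes every byte outside the RFC's unreserved set, which the RFC permits.

```shell
#!/bin/sh
# Added example: build RFC 7512 PKCS #11 URLs for p11tool (not GnuTLS code).

# Percent-encode every byte that is not RFC 7512 "unreserved"
# (ALPHA / DIGIT / "-" / "." / "_" / "~"). Over-encoding is always allowed,
# so the result is safe for any label, including ones containing ';' or '='.
pkcs11_url_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -s ' \n' '\n\n' | while read -r hex; do
        [ -n "$hex" ] || continue
        # Turn the hex byte back into a character so we can classify it.
        ch=$(printf "\\$(printf '%03o' "0x$hex")")
        case "$ch" in
            [A-Za-z0-9._~-]) printf '%s' "$ch" ;;
            *)               printf '%%%02X' "0x$hex" ;;
        esac
    done
}

# $1 = token label, $2 = object label, $3 = object type
# (RFC 7512 types: cert, private, public, secret-key, data).
p11_object_url() {
    printf 'pkcs11:token=%s;object=%s;type=%s' \
        "$(pkcs11_url_encode "$1")" "$(pkcs11_url_encode "$2")" "$3"
}

# $1 = token label. A token URL selects the token only, with no object part.
p11_token_url() {
    printf 'pkcs11:token=%s' "$(pkcs11_url_encode "$1")"
}

# Export a certificate: p11tool --login --export [OBJECT URL] --outfile FILE
# $1 = token label, $2 = certificate label, $3 = output file.
p11_export_cert() {
    url=$(p11_object_url "$1" "$2" cert)
    if ! command -v p11tool >/dev/null 2>&1; then
        echo "p11tool not found; would run: p11tool --login --export '$url' --outfile '$3'" >&2
        return 0
    fi
    p11tool --login --export "$url" --outfile "$3"
}

# Write a certificate: p11tool --login --write [TOKEN URL] --load-certificate ...
# $1 = token label, $2 = certificate file, $3 = label to store it under.
p11_write_cert() {
    url=$(p11_token_url "$1")
    if ! command -v p11tool >/dev/null 2>&1; then
        echo "p11tool not found; would run: p11tool --login --write '$url' --load-certificate '$2' --label '$3'" >&2
        return 0
    fi
    p11tool --login --write "$url" --load-certificate "$2" --label "$3"
}

# Example usage with an assumed token label (a SoftHSM-style label with a space):
# p11_write_cert "SoftHSM Token" cert.pem "my cert"
# p11_export_cert "SoftHSM Token" "my cert" exported.pem
```

Because the labels are encoded before the URL is assembled, a label containing a space becomes "object=my%20cert" rather than breaking the URL, and a label containing ';' cannot be misread as the start of another attribute.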