YUBICO-PIV-TOOL(1)		 User Commands		    YUBICO-PIV-TOOL(1)

NAME
       yubico-piv-tool - Tool for managing Personal Identity Verification
       credentials on Yubikeys

SYNOPSIS
       yubico-piv-tool [OPTION]...

DESCRIPTION
       -h, --help
	      Print help and exit

       --full-help
	      Print help, including hidden options, and	exit

       -V, --version
	      Print version and	exit

       -v, --verbose[=INT]
	      Print more information  (default=`0')

       -r, --reader=STRING
	      Only use a matching reader  (default=`Yubikey')

       -k, --key[=STRING]
	      Management key to use, if no value is specified key will be
	      asked for
	      (default=`010203040506070801020304050607080102030405060708')

       -a, --action=ENUM
	      Action to take  (possible values="version", "generate",
	      "set-mgm-key", "reset", "pin-retries", "import-key",
	      "import-certificate", "set-chuid", "request-certificate",
	      "verify-pin", "verify-bio", "change-pin", "change-puk",
	      "unblock-pin", "selfsign-certificate", "delete-certificate",
	      "read-certificate", "status", "test-signature", "test-decipher",
	      "list-readers", "set-ccc", "write-object", "read-object",
	      "attest", "move-key", "delete-key")

	      Multiple actions may be given at once and will be executed in
	      order, for example
	      --action=verify-pin --action=request-certificate

       -s, --slot=ENUM
	      What  key	slot to	operate	on  (possible values="9a", "9c", "9d",
	      "9e", "82", "83",	"84", "85",  "86",  "87",  "88",  "89",	 "8a",
	      "8b",  "8c",  "8d",  "8e",  "8f",	 "90", "91", "92", "93", "94",
	      "95", "f9")

	      9a is for PIV Authentication
	      9c is for Digital Signature (PIN always checked)
	      9d is for Key Management
	      9e is for Card Authentication (PIN never checked)
	      82-95 is for Retired Key Management
	      f9 is for Attestation

       --to-slot=ENUM
	      What slot	to move	an existing  key  to   (possible  values="9a",
	      "9c",  "9d",  "9e",  "82",  "83",	 "84", "85", "86", "87", "88",
	      "89", "8a", "8b",	"8c", "8d",  "8e",  "8f",  "90",  "91",	 "92",
	      "93", "94", "95",	"f9")

	      9a is for PIV Authentication
	      9c is for Digital Signature (PIN always checked)
	      9d is for Key Management
	      9e is for Card Authentication (PIN never checked)
	      82-95 is for Retired Key Management
	      f9 is for Attestation

       -A, --algorithm=ENUM
	      What  algorithm  to  use	(possible values="RSA1024", "RSA2048",
	      "RSA3072", "RSA4096", "ECCP256", "ECCP384", "ED25519",  "X25519"
	      default=`RSA2048')

       -H, --hash=ENUM
	      Hash  to	use for	signatures  (possible values="SHA1", "SHA256",
	      "SHA384",	"SHA512" default=`SHA256')

       -n, --new-key=STRING
	      New management key to use	for action set-mgm-key,	if omitted key
	      will be asked for

       --pin-retries=INT
	      Number of	retries	before the pin code is blocked

       --puk-retries=INT
	      Number of	retries	before the puk code is blocked

       -i, --input=STRING
	      Filename to use as input,	- for stdin  (default=`-')

       -o, --output=STRING
	      Filename to use as output, - for stdout (default=`-')

       -K, --key-format=ENUM
	      Format of	the key	being  read/written   (possible	 values="PEM",
	      "PKCS12",	"GZIP",	"DER", "SSH" default=`PEM')

       --compress
	      Compress a large certificate using GZIP before import
	      (default=off)

       --global
	      Reset the	whole device over all applications (default=off)

       -p, --password=STRING
	      Password for decryption of private key file, if omitted password
	      will be asked for

       -S, --subject=STRING
	      The subject to use for certificate request

	      The subject must be written as:
	      /CN=host.example.com/OU=test/O=example.com/

       --serial=INT
	      Serial number of the self-signed certificate

       --valid-days=INT
	      Time (in days) until the self-signed certificate expires
	      (default=`365')

       -P, --pin=STRING
	      Pin/puk code for verification, if	omitted	pin/puk	will be	 asked
	      for

       -N, --new-pin=STRING
	      New  pin/puk code	for changing, if omitted pin/puk will be asked
	      for

       --pin-policy=ENUM
	      Set pin policy for action generate or import-key.  Only
	      available on YubiKey 4 or newer  (possible values="never",
	      "once", "always", "matchonce", "matchalways")

       --touch-policy=ENUM
	      Set touch	policy for action generate, import-key or set-mgm-key.
	      Only available on	YubiKey	4 or newer  (possible  values="never",
	      "always",	"cached")

       --id=INT
	      Id of object for write/read object

       -f, --format=ENUM
	      Format  of  data	for write/read object  (possible values="hex",
	      "base64",	"binary" default=`hex')

       --attestation
	      Add attestation cross-signature  (default=off)

       -m, --new-key-algo=ENUM
	      New management key algorithm to use for action set-mgm-key
	      (possible values="TDES", "AES128", "AES192", "AES256"
	      default=`TDES')

       --scp11
	      Use encrypted communication as specified by Secure Channel
	      Protocol 11 (SCP11b)  (default=off)
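
The options above combined into one provisioning sequence for a single slot, as an added example that is not part of the yubico-piv-tool manual. It only prints the commands; the output file names are constructed, and requiring both the leading and trailing slash in the subject is an assumption taken from the form shown under --subject.

```shell
#!/bin/sh
# Added example: prints a provisioning plan; nothing is sent to a device.

# Slots accepted by -s/--slot: 9a 9c 9d 9e, 82-95 (hex), f9.
valid_slot() {
    case "$1" in
        9a|9c|9d|9e|f9|8[2-9a-f]|9[0-5]) return 0 ;;
        *) return 1 ;;
    esac
}

# Subject must look like /CN=host.example.com/OU=test/O=example.com/
# (assumption: leading and trailing slash are both required, as shown).
valid_subject() {
    case "$1" in
        *"'"*) return 1 ;;   # keep the printed quoting intact
        /*/) ;;
        *) return 1 ;;
    esac
    rest=${1#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        rest=${rest#*/}
        case "$part" in
            ?*=?*) ;;        # every component is NAME=value
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the commands for one slot. -k is given without a value and -P/-n are
# omitted, so the tool asks for each secret instead of reading it from argv.
# Output file names are constructed for this example.
provision_plan() {
    slot=$1 subject=$2
    valid_slot "$slot" || { echo "bad slot: $slot" >&2; return 1; }
    valid_subject "$subject" || { echo "bad subject: $subject" >&2; return 1; }
    cat <<EOF
yubico-piv-tool -k -a set-mgm-key
yubico-piv-tool -k -a generate -s $slot -A ECCP256 --pin-policy=once --touch-policy=always -o pub-$slot.pem
yubico-piv-tool -a verify-pin -a selfsign-certificate -s $slot -S '$subject' -i pub-$slot.pem -o cert-$slot.pem
yubico-piv-tool -k -a import-certificate -s $slot -i cert-$slot.pem
yubico-piv-tool -a attest -s $slot -o attest-$slot.pem
EOF
}

provision_plan 9a '/CN=host.example.com/OU=test/O=example.com/'
```

The first printed command replaces the management key, whose default value is listed under -k above; the third relies on actions being executed in the order given.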

yubico-piv-tool	2.7.1		  April	2025		    YUBICO-PIV-TOOL(1)
