YUBICO-PIV-TOOL(1)		 User Commands		    YUBICO-PIV-TOOL(1)

NAME
       yubico-piv-tool - Tool for managing Personal Identity Verification
       credentials on YubiKeys

SYNOPSIS
       yubico-piv-tool [OPTION]...

DESCRIPTION
       -h, --help
	      Print help and exit

       --full-help
              Print help, including hidden options, and exit

       -V, --version
              Print version and exit

       -v, --verbose[=INT]
              Print more information (default=`0')

       -r, --reader=STRING
              Only use a matching reader (default=`Yubikey')

       -k, --key[=STRING]
              Management key to use; if no value is specified, the key will
              be asked for
              (default=`010203040506070801020304050607080102030405060708')

       -a, --action=ENUM
              Action to take (possible values="version", "generate",
              "set-mgm-key", "reset", "pin-retries", "import-key",
              "import-certificate", "set-chuid", "request-certificate",
              "verify-pin", "verify-bio", "change-pin", "change-puk",
              "unblock-pin", "selfsign-certificate", "delete-certificate",
              "read-certificate", "read-public-key", "status",
              "test-signature", "test-decipher", "list-readers", "set-ccc",
              "write-object", "read-object", "attest", "move-key",
              "delete-key")

              Multiple actions may be given at once and will be executed in
              order, for example:
              --action=verify-pin --action=request-certificate

       -s, --slot=ENUM
              What key slot to operate on (possible values="9a", "9c", "9d",
              "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a",
              "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94",
              "95", "f9")

              9a is for PIV Authentication
              9c is for Digital Signature (PIN always checked)
              9d is for Key Management
              9e is for Card Authentication (PIN never checked)
              82-95 is for Retired Key Management
              f9 is for Attestation

       --to-slot=ENUM
              What slot to move an existing key to (possible values="9a",
              "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88",
              "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92",
              "93", "94", "95", "f9")

              9a is for PIV Authentication
              9c is for Digital Signature (PIN always checked)
              9d is for Key Management
              9e is for Card Authentication (PIN never checked)
              82-95 is for Retired Key Management
              f9 is for Attestation

       -A, --algorithm=ENUM
              What algorithm to use (possible values="RSA1024", "RSA2048",
              "RSA3072", "RSA4096", "ECCP256", "ECCP384", "ED25519", "X25519"
              default=`RSA2048')

       -H, --hash=ENUM
              Hash to use for signatures (possible values="SHA1", "SHA256",
              "SHA384", "SHA512" default=`SHA256')

       -n, --new-key=STRING
              New management key to use for action set-mgm-key; if omitted,
              the key will be asked for

       --pin-retries=INT
              Number of retries before the PIN code is blocked

       --puk-retries=INT
              Number of retries before the PUK code is blocked

       -i, --input=STRING
              Filename to use as input, - for stdin (default=`-')

       -o, --output=STRING
              Filename to use as output, - for stdout (default=`-')

       -K, --key-format=ENUM
              Format of the key being read/written (possible values="PEM",
              "PKCS12", "GZIP", "DER", "SSH" default=`PEM')

       --compress
              Compress a large certificate using GZIP before import
              (default=off)

       --global
              Reset the whole device over all applications (default=off)

       -p, --password=STRING
              Password for decryption of private key file; if omitted, the
              password will be asked for

       -S, --subject=STRING
              The subject to use for certificate request

              The subject must be written as:
              /CN=host.example.com/OU=test/O=example.com/

       --serial=INT
	      Serial number of the self-signed certificate

       --valid-days=INT
              Time (in days) until the self-signed certificate expires
              (default=`365')

       -P, --pin=STRING
              PIN/PUK code for verification; if omitted, the PIN/PUK will be
              asked for

       -N, --new-pin=STRING
              New PIN/PUK code for changing; if omitted, the PIN/PUK will be
              asked for

       --pin-policy=ENUM
              Set PIN policy for action generate or import-key. Only
              available on YubiKey 4 or newer (possible values="never",
              "once", "always", "matchonce", "matchalways")

       --touch-policy=ENUM
              Set touch policy for action generate, import-key or set-mgm-key.
              Only available on YubiKey 4 or newer (possible values="never",
              "always", "cached")

       --id=INT
	      Id of object for write/read object

       -f, --format=ENUM
              Format of data for write/read object (possible values="hex",
              "base64", "binary" default=`hex')

       --attestation
              Add attestation cross-signature (default=off)

       -m, --new-key-algo=ENUM
              New management key algorithm to use for action set-mgm-key
              (possible values="TDES", "AES128", "AES192", "AES256"
              default=`TDES')

       --scp11
              Communication with the YubiKey is done over an encrypted
              channel. DEPRECATED! Please use the '--enc' flag instead
              (default=off)

       --enc  Communication with the YubiKey is done over an encrypted channel
              (default=off)
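
       Added example (not from the manual page or the yubico-piv-tool
       project): shell functions that chain the actions and options listed
       above to replace the default management key, generate a key in a
       slot, request a certificate and fetch an attestation. PIV_TOOL, SLOT,
       SUBJECT, the function names and the file names are assumptions;
       secrets are left off the command line so the tool asks for them.

```shell
#!/bin/sh
# Added example; names below (PIV_TOOL, SLOT, SUBJECT, function and file
# names) are assumptions for illustration, not part of yubico-piv-tool.
PIV_TOOL="${PIV_TOOL:-yubico-piv-tool}"
SLOT="${SLOT:-9a}"                      # 9a = PIV Authentication
SUBJECT="${SUBJECT:-/CN=host.example.com/OU=test/O=example.com/}"

# One-time step on a factory-fresh device: replace the default management
# key shown under -k. Without -k the default is used to authenticate, and
# without -n the new key is asked for, so it never appears in argv.
# Assumes the device accepts AES256 management keys.
rotate_mgm_key() {
    "$PIV_TOOL" -a set-mgm-key -m AES256
}

# Generate the private key on the device; only the public key is written
# to $1. A bare -k makes the tool ask for the (rotated) management key.
# PIN and touch policies require YubiKey 4 or newer.
generate_key() {
    "$PIV_TOOL" -k -a generate -s "$SLOT" -A ECCP256 \
        --pin-policy=once --touch-policy=always -o "$1"
}

# Two actions in one invocation, executed in order: verify the PIN (asked
# for, since -P is omitted), then sign a request for public key $1 into $2.
request_csr() {
    "$PIV_TOOL" -a verify-pin -a request-certificate -s "$SLOT" \
        -S "$SUBJECT" -i "$1" -o "$2"
}

# Write the attestation certificate for the slot to $1 so the issuer can
# check that the key was generated on the device.
attest_key() {
    "$PIV_TOOL" -a attest -s "$SLOT" -o "$1"
}

# Stop at the first failing step.
provision() {
    generate_key "$1" && request_csr "$1" "$2" && attest_key "$3"
}

# Run only when asked, so the file can also be sourced:
#   sh provision.sh run
if [ "${1:-}" = "run" ]; then
    provision pub.pem csr.pem attest.pem
fi
```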

yubico-piv-tool	2.7.2		 November 2025		    YUBICO-PIV-TOOL(1)
