update documentation and help output for how to specify secrets on stdin

also update all examples to have no space after short option.
Klas Lindfors
2017-04-19 13:54:24 +02:00
parent a7ef1315f4
commit 9dfe04cd06
5 changed files with 72 additions and 74 deletions
+5 -5
@@ -27,7 +27,7 @@
option "verbose" v "Print more information" int optional default="0" argoptional
option "reader" r "Only use a matching reader" string optional default="Yubikey"
option "key" k "Management key to use" string optional default="010203040506070801020304050607080102030405060708" argoptional
option "key" k "Management key to use, if no value is specified key will be asked for" string optional default="010203040506070801020304050607080102030405060708" argoptional
option "action" a "Action to take" values="version","generate","set-mgm-key",
"reset","pin-retries","import-key","import-certificate","set-chuid",
"request-certificate","verify-pin","change-pin","change-puk","unblock-pin",
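Review bot: The new "key" description says the key "will be asked for" if no value is specified, but the option keeps default="010203040506070801020304050607080102030405060708" together with argoptional, so the text leaves open whether a bare `-k` prompts while omitting `-k` entirely silently authenticates with the well-known factory key; spell out both cases, e.g. `"Management key to use; give -k without a value to be prompted, omit it to use the default key"`. The commit title promises documentation of supplying secrets on stdin, yet this help text says nothing about where the prompt reads from.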
@@ -46,21 +46,21 @@ text "
82-95 is for Retired Key Management\n"
option "algorithm" A "What algorithm to use" values="RSA1024","RSA2048","ECCP256","ECCP384" enum optional default="RSA2048"
option "hash" H "Hash to use for signatures" values="SHA1","SHA256","SHA384","SHA512" enum optional default="SHA256"
option "new-key" n "New management key to use for action set-mgm-key" string optional
option "new-key" n "New management key to use for action set-mgm-key, if omitted key will be asked for" string optional
option "pin-retries" - "Number of retries before the pin code is blocked" int optional dependon="puk-retries"
option "puk-retries" - "Number of retries before the puk code is blocked" int optional dependon="pin-retries"
option "input" i "Filename to use as input, - for stdin" string optional default="-"
option "output" o "Filename to use as output, - for stdout" string optional default="-"
option "key-format" K "Format of the key being read/written" values="PEM","PKCS12","GZIP","DER","SSH" enum optional default="PEM"
option "password" p "Password for decryption of private key file" string optional
option "password" p "Password for decryption of private key file, if omitted password will be asked for" string optional
option "subject" S "The subject to use for certificate request" string optional
text "
The subject must be written as:
/CN=host.example.com/OU=test/O=example.com/\n"
option "serial" - "Serial number of the self-signed certificate" int optional
option "valid-days" - "Time (in days) until the self-signed certificate expires" int optional default="365"
option "pin" P "Pin/puk code for verification" string optional
option "new-pin" N "New pin/puk code for changing" string optional dependon="pin"
option "pin" P "Pin/puk code for verification, if omitted pin/puk will be asked for" string optional
option "new-pin" N "New pin/puk code for changing, if omitted pin/puk will be asked for" string optional dependon="pin"
option "pin-policy" - "Set pin policy for action generate or import-key" values="never","once","always" enum optional
option "touch-policy" - "Set touch policy for action generate, import-key or set-mgm-key" values="never","always","cached" enum optional
option "id" - "Id of object for write/read object" int optional
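Review bot: "new-pin" keeps dependon="pin" while "pin" now states it will be asked for if omitted, so gengetopt will reject `-N` without `-P` and the two descriptions contradict each other for change-pin/change-puk; either drop the dependon or say in the new-pin text that the current pin must be given on the command line. Minor: the wording differs between options ("if no value is specified" for key, "if omitted" here), and each new description is a comma splice; a semicolon or a parenthetical reads better.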
+16 -18
@@ -32,55 +32,53 @@ to any command. For much more information --verbose=2 may be used.
Display what version of the application is running on the YubiKey:
yubico-piv-tool -a version
yubico-piv-tool -aversion
Generate a new ECC-P256 key on device in slot 9a, will print the public
key on stdout:
yubico-piv-tool -s 9a -A ECCP256 -a generate
yubico-piv-tool -s9a -AECCP256 -agenerate
Generate a certificate request with public key from stdin, will print
the resulting request on stdout:
yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \
-a verify -a request
yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest
Generate a self-signed certificate with public key from stdin, will print
the certificate, for later import, on stdout:
yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 \
-a verify -a selfsign
yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify \
-aselfsign
Import a certificate from stdin:
yubico-piv-tool -s 9a -a import-certificate
yubico-piv-tool -s9a -aimport-certificate
Set a random chuid, import a key and import a certificate from a PKCS12
file with password test, into slot 9c:
file, into slot 9c:
yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \
-a import-key -a import-cert
yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key \
-aimport-cert
Import a certificate which is larger than 2048 bytes and thus requires
compression in order to fit:
openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
yubico-piv-tool -s 9c -i der.gz -K GZIP -a import-cert
yubico-piv-tool -s9c -ider.gz -KGZIP -aimport-cert
Change the management key used for administrative authentication:
yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \
-a set-mgm-key
yubico-piv-tool -aset-mgm-key
Delete a certificate in slot 9a:
Delete a certificate in slot 9a, with management key being asked for:
yubico-piv-tool -a delete-certificate -s 9a
yubico-piv-tool -adelete-certificate -s9a -k
Show some information on certificates and other data:
yubico-piv-tool -a status
yubico-piv-tool -astatus
Read out the certificate from a slot and then run a signature test:
yubico-piv-tool -a read-cert -s 9a
yubico-piv-tool -a verify-pin -P 123456 -a test-signature -s 9a
yubico-piv-tool -aread-cert -s9a
yubico-piv-tool -averify-pin -atest-signature -s9a
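Review bot: The request and selfsign examples read the public key from stdin (the default for -i) and, with `-P 123456` removed, now also expect the PIN to be asked for; the README should state how the two interact, i.e. that the prompt reads from the terminal and not from the piped stdin, otherwise a reader piping the key in will expect the prompt to consume part of the pipe. The same applies to the verify-pin/test-signature example at the end of the hunk. Wording: "with management key being asked for" in the delete-certificate line reads better as "prompting for the management key".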
+18 -19
@@ -32,60 +32,59 @@ to any command. For much more information \-\-verbose=2 may be used.
Display what version of the application is running on the YubiKey:
yubico\-piv\-tool \-a version
yubico\-piv\-tool \-aversion
Generate a new ECC\-P256 key on device in slot 9a, will print the public
key on stdout:
yubico\-piv\-tool \-s 9a \-A ECCP256 \-a generate
yubico\-piv\-tool \-s9a \-AECCP256 \-agenerate
Generate a certificate request with public key from stdin, will print
the resulting request on stdout:
yubico\-piv\-tool \-s 9a \-S '/CN=foo/OU=test/O=example.com/' \-P 123456 \\
\-a verify \-a request
yubico\-piv\-tool \-s9a \-S'/CN=foo/OU=test/O=example.com/' \-averify \\
\-arequest
Generate a self\-signed certificate with public key from stdin, will print
the certificate, for later import, on stdout:
yubico\-piv\-tool \-s 9a \-S '/CN=bar/OU=test/O=example.com/' \-P 123456 \\
\-a verify \-a selfsign
yubico\-piv\-tool \-s9a \-S'/CN=bar/OU=test/O=example.com/' \-averify \\
\-aselfsign
Import a certificate from stdin:
yubico\-piv\-tool \-s 9a \-a import\-certificate
yubico\-piv\-tool \-s9a \-aimport\-certificate
Set a random chuid, import a key and import a certificate from a PKCS12
file with password test, into slot 9c:
file, into slot 9c:
yubico\-piv\-tool \-s 9c \-i test.pfx \-K PKCS12 \-p test \-a set\-chuid \\
\-a import\-key \-a import\-cert
yubico\-piv\-tool \-s9c \-itest.pfx \-KPKCS12 \-aset\-chuid \\
\-aimport\-key \-aimport\-cert
Import a certificate which is larger than 2048 bytes and thus requires
compression in order to fit:
openssl x509 \-in cert.pem \-outform DER | gzip \-9 > der.gz
yubico\-piv\-tool \-s 9c \-i der.gz \-K GZIP \-a import\-cert
yubico\-piv\-tool \-s9c \-ider.gz \-KGZIP \-aimport\-cert
Change the management key used for administrative authentication:
yubico\-piv\-tool \-n 0807605403020108070605040302010807060504030201 \\
\-a set\-mgm\-key
yubico\-piv\-tool \-aset\-mgm\-key
Delete a certificate in slot 9a:
Delete a certificate in slot 9a, with management key being asked for:
yubico\-piv\-tool \-a delete\-certificate \-s 9a
yubico\-piv\-tool \-adelete\-certificate \-s9a \-k
Show some information on certificates and other data:
yubico\-piv\-tool \-a status
yubico\-piv\-tool \-astatus
Read out the certificate from a slot and then run a signature test:
yubico\-piv\-tool \-a read\-cert \-s 9a
yubico\-piv\-tool \-a verify\-pin \-P 123456 \-a test\-signature \-s 9a
yubico\-piv\-tool \-aread\-cert \-s9a
yubico\-piv\-tool \-averify\-pin \-atest\-signature \-s9a
Import a key into slot 85 (only available on YubiKey 4) and set the
touch policy (also only available on YubiKey 4):
yubico-piv-tool \-a import\-key \-s 85 \-\-touch-policy=always \-i key.pem
yubico-piv-tool \-aimport\-key \-s85 \-\-touch-policy=always \-ikey.pem
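Review bot: The rewritten import-key line at the end of the hunk still writes `yubico-piv-tool` and `\-\-touch-policy` with unescaped hyphens, while every other example in this page uses `yubico\-piv\-tool` and escaped option names; since the line is being changed anyway, make it `yubico\-piv\-tool \-aimport\-key \-s85 \-\-touch\-policy=always \-ikey.pem` so it renders consistently. As in the README, the request and selfsign examples here read the public key from stdin while now prompting for the PIN; the man page should say where that prompt reads from.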