update documentation and help output for how to specify secrets on stdin
also update all examples to have no space after short option.
@@ -96,33 +96,30 @@ key on stdout:
|
||||
Generate a certificate request with public key from stdin, will print
|
||||
the resulting request on stdout:
|
||||
|
||||
$ yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \
|
||||
-a verify -a request
|
||||
$ yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest
|
||||
|
||||
Generate a self-signed certificate with public key from stdin, will print
|
||||
the certificate, for later import, on stdout:
|
||||
|
||||
$ yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 \
|
||||
-a verify -a selfsign
|
||||
$ yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify -aselfsign
|
||||
|
||||
Import a certificate from stdin:
|
||||
|
||||
$ yubico-piv-tool -s9a -aimport-certificate
|
||||
|
||||
Set a random chuid, import a key and import a certificate from a PKCS12
|
||||
file with password test, into slot 9c:
|
||||
file, into slot 9c:
|
||||
|
||||
$ yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \
|
||||
-a import-key -a import-cert
|
||||
$ yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key \
|
||||
-aimport-cert
|
||||
|
||||
Change the management key used for administrative authentication:
|
||||
|
||||
$ yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \
|
||||
-a set-mgm-key
|
||||
$ yubico-piv-tool -aset-mgm-key
|
||||
|
||||
Delete a certificate in slot 9a:
|
||||
Delete a certificate in slot 9a, with management key being asked for:
|
||||
|
||||
$ yubico-piv-tool -a delete-certificate -s 9a
|
||||
$ yubico-piv-tool -adelete-certificate -s9a -k
|
||||
|
||||
Show some information on certificates and other data:
|
||||
|
||||
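Review bot: The request and selfsign examples read the public key from stdin and, with `-P 123456` dropped, now also prompt for the PIN, so the text should say where the prompt reads from. If the prompt also uses stdin, piping a key into these commands would compete with it. A sentence next to "with public key from stdin" stating how the two inputs are kept apart would make the examples safe to copy.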
@@ -131,7 +128,7 @@ Show some information on certificates and other data:
|
||||
Read out the certificate from a slot and then run a signature test:
|
||||
|
||||
$ yubico-piv-tool -aread-cert -s9a
|
||||
$ yubico-piv-tool -a verify-pin -P 123456 -a test-signature -s 9a
|
||||
$ yubico-piv-tool -averify-pin -atest-signature -s9a
|
||||
|
||||
Import a key into slot 85 (only available on YubiKey 4) and set the
|
||||
touch policy (also only available on YubiKey 4):
|
||||
|
||||
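Review bot: Removing `-P 123456` from the test-signature line makes this example interactive, but the sentence above it still reads as a plain two-command recipe. Consider adding "with PIN being asked for" to the description, as was done for the delete-certificate example, and mentioning that `-P` is still accepted for scripted use.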
@@ -32,6 +32,10 @@ contactless interfaces (contrary to what the specifications mandate).
|
||||
You would typically change the management key to make sure nobody but
|
||||
you can modify the state of the PIV application on the YubiKey. Make sure to
|
||||
keep a copy of the key around for later use.
|
||||
All of these invocations will leave traces of keys and pins in the command line
|
||||
history, this can be avoided by leaving the argument out all-together and the
|
||||
software will ask for key/pin to be input. For the management key option (-k)
|
||||
this is achieved by leaving out the value but will specifying -k.
|
||||
|
||||
$ key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
|
||||
$ echo $key
|
||||
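Review bot: The added paragraph needs a wording pass: "all-together" should be "altogether", "but will specifying -k" looks like it was meant to be "but still specifying -k", and "history, this can be avoided" is a comma splice. Since the paragraph is about where secrets leak, it could also mention that on most systems command-line arguments are visible in the process list while the tool runs, not only in shell history. Note too that the `echo $key` line that follows prints the key to the terminal.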
@@ -56,7 +60,7 @@ To generate a new private key:
|
||||
To reset PIN/PUK retry counter AND codes (default pin 123456 puk
|
||||
12345678):
|
||||
|
||||
$ yubico-piv-tool -k $key -a verify -P $pin -a pin-retries --pin-retries 3 --puk-retries 3
|
||||
$ yubico-piv-tool -k$key -averify -P$pin -apin-retries --pin-retries=3 --puk-retries=3
|
||||
|
||||
To reset the application (PIN/PUK need to be blocked hence trying a couple
|
||||
of times -- you need to modify this if you have changed the default
|
||||
|
||||
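Review bot: The updated pin-retries line still passes both secrets on the command line (`-k$key -P$pin`), which is exactly what the paragraph added earlier in this file advises against. Either switch it to a bare `-k` with `-P` left out so both are prompted, or add a short remark that the variables are kept here deliberately.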
+5
-5
@@ -27,7 +27,7 @@
|
||||
|
||||
option "verbose" v "Print more information" int optional default="0" argoptional
|
||||
option "reader" r "Only use a matching reader" string optional default="Yubikey"
|
||||
option "key" k "Management key to use" string optional default="010203040506070801020304050607080102030405060708" argoptional
|
||||
option "key" k "Management key to use, if no value is specified key will be asked for" string optional default="010203040506070801020304050607080102030405060708" argoptional
|
||||
option "action" a "Action to take" values="version","generate","set-mgm-key",
|
||||
"reset","pin-retries","import-key","import-certificate","set-chuid",
|
||||
"request-certificate","verify-pin","change-pin","change-puk","unblock-pin",
|
||||
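Review bot: The new help string for "key" does not say what happens when -k is left out entirely. The option keeps its default="010203040506070801020304050607080102030405060708" together with argoptional, so presumably a missing -k uses the default key and only a bare -k prompts. Spelling that out, for example "-k without a value asks for the key; without -k the default key is used", would remove the ambiguity.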
@@ -46,21 +46,21 @@ text "
|
||||
82-95 is for Retired Key Management\n"
|
||||
option "algorithm" A "What algorithm to use" values="RSA1024","RSA2048","ECCP256","ECCP384" enum optional default="RSA2048"
|
||||
option "hash" H "Hash to use for signatures" values="SHA1","SHA256","SHA384","SHA512" enum optional default="SHA256"
|
||||
option "new-key" n "New management key to use for action set-mgm-key" string optional
|
||||
option "new-key" n "New management key to use for action set-mgm-key, if omitted key will be asked for" string optional
|
||||
option "pin-retries" - "Number of retries before the pin code is blocked" int optional dependon="puk-retries"
|
||||
option "puk-retries" - "Number of retries before the puk code is blocked" int optional dependon="pin-retries"
|
||||
option "input" i "Filename to use as input, - for stdin" string optional default="-"
|
||||
option "output" o "Filename to use as output, - for stdout" string optional default="-"
|
||||
option "key-format" K "Format of the key being read/written" values="PEM","PKCS12","GZIP","DER","SSH" enum optional default="PEM"
|
||||
option "password" p "Password for decryption of private key file" string optional
|
||||
option "password" p "Password for decryption of private key file, if omitted password will be asked for" string optional
|
||||
option "subject" S "The subject to use for certificate request" string optional
|
||||
text "
|
||||
The subject must be written as:
|
||||
/CN=host.example.com/OU=test/O=example.com/\n"
|
||||
option "serial" - "Serial number of the self-signed certificate" int optional
|
||||
option "valid-days" - "Time (in days) until the self-signed certificate expires" int optional default="365"
|
||||
option "pin" P "Pin/puk code for verification" string optional
|
||||
option "new-pin" N "New pin/puk code for changing" string optional dependon="pin"
|
||||
option "pin" P "Pin/puk code for verification, if omitted pin/puk will be asked for" string optional
|
||||
option "new-pin" N "New pin/puk code for changing, if omitted pin/puk will be asked for" string optional dependon="pin"
|
||||
option "pin-policy" - "Set pin policy for action generate or import-key" values="never","once","always" enum optional
|
||||
option "touch-policy" - "Set touch policy for action generate, import-key or set-mgm-key" values="never","always","cached" enum optional
|
||||
option "id" - "Id of object for write/read object" int optional
|
||||
|
||||
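Review bot: "if omitted" in the new-key, password, pin and new-pin help strings is ambiguous next to the wording used for "key". These four are declared `string optional` without argoptional, so here it has to mean that the option is not given at all, whereas for -k it is the value that is left out. Wording such as "if the option is not given" would make that clear. Also check that new-pin keeping dependon="pin" still fits: as written, giving -N on the command line requires -P there as well, so the PIN cannot be prompted while the new PIN is passed as an argument.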
+10
-12
@@ -42,24 +42,23 @@ key on stdout:
|
||||
Generate a certificate request with public key from stdin, will print
|
||||
the resulting request on stdout:
|
||||
|
||||
yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \
|
||||
-a verify -a request
|
||||
yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest
|
||||
|
||||
Generate a self-signed certificate with public key from stdin, will print
|
||||
the certificate, for later import, on stdout:
|
||||
|
||||
yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 \
|
||||
-a verify -a selfsign
|
||||
yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify \
|
||||
-aselfsign
|
||||
|
||||
Import a certificate from stdin:
|
||||
|
||||
yubico-piv-tool -s9a -aimport-certificate
|
||||
|
||||
Set a random chuid, import a key and import a certificate from a PKCS12
|
||||
file with password test, into slot 9c:
|
||||
file, into slot 9c:
|
||||
|
||||
yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \
|
||||
-a import-key -a import-cert
|
||||
yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key \
|
||||
-aimport-cert
|
||||
|
||||
Import a certificate which is larger than 2048 bytes and thus requires
|
||||
compression in order to fit:
|
||||
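Review bot: The action names are spelled inconsistently within this hunk: the stdin example uses `-aimport-certificate` while the PKCS12 example a few lines later uses `-aimport-cert`, and the earlier examples use `-averify`, `-arequest` and `-aselfsign`. If these rely on abbreviation matching, the examples would be more robust with the full action names, since they are what readers will paste.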
@@ -69,12 +68,11 @@ compression in order to fit:
|
||||
|
||||
Change the management key used for administrative authentication:
|
||||
|
||||
yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \
|
||||
-a set-mgm-key
|
||||
yubico-piv-tool -aset-mgm-key
|
||||
|
||||
Delete a certificate in slot 9a:
|
||||
Delete a certificate in slot 9a, with management key being asked for:
|
||||
|
||||
yubico-piv-tool -a delete-certificate -s 9a
|
||||
yubico-piv-tool -adelete-certificate -s9a -k
|
||||
|
||||
Show some information on certificates and other data:
|
||||
|
||||
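Review bot: The description above the set-mgm-key example was not updated to match the change. With `-n` removed the new management key is now asked for, but the text still reads "Change the management key used for administrative authentication:", while the delete-certificate description directly below gained "with management key being asked for". Adding the same hint here would keep the two consistent.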
@@ -83,4 +81,4 @@ Show some information on certificates and other data:
|
||||
Read out the certificate from a slot and then run a signature test:
|
||||
|
||||
yubico-piv-tool -aread-cert -s9a
|
||||
yubico-piv-tool -a verify-pin -P 123456 -a test-signature -s 9a
|
||||
yubico-piv-tool -averify-pin -atest-signature -s9a
|
||||
|
||||
+10
-11
@@ -42,23 +42,23 @@ key on stdout:
|
||||
Generate a certificate request with public key from stdin, will print
|
||||
the resulting request on stdout:
|
||||
|
||||
yubico\-piv\-tool \-s 9a \-S '/CN=foo/OU=test/O=example.com/' \-P 123456 \\
|
||||
\-a verify \-a request
|
||||
yubico\-piv\-tool \-s9a \-S'/CN=foo/OU=test/O=example.com/' \-averify \\
|
||||
\-arequest
|
||||
|
||||
Generate a self\-signed certificate with public key from stdin, will print
|
||||
the certificate, for later import, on stdout:
|
||||
|
||||
yubico\-piv\-tool \-s 9a \-S '/CN=bar/OU=test/O=example.com/' \-P 123456 \\
|
||||
\-a verify \-a selfsign
|
||||
yubico\-piv\-tool \-s9a \-S'/CN=bar/OU=test/O=example.com/' \-averify \\
|
||||
\-aselfsign
|
||||
|
||||
Import a certificate from stdin:
|
||||
|
||||
yubico\-piv\-tool \-s9a \-aimport\-certificate
|
||||
|
||||
Set a random chuid, import a key and import a certificate from a PKCS12
|
||||
file with password test, into slot 9c:
|
||||
file, into slot 9c:
|
||||
|
||||
yubico\-piv\-tool \-s 9c \-i test.pfx \-K PKCS12 \-p test \-a set\-chuid \\
|
||||
yubico\-piv\-tool \-s9c \-itest.pfx \-KPKCS12 \-aset\-chuid \\
|
||||
\-aimport\-key \-aimport\-cert
|
||||
|
||||
Import a certificate which is larger than 2048 bytes and thus requires
|
||||
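Review bot: The line wrapping in this copy differs from the other two copies of the same examples. Here the request example is split before `\-arequest` and the PKCS12 example breaks after `\-aset\-chuid`, while the other copies keep the request on one line and break after `-aimport-key`. Since the same text is maintained in three places, consider generating them from one source or at least keeping the breaks identical so later edits can be compared easily.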
@@ -69,12 +69,11 @@ compression in order to fit:
|
||||
|
||||
Change the management key used for administrative authentication:
|
||||
|
||||
yubico\-piv\-tool \-n 0807605403020108070605040302010807060504030201 \\
|
||||
\-a set\-mgm\-key
|
||||
yubico\-piv\-tool \-aset\-mgm\-key
|
||||
|
||||
Delete a certificate in slot 9a:
|
||||
Delete a certificate in slot 9a, with management key being asked for:
|
||||
|
||||
yubico\-piv\-tool \-a delete\-certificate \-s 9a
|
||||
yubico\-piv\-tool \-adelete\-certificate \-s9a \-k
|
||||
|
||||
Show some information on certificates and other data:
|
||||
|
||||
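Review bot: The set-mgm-key example has no `\-k`, so it does not show how the current management key is supplied when changing it, while the delete-certificate example right after it adds a bare `\-k` to be asked for the key. If a reader has already changed the key, the first example would presumably need `\-k` as well. Showing it there, or stating that the example assumes the default key, would avoid confusion.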
@@ -83,7 +82,7 @@ Show some information on certificates and other data:
|
||||
Read out the certificate from a slot and then run a signature test:
|
||||
|
||||
yubico\-piv\-tool \-aread\-cert \-s9a
|
||||
yubico\-piv\-tool \-a verify\-pin \-P 123456 \-a test\-signature \-s 9a
|
||||
yubico\-piv\-tool \-averify\-pin \-atest\-signature \-s9a
|
||||
|
||||
Import a key into slot 85 (only available on YubiKey 4) and set the
|
||||
touch policy (also only available on YubiKey 4):
|
||||
|
||||