# Copyright (c) 2014, 2015 Yubico AB # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are # met: # # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. [EXAMPLES] For more information about what's happening \-\-verbose can be added to any command. For much more information \-\-verbose=2 may be used. Display what version of the application is running on the YubiKey: yubico\-piv\-tool \-a version Generate a new ECC\-P256 key on device in slot 9a, will print the public key on stdout: yubico\-piv\-tool \-s 9a \-A ECCP256 \-a generate Generate a certificate request with public key from stdin, will print the resulting request on stdout: yubico\-piv\-tool \-s 9a \-S '/CN=foo/OU=test/O=example.com/' \-P 123456 \\ \-a verify \-a request Generate a self\-signed certificate with public key from stdin, will print the certificate, for later import, on stdout: yubico\-piv\-tool \-s 9a \-S '/CN=bar/OU=test/O=example.com/' \-P 123456 \\ \-a verify \-a selfsign Import a certificate from stdin: yubico\-piv\-tool \-s 9a \-a import\-certificate Set a random chuid, import a key and import a certificate from a PKCS12 file with password test, into slot 9c: yubico\-piv\-tool \-s 9c \-i test.pfx \-K PKCS12 \-p test \-a set\-chuid \\ \-a import\-key \-a import\-cert Import a certificate which is larger than 2048 bytes and thus requires compression in order to fit: openssl x509 \-in cert.pem \-outform DER | gzip \-9 > der.gz yubico\-piv\-tool \-s 9c \-i der.gz \-K GZIP \-a import\-cert Change the management key used for administrative authentication: yubico\-piv\-tool \-n 0807605403020108070605040302010807060504030201 \\ \-a set\-mgm\-key Delete a certificate in slot 9a: yubico\-piv\-tool \-a delete\-certificate \-s 9a Show some information on certificates and other data: yubico\-piv\-tool \-a status Read out the certificate from a slot and then run a signature test: yubico\-piv\-tool \-a read\-cert \-s 9a yubico\-piv\-tool \-a verify\-pin \-P 123456 \-a test\-signature \-s 9a Import a key into slot 85 (only available on YubiKey 4) and set the touch policy (also only available on YubiKey 4): yubico-piv-tool \-a import\-key \-s 85 \-\-touch-policy=always \-i key.pem