Use the given reader. The default is the first reader with a card.

Wait for a card to be inserted

Print help message on screen.

Prints the version of the utility and exits.

Prints all data fields from the card, like validity period, document number etc.

Prints key usage statistics (only for Estonian ID card).

Executes the given program with data in environment variables.

Display information about the card or token.

Format the card or token.

Specify the reader number number to use. The default is reader 0.

Use the card driver specified by name. The default is to auto-detect the correct card driver.

Causes cardos-tool to wait for the token to be inserted into reader.

Causes cardos-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Verifies CHV1 before issuing commands

Lists all keys stored in a public key file

Creates new RSA key files for arg keys

Creates new PIN file for CHVid

Generate a new RSA key pair

Reads a public key from the card, allowing the user to extract and store or use the public key

Specifies the key number to operate on. The default is key number 1.

Specifies the DF to operate in

Specifies the private key file id, id, to use

Specifies the public key file id, id, to use

Specifies the RSA exponent, exp, to use in key generation. The default value is 3.

Specifies the modulus length to use in key generation. The default value is 1024.

Forces cryptoflex-tool to use reader number num for operations. The default is to use reader number 0, the first reader in the system.

Causes cryptoflex-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Displays a short help message.

Use smart card in specified reader. Default is reader 0.

Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.

Specifies the current value of the global PIN.

Specifies the current value of the global PUK.

Specifies the current value of the local PIN0 (aka local PIN).

Specifies the current value of the local PIN1 (aka local PUK).

This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

This changes the value of the specified pin to the given new value. You must specify either the current value of the pin or another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

This command can be executed only if the global PIN of your card is in nullpin-state. There's no way to return back to nullpin-state once you have changed your global PIN. You don't need a pin to execute the nullpin-command. After a succesfull nullpin-command netkey-tool will display your cards initial PUK-value.

This command will read one of your cards certificates (as specified by number) and save this certificate into file filename in PEM-format. Certificates on a NetKey E4 card are readable without a pin, so you don't have to specify one.

This command will read the first PEM-encoded certificate from file filename and store this into your smart cards certificate file number. Some of your smart cards certificate files might be readonly, so this will not work with all values of number. If a certificate file is writable you must specify a pin in order to change it. If you try to use this command without specifying a pin, netkey-tool will tell you which one is needed.

Print information about OpenSC, such as version and enabled components

Print the Answer To Reset (ATR) of the card, output is in hex byte format

Print the name of the inserted card (driver)

Print the card serial number (normally the ICCSN), output is in hex byte format

Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF...

Recursively lists all files stored on card

Lists all configured readers

Lists all installed card drivers

Use the given reader number. The default is 0, the first reader in the system.

Use the given card driver. The default is auto-detected.

Wait for a card to be inserted

Causes opensc-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Use the given reader number. The default is 0, the first reader in the system.

Use the given card driver. The default is auto-detected.

Select the file referenced by the given path on startup. The default is the path to the standard master file, 3F00. If path is empty (e.g. opensc-explorer --mf ""), then no file is explicitly selected.

Wait for a card to be inserted

Causes opensc-explorer to be more verbose. Specify this flag several times to enable debug output in the opensc library.

list all files in the current DF

change to another DF specified by file-id

print the contents of the currently selected EF or the contents of a file specified by file-id or sfi-id.

display attributes of a file specified by file-id. If file-id is not supplied, the attributes of the current file are printed.

create a new EF. file-id specifies the id number and size is the size of the new file.

remove the EF or DF specified by file-id

remove the EF or DF specified by file-id

present a PIN or key to the card. Where key-type can be one of CHV, KEY or PRO. key-id is a number representing the key or PIN reference. key is the key or PIN to be verified in hex.

If key is omitted, PIN will be verified with PIN-Pad.

Example: verify CHV0 31:32:33:34:00:00:00:00

change a PIN, where id is the PIN reference

Examples:

Change PIN: change CHV2 00:00:00:00:00:00 "foobar"

Set PIN: change CHV2 "foobar"

Change PIN with pinpad: change CHV2

copy a local file to the card. The local file is specified by input while the card file is specified by file-id.

copy an EF to a local file. The local file is specified by output while the card file is specified by file-id.

If output is ommited, the name of the output file will be derivated from the full card path to file-id.

update internal card's 'tagged' data.

hex-tag is the tag of the card's data. input is the filename of the source file or the literal data presented as a sequence of hexadecimal values or '"' enclosed string.

copy the internal card's 'tagged' data into the local file.

The local file is specified by output while the tag of the card's data is specified by hex-tag.

If output is ommited, the name of the output file will be derivated from hex-tag.

create a DF. file-id specifies the id number and size is the size of the new file.

erase the card, if the card supports it.

generate random sequence of count bytes.

update record specified by rec_nr of the file specified by file-id with the literal data data starting from offset specified by rec_offs.

data can be supplied as a sequence of the hex values or as a '"' encolsed string.

binary update of the file specified by file-id with the literal data data starting from offset specified by offs.

data can be supplied as a sequence of the hex values or as a '"' encolsed string.

set OpenSC debug level to level.

If level is ommited the current debug level will be shown.

send a custom APDU command hex_data.

parse and print the ASN1 encoded content of the file specified by file-id.

exit the program.

Print the derived card serial number from the CHUID object if any. output is in hex byte format.

Print the name of the inserted card (driver)

Authenticate to the card using a 2DES or 3DES key. An arguement {A|M}:{ref}:{alg} is required, were A uses "EXTERNAL AUTHENTICATION" and M uses "MUTUAL AUTHENTICATION". ref is normally 9B, and alg is 03 for 3DES. The key is provided by card vendor, and the environment variable PIV_EXT_AUTH_KEY must point to a text file with the key in the format: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Generate a key pair on the card and output the public key. An argument {ref}:{alg} is required, where ref is 9A, 9C, 9D or 9E and alg is 06, 07, 11 or 14 for RSA 1024, RSA 2048, ECC 256 or ECC 384.

Load an object on to the card. The ContainerID is defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000

Load a certificate on to the card. ref is 9A, 9C, 9D or 9E

Load a certificate that has been gziped on to the card. ref is 9A, 9C, 9D or 9E

Output file for any operation that produces output.

Input file for any operation that requires an input file.

Print properties of the key slots. Needs 'admin' authentication.

Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF... This option may be repeated.

Use the given reader number. The default is 0, the first reader in the system.

Use the given card driver. The default is auto-detected.

Wait for a card to be inserted

Causes piv-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.

Use the given pin for token operations. WARNING: Be careful using this option as other users may be able to read the command line from the system or if it is embedded in a script.

This option will also set the --login option.

Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). The same warning as --pin also applies here.

Initializes a token: set the token label as well as a Security Officer PIN (the label must be specified using --label).

Initializes the user PIN. This option differs from --change-pin in that it sets the user PIN for the first time. Once set, the user PIN can be changed using --change-pin.

Change the user PIN on the token

Performs some tests on the token. This option is most useful when used with either --login or --pin.

Displays general token information.

Displays a list of available slots on the token.

Displays a list of mechanisms supported by the token.

Displays a list of objects.

Sign some data.

Hash some data.

Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token.

Generate a new key pair (public and private pair.)

Write a key or certificate object to the token. path points to the DER-encoded certificate or key file.

Specify the type of object to operate on. Examples are cert, privkey and pubkey.

Specify the id of the object to operate on.

Specify the name of the object to operate on (or the token label when --init-token is used).

Specify the id of the slot to use.

Specify the description of the slot to use.

Specify the index of the slot to use.

Specify the label of token. Will be used the first slot, that has the inserted token with this label.

Set the CKA_ID of the object.

Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute.

Specify the path to a file for input.

Specify the path to a file for output.

Specify a PKCS#11 module (or library) to load.

Tests a Mozilla-like keypair generation and certificate request. Specify the path to the certificate file.

Causes pkcs11-tool to be more verbose.

NB! This does not affect OpenSC debugging level! To set OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG environment variable to a non-zero number.

Perform digital signature operation on the data read from a file specified using the input option. By default, the contents of the file are assumed to be the result of an MD5 hash operation. Note that pkcs15-crypt expects the data in binary representation, not ASCII.

The digital signature is stored, in binary representation, in the file specified by the output option. If this option is not given, the signature is printed on standard output, displaying non-printable characters using their hex notation xNN (see also --raw).

By default, pkcs15-crypt assumes that input data has been padded to the correct length (i.e. when computing an RSA signature using a 1024 bit key, the input must be padded to 128 bytes to match the modulus length). When giving the --pkcs1 option, however, pkcs15-crypt will perform the required padding using the algorithm outlined in the PKCS #1 standard version 1.5.

This option tells pkcs15-crypt that the input file is the result of an SHA1 hash operation, rather than an MD5 hash. Again, the data must be in binary representation.

Decrypt the contents of the file specified by the --input option. The result of the decryption operation is written to the file specified by the --output option. If this option is not given, the decrypted data is printed to standard output, displaying non-printable characters using their hex notation xNN (see also --raw).

Selects the ID of the key to use.

Selects the N-th smart card reader configured by the system. If unspecified, pkcs15-crypt will use the first reader found.

Specifies the input file to use.

Any output will be sent to the specified file.

Outputs raw 8 bit data.

When the cryptographic operation requires a PIN to access the key, pkcs15-crypt will prompt the user for the PIN on the terminal. Using this option allows you to specify the PIN on the command line.

Note that on most operating systems, the command line of a process can be displayed by any user using the ps(1) command. It is therefore a security risk to specify secret information such as PINs on the command line. If you specify '-' as PIN, it will be read from STDIN.

Specify in a hexadecimal form the AID of the on-card PKCS#15 application to be binded to.

Causes pkcs15-crypt to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Cache PKCS #15 token data to the local filesystem. Subsequent operations are performed on the cached data where possible. If the cache becomes out-of-sync with the token state (eg. new key is generated and stored on the token), the cache should be updated or operations may show stale results.

List the on-card PKCS#15 applications

Reads the certificate with the given id.

Lists all certificates stored on the token.

Reads data object with OID, applicationName or label.

Verify PIN after card binding and before issuing any command (without 'auth-id' the first non-SO, non-Unblock PIN will be verified)

Lists all data objects stored on the token. For some cards the PKCS#15 attributes of the private data objects are protected for reading and need the authentication with the User PIN. In such a case the --verify-pin option has to be used.

Lists all PINs stored on the token. General information about each PIN is listed (eg. PIN name). Actual PIN values are not shown.

Dump card objects.

Changes a PIN or PUK stored on the token. User authentication is required for this operation.

Unblocks a PIN stored on the token. Knowledge of the Pin Unblock Key (PUK) is required for this operation.

Lists all private keys stored on the token. General information about each private key is listed (eg. key name, id and algorithm). Actual private key values are not displayed. For some cards the PKCS#15 attributes of the private keys are protected for reading and need the authentication with the User PIN. In such a case the --verify-pin option has to be used.

Lists all public keys stored on the token, including key name, id, algorithm and length information.

Reads the public key with id id, allowing the user to extract and store or use the public key.

Reads the public key with id id, writing the output in format suitable for $HOME/.ssh/authorized_keys.

Specifies where key output should be written. If filename already exists, it will be overwritten. If this option is not given, keys will be printed to standard output.

Disables token data caching.

Specifies the auth id of the PIN to use for the operation. This is useful with the --change-pin operation.

Specify in a hexadecimal form the AID of the on-card PKCS#15 application to be binded to.

Forces pkcs15-tool to use reader number num for operations. The default is to use reader number 0, the first reader in the system.

Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Tells pkcs15-init to load the specified general profile. Currently, the only application profile defined is pkcs15, but you can write your own profiles and specify them using this option.

The profile name can be combined with one or more profile options, which slightly modify the profile's behavior. For instance, the default OpenSC profile supports the openpin option, which installs a single PIN during card initialization. This PIN is then used both as the SO PIN as well as the user PIN for all keys stored on the card.

Profile name and options are separated by a + character, as in pkcs15+onepin.

Tells pkcs15-init to load the specified card profile option. You will rarely need this option.

This tells pkcs15-init to create a PKCS #15 structure on the card, and initialize any PINs.

This will erase the card prior to creating the PKCS #15 structure, if the card supports it. If the card does not support erasing, pkcs15-init will fail.

Tells the card to generate new key and store it on the card. keyspec consists of an algorithm name (currently, the only supported name is RSA), optionally followed by a slash and the length of the key in bits. It is a good idea to specify the key ID along with this command, using the id option, otherwise an intrinsic ID will be calculated from the key material. Look the description of the 'pkcs15-id-style' attribut in the 'pkcs15.profile' for the details about the algorithm used to calculate intrinsic ID. For the multi-application cards the target PKCS#15 application can be specified by the hexadecimal AID value of the aid option.

Tells pkcs15-init to download the specified private key to the card. This command will also create a public key object containing the public key portion. By default, the file is assumed to contain the key in PEM format. Alternative formats can be specified using --format. It is a good idea to specify the key ID along with this command, using the --id option, otherwise an intrinsic ID will be calculated from the key material. Look the description of the 'pkcs15-id-style' attribut in the 'pkcs15.profile' for the details about the algorithm used to calculate intrinsic ID. For the multi-application cards the target PKCS#15 application can be specified by the hexadecimal AID value of the aid option.

Tells pkcs15-init to download the specified public key to the card and create a public key object with the key ID specified via the --id. By default, the file is assumed to contain the key in PEM format. Alternative formats can be specified using --format.

Tells pkcs15-init to store the certificate given in filename on the card, creating a certificate object with the ID specified via the --id option. Without supplied ID an intrisic ID will be calculated from the certificate's public key. Look the description of the 'pkcs15-id-style' attribut in the 'pkcs15.profile' for the details about the algorithm used to calculate intrinsic ID. The file is assumed to contain the PEM encoded certificate. For the multi-application cards the target application can be specified by the hexadecimal AID value of the aid option.

Tells pkcs15-init to update the certificate object with the ID specified via the --id option with the certificate in filename. The file is assumed to contain a PEM encoded certificate.

Pay extra attention when updating mail decryption certificates, as missing certificates can render e-mail messages unreadable!

Tells pkcs15-init to not ask for the transport keys and use default keys, as known by the card driver.

These options can be used to specify PIN/PUK values on the command line. Note that on most operation systems, any user can display the command line of any process on the system using utilities such as ps(1). Therefore, you should use these options only on a secured system, or in an options file specified with --options-file.

Tells pkcs15-init to read additional options from filename. The file is supposed to contain one long option per line, without the leading dashes, for instance:

	pin		frank
	puk		zappa

You can specify --options-file several times.

Causes pkcs15-init to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Use the given reader. The default is the first reader with a card.

Wait for a card to be inserted

Generate a private key on smart card. The smart card must be not finalized and a PIN must be installed (ie. file for PIN must be created, see option -i). By default key length is 1536 bits. User authentication is required for this operation.

Overwrite the key if there is already a key on card.

Change the length of private key, use with -g.

Install PIN file in token, you must provide PIN value with -x.

set value of PIN.

set value of PUK (or value of new PIN for change PIN command see -n).

Changes a PIN stored on the token. User authentication is required for this operation.

Unblocks a PIN stored on the token. Knowledge of the PIN Unblock Key (PUK) is required for this operation.

Write certificate file in PEM format to the card. User authentication is required for this operation.

Finalize the card. Once finalized the default key is invalidated so PIN and PUK can't be changed anymore without user authentication. Warning, un-finalized are insecure because PIN can be changed without user authentication (knowledge of default key is enough).

Get the file path the file is written on disk with path name. User authentication is required for this operation.

Put the file with name path from disk to card the file is written in path. User authentication is required for this operation.

Print help message on screen.

Causes westcos-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.