Print the installed version of OpenSC to standard output.

Print the linker flags that are needed to compile a program to use the OpenSC libraries.

Print the compiler flags that are needed to compile a program to use the OpenSC libraries.

If specified, use PREFIX instead of the installation prefix that OpenSC was built with when computing the output for the --cflags and --libs options. This option is also used for the exec prefix if --exec-prefix was not specified. This option must be specified before any --libs or --cflags options.

If specified, use PREFIX instead of the installation exec prefix that OpenSC was built with when computing the output for the --cflags and --libs options. This option must be specified before any --libs or --cflags options.

Print the Answer To Reset (ATR) of the card, output is in hex byte format

Print the card serial number (normally the ICCSN), output is in hex byte format

Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF...

Recursively lists all files stored on card

Lists all configured readers

Lists all installed card drivers

Lists all installed reader drivers

Use the given reader number. The default is 0, the first reader in the system.

Use the given card driver. The default is auto-detected.

Causes opensc-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Use the given reader number. The default is 0, the first reader in the system.

Use the given card driver. The default is auto-detected.

Causes opensc-explorer to be more verbose. Specify this flag several times to enable debug output in the opensc library.

list all files in the current DF

change to another DF specified by file-id

print the contents of the currently selected EF

display attributes of a file specified by file-id. If file-id is not supplied, the attributes of the current file are printed.

create a new EF. file-id specifies the id number and size is the size of the new file.

remove the EF or DF specified by file-id

present a PIN or key to the card. Where key-type can be one of CHV, KEY or PRO. key-id is a number representing the key or PIN number. key is the key or PIN to be verified in hex.

Example: verify CHV0 31:32:33:34:00:00:00:00

change a PIN

Example: change CHV0 31:32:33:34:00:00:00:00 'secret'

copy a local file to the card. The local file is specified by input while the card file is specified by file-id

copy an EF to a local file. The local file is specified by output while the card file is specified by file-id.

create a DF. file-id specifies the id number and size is the size of the new file.

create a public key signature. NOTE: This command is currently not implemented.

perform a public key decryption. NOTE: This command is currently not implemented.

erase the card, if the card supports it.

exit the program

Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.

Use the given pin for token operations. WARNING: Be careful using this option as other users may be able to read the command line from the system or if it is embedded in a script.

This option will also set the --login option.

Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). The same warning as --pin also applies here.

Initializes a token: set the token label as well as a Security Officer PIN (the label must be specified using --label).

Initializes the user PIN. This option differs from --change-pin in that it sets the user PIN for the first time. Once set, the user PIN can be changed using --change-pin.

Change the user PIN on the token

Performs some tests on the token. This option is most useful when used with either --login or --pin.

Displays general token information.

Displays a list of available slots on the token.

Displays a list of mechanisms supported by the token.

Displays a list of objects.

Sign some data.

Hash some data.

Use the specified mechanism for token operations. See -M for a list of mechanisms supported by your token.

Generate a new key pair (public and private pair.)

Write a key or certificate object to the token.

Specify the type of object to operate on. Examples are cert, privkey and pubkey.

Specify the id of the object to operate on.

Specify the name of the object to operate on (or the token label when --init-token is used).

Specify the id of the slot to use.

Specify the name of the slot to use.

Set the CKA_ID of the object.

Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. Example: the certificate subject name is used to create the CKA_SUBJECT attribute.

Specify the path to a file for input.

Specify the path to a file for output.

Specify a PKCS#11 module (or library) to load.

Tests a Mozilla-like keypair generation and certificate request. Specify the path to the certificate file.

Causes pkcs11-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Perform digital signature operation on the data read from a file specified using the input option. By default, the contents of the file are assumed to be the result of an MD5 hash operation. Note that pkcs15-crypt expects the data in binary representation, not ASCII.

The digital signature is stored, in binary representation, in the file specified by the output option. If this option is not given, the signature is printed on standard output, displaying non-printable characters using their hex notation xNN (see also --raw).

By default, pkcs15-crypt assumes that input data has been padded to the correct length (i.e. when computing an RSA signature using a 1024 bit key, the input must be padded to 128 bytes to match the modulus length). When giving the --pkcs1 option, however, pkcs15-crypt will perform the required padding using the algorithm outlined in the PKCS #1 standard version 1.5.

This option tells pkcs15-crypt that the input file is the result of an SHA1 hash operation, rather than an MD5 hash. Again, the data must be in binary representation.

Decrypt the contents of the file specified by the --input option. The result of the decryption operation is written to the file specified by the --output option. If this option is not given, the decrypted data is printed to standard output, displaying non-printable characters using their hex notation xNN (see also --raw).

Selects the ID of the key to use.

Selects the N-th smart card reader configured by the system. If unspecified, pkcs15-crypt will use the first reader found.

Specifies the input file to use.

Any output will be sent to the specified file.

Outputs raw 8 bit data.

When the cryptographic operation requires a PIN to access the key, pkcs15-crypt will prompt the user for the PIN on the terminal. Using this option allows you to specify the PIN on the command line.

Note that on most operating systems, the command line of a process can be displayed by any user using the ps(1) command. It is therefore a security risk to specify secret information such as PINs on the command line. If you specify '-' as PIN, it will be read from STDIN.

Causes pkcs15-crypt to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Cache PKCS #15 token data to the local filesystem. Subsequent operations are performed on the cached data where possible. If the cache becomes out-of-sync with the token state (eg. new key is generated and stored on the token), the cache should be updated or operations may show stale results.

Reads the certificate with the given id.

Lists all certificates stored on the token.

Lists all PINs stored on the token. General information about each PIN is listed (eg. PIN name). Actual PIN values are not shown.

Changes a PIN stored on the token. User authentication is required for this operation.

Unblocks a PIN stored on the token. Knowledge of the Pin Unblock Key (PUK) is required for this operation.

Lists all private keys stored on the token. General information about each private key is listed (eg. key name, id and algorithm). Actual private key values are not displayed.

Lists all public keys stored on the token, including key name, id, algorithm and length information.

Reads the public key with id id, allowing the user to extract and store or use the public key.

Reads the public key with id id, writing the output in format suitable for $HOME/.ssh/authorized_keys.

Specifies where key output should be written. If filename already exists, it will be overwritten. If this option is not given, keys will be printed to standard output.

Disables token data caching.

Specifies the auth id of the PIN to use for the operation. This is useful with the --change-pin operation.

Forces pkcs15-tool to use reader number num for operations. The default is to use reader number 0, the first reader in the system.

Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Tells pkcs15-init to load the specified general profile. Currently, the only application profile defined is pkcs15, but you can write your own profiles and specify them using this option.

The profile name can be combined with one or more profile options, which slightly modify the profile's behavior. For instance, the default OpenSC profile supports the openpin option, which installs a single PIN during card initialization. This PIN is then used both as the SO PIN as well as the user PIN for all keys stored on the card.

Profile name and options are separated by a + character, as in pkcs15+onepin.

Tells pkcs15-init to load the specified card profile option. You will rarely need this option.

This tells pkcs15-init to create a PKCS #15 structure on the card, and initialize any PINs.

This will erase the card prior to creating the PKCS #15 structure, if the card supports it. If the card does not support erasing, pkcs15-init will fail.

Tells the card to generate new key and store it on the card. keyspec consists of an algorithm name (currently, the only supported name is RSA), optionally followed by a slash and the length of the key in bits. It is a good idea to specify the key ID along with this command, using the id option.

Tells pkcs15-init to download the specified private key to the card. This command will also create a public key object containing the public key portion. By default, the file is assumed to contain the key in PEM format. Alternative formats can be specified using --format. It is a good idea to specify the key ID along with this command, using the --id option.

Tells pkcs15-init to download the specified public key to the card and create a public key object with the key ID specified via the --id. By default, the file is assumed to contain the key in PEM format. Alternative formats can be specified using --format.

Tells pkcs15-init to store the certificate given in filename on the card, creating a certificate object with the ID specified via the --id option. The file is assumed to contain the DER encoded certificate.

These options can be used to specify PIN/PUK values on the command line. Note that on most operation systems, any user can display the command line of any process on the system using utilities such as ps(1). Therefore, you should use these options only on a secured system, or in an options file specified with --options-file.

When downloading a private key, this option can be used to specify the pass phrase to unlock the private key. The same caveat applies here as in the case of the --pin options.

Tells pkcs15-init to read additional options from filename. The file is supposed to contain one long option per line, without the leading dashes, for instance:

	pin		frank
	puk		zappa

You can specify --options-file several times.

Causes pkcs15-init to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

Display information about the card or token.

Format the card or token.

Specify the reader number number to use. The default is reader 0.

Use the card driver specified by name. The default is to auto-detect the correct card driver.

Causes cardos-info to wait for the token to be inserted into reader.

Causes cardos-info to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Verifies CHV1 before issuing commands

Lists all keys stored in a public key file

Creates new RSA key files for arg keys

Creates new PIN file for CHVid

Generate a new RSA key pair

Reads a public key from the card, allowing the user to extract and store or use the public key

Specifies the key number to operate on. The default is key number 1.

Specifies the DF to operate in

Specifies the private key file id, id, to use

Specifies the public key file id, id, to use

Specifies the RSA exponent, exp, to use in key generation. The default value is 3.

Specifies the modulus length to use in key generation. The default value is 1024.

Forces cryptoflex-tool to use reader number num for operations. The default is to use reader number 0, the first reader in the system.

Causes cryptoflex-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Displays a short help message.

Use smart card in specified reader. Default is reader 0.

Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.

Specifies the current value of the global PIN.

Specifies the current value of the global PUK.

Specifies the current value of the local PIN0 (aka local PIN).

Specifies the current value of the local PIN1 (aka local PUK).

This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

This changes the value of the specified pin to the given new value. You must specify either the current value of the pin or another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

This command can be executed only if the global PIN of your card is in nullpin-state. There's no way to return back to nullpin-state once you have changed your global PIN. You don't need a pin to execute the nullpin-command. After a succesfull nullpin-command netkey-tool will display your cards initial PUK-value.

This command will read one of your cards certificates (as specified by number) and save this certificate into file filename in PEM-format. Certificates on a NetKey E4 card are readable without a pin, so you don't have to specify one.

This command will read the first PEM-encoded certificate from file filename and store this into your smart cards certificate file number. Some of your smart cards certificate files might be readonly, so this will not work with all values of number. If a certificate file is writable you must specify a pin in order to change it. If you try to use this command without specifying a pin, netkey-tool will tell you which one is needed.