Linux command

pkcs11-tool command

After copying, replace file names, directories, or parameters as needed.

Common examples

List available token slots

pkcs11-tool --list-token-slots

List objects on a token

pkcs11-tool --list-objects

List supported mechanisms

pkcs11-tool --list-mechanisms

Generate an RSA key pair

pkcs11-tool --login --keypairgen --key-type rsa:2048 --label [keyname]

Sign data with a key

pkcs11-tool --login --sign -m RSA-PKCS --id [key_id] --input [data] --output [signature]

Initialize a token

pkcs11-tool --init-token --label [label] --so-pin [so_pin]

Use a specific PKCS#11 library module

pkcs11-tool --module [/usr/lib/libpkcs11.so] --list-objects

Description

pkcs11-tool interacts with PKCS#11 cryptographic tokens such as smart cards, USB security keys, and hardware security modules (HSMs). It can list available slots and objects, generate key pairs, sign and verify data, and initialize tokens. Part of the OpenSC project, it communicates with tokens through PKCS#11 library modules. Each token type requires its own PKCS#11 library, selected with the --module option. Operations on private objects typically require PIN authentication.

Options

--list-token-slots
List available slots.
--list-objects
List objects on the token. Can filter with --label, --id, or --type.
--list-mechanisms
List mechanisms supported by the token.
--keypairgen
Generate a key pair on the token.
--sign
Sign data.
--verify
Verify signed data.
--init-token
Initialize a token.
--init-pin
Initialize the user PIN (first-time setup).
--change-pin
Change the user PIN.
--login, -l
Authenticate to the token before performing operations.
--pin _PIN_
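Supply the PIN on the command line. The PIN is then visible in the process list and shell history; with --login and no --pin, the tool prompts for it.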
--so-pin _PIN_
Supply the Security Officer PIN (used for token initialization).
--key-type _spec_
Key type and length (e.g., rsa:2048, EC:prime256v1).
--id _ID_
Object ID (hex).
--label _LABEL_
Object label.
--slot _ID_
Specify the slot to use.
--module _LIB_
PKCS#11 library to load.
--help
Display help.
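
An audit built on the --list-objects output described above, as an added example that is not part of the original page or the OpenSC project: it flags private keys whose Access line does not show both "sensitive" and "never extractable". The sample listing is constructed, and its layout and the function names are assumptions to check against your pkcs11-tool version.

```shell
#!/bin/sh
# Constructed sample listing (not captured from a real token). The layout is an
# assumption modelled on what pkcs11-tool prints for --list-objects.
sample_listing() {
cat <<'EOF'
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      signing-key
  ID:         01
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      signing-key
  ID:         01
  Usage:      encrypt, verify
  Access:     local
Private Key Object; EC
  label:      imported key
  ID:         02
  Usage:      sign
  Access:     sensitive, extractable
EOF
}

# Read a listing on stdin and print "ID<TAB>label<TAB>issues" for every private
# key whose Access line lacks "sensitive" or "never extractable".
audit_privkeys() {
  awk '
    function report(   issues) {
      if (!priv) return
      # Prefix ", " so that "always sensitive" alone does not count as "sensitive".
      if (index(", " access, ", sensitive") == 0) issues = "no-sensitive"
      if (index(access, "never extractable") == 0)
        issues = issues (issues == "" ? "" : ",") "no-never-extractable"
      if (issues != "") printf "%s\t%s\t%s\n", id, label, issues
    }
    # An unindented line starts a new object (or is a banner line).
    /^[^ \t]/ { report(); priv = ($0 ~ /^Private Key Object/); id = label = access = ""; next }
    /^[ \t]+label:/  { sub(/^[ \t]+label:[ \t]*/, "");  label = $0 }
    /^[ \t]+ID:/     { sub(/^[ \t]+ID:[ \t]*/, "");     id = $0 }
    /^[ \t]+Access:/ { sub(/^[ \t]+Access:[ \t]*/, ""); access = $0 }
    END { report() }
  '
}

# Stand-alone run over the constructed sample.
sample_listing | audit_privkeys
```

On a real token, pipe `pkcs11-tool --login --list-objects --type privkey` into `audit_privkeys`.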

FAQ

How do I run a basic pkcs11-tool example?

Run `pkcs11-tool --list-token-slots` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
