summaryrefslogtreecommitdiff
path: root/doc/man-sections/pkcs11-options.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man-sections/pkcs11-options.rst')
-rw-r--r--doc/man-sections/pkcs11-options.rst80
1 files changed, 80 insertions, 0 deletions
diff --git a/doc/man-sections/pkcs11-options.rst b/doc/man-sections/pkcs11-options.rst
new file mode 100644
index 0000000..c064aca
--- /dev/null
+++ b/doc/man-sections/pkcs11-options.rst
@@ -0,0 +1,80 @@
+PKCS#11 / SmartCard options
+---------------------------
+
+--pkcs11-cert-private args
+ Set if access to certificate object should be performed after login.
+ Every provider has its own setting.
+
+ Valid syntaxes:
+ ::
+
+ pkcs11-cert-private 0
+ pkcs11-cert-private 1
+
+--pkcs11-id name
+ Specify the serialized certificate id to be used. The id can be gotten
+ by the standalone ``--show-pkcs11-ids`` option.
+
+--pkcs11-id-management
+ Acquire PKCS#11 id from management interface. In this case a
+ :code:`NEED-STR 'pkcs11-id-request'` real-time message will be triggered,
+ application may use pkcs11-id-count command to retrieve available number of
+ certificates, and pkcs11-id-get command to retrieve certificate id and
+ certificate body.
+
+--pkcs11-pin-cache seconds
+ Specify how many seconds the PIN can be cached, the default is until the
+ token is removed.
+
+--pkcs11-private-mode mode
+ Specify which method to use in order to perform private key operations.
+ A different mode can be specified for each provider. Mode is encoded as
+ hex number, and can be a mask one of the following:
+
+ :code:`0` (default) Try to determine automatically.
+
+ :code:`1` Use sign.
+
+ :code:`2` Use sign recover.
+
+ :code:`4` Use decrypt.
+
+ :code:`8` Use unwrap.
+
+--pkcs11-protected-authentication args
+ Use PKCS#11 protected authentication path, useful for biometric and
+ external keypad devices. Every provider has its own setting.
+
+ Valid syntaxes:
+ ::
+
+ pkcs11-protected-authentication 0
+ pkcs11-protected-authentication 1
+
+--pkcs11-providers provider
+ Specify an RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ (Cryptoki) providers to load. This option can be used instead of
+ ``--cert``, ``--key`` and ``--pkcs12``.
+
+ If p11-kit is present on the system, its :code:`p11-kit-proxy.so` module
+ will be loaded by default if either the ``--pkcs11-id`` or
+ ``--pkcs11-id-management`` options are specified without
+ ``--pkcs11-provider`` being given.
+
+--show-pkcs11-ids args
+ (Standalone) Show PKCS#11 token object list.
+
+ Valid syntax:
+ ::
+
+ show-pkcs11 [provider] [cert_private]
+
+ Specify ``cert_private`` as :code:`1` if certificates are stored as
+ private objects.
+
+ If *p11-kit* is present on the system, the ``provider`` argument is
+ optional; if omitted the default :code:`p11-kit-proxy.so` module will be
+ queried.
+
+ ``--verb`` option can be used BEFORE this option to produce debugging
+ information.