Introduction
The YubiKey Manager CLI tool ykman can be used to configure all aspects of the YubiKey. This manual covers the options for each command as well as examples. Some operating systems, such as Windows, may not have ykman in the PATH environment variable; in that case, navigate to C:\Program Files\Yubico\Yubikey Manager\ to find ykman for Windows.
Commands
ykman
Usage:
ykman [OPTIONS] COMMAND [ARGS]...
Description:
Configure your YubiKey via the command line.
Examples:
List connected YubiKeys, only output serial number:
$ ykman list --serials
Show information about YubiKey with serial number 0123456:
$ ykman --device 0123456 info
Options:
-v, --version
-d, --device SERIAL
-l, --log-level [DEBUG|INFO|WARNING|ERROR|CRITICAL] Enable logging at given verbosity level.
--log-file FILE Write logs to the given FILE instead of standard error; ignored unless --log-level is also set.
-r, --reader NAME Use an external smart card reader. Conflicts with --device and list.
-h, --help Show this message and exit.
ykman config
Usage:
ykman config [OPTIONS] COMMAND [ARGS]...
Description:
Enable/Disable applications.
The applications may be enabled and disabled independently over different
interfaces (USB and NFC). The configuration may also be protected by a
lock code.
Examples:
Disable PIV over the NFC interface:
$ ykman config nfc --disable PIV
Enable all applications over USB:
$ ykman config usb --enable-all
Generate and set a random application lock code:
$ ykman config set-lock-code --generate
Options:
-h, --help Show this message and exit.
ykman config nfc
Usage:
ykman config nfc [OPTIONS]
Description:
Enable or disable applications over NFC.
Options:
-f, --force Confirm the action without prompting.
-e, --enable [OTP|U2F|OPGP|PIV|OATH|FIDO2] Enable applications.
-d, --disable [OTP|U2F|OPGP|PIV|OATH|FIDO2] Disable applications.
-a, --enable-all Enable all applications.
-D, --disable-all Disable all applications.
-l, --list List enabled applications.
-L, --lock-code HEX Current application configuration lock code.
-h, --help Show this message and exit.
ykman config set-lock-code
Usage:
ykman config set-lock-code [OPTIONS]
Description:
Set or change the configuration lock code.
A lock code may be used to protect the application configuration. The lock
code must be a 32-character (16-byte) hex value.
Options:
-f, --force Confirm the action without prompting.
-l, --lock-code HEX Current lock code.
-n, --new-lock-code HEX New lock code. Conflicts with --generate.
-c, --clear Clear the lock code.
-g, --generate Generate a random lock code. Conflicts with --new-lock-code.
-h, --help Show this message and exit.
ykman config usb
Usage:
ykman config usb [OPTIONS]
Description:
Enable or disable applications over USB.
Options:
-f, --force Confirm the action without prompting.
-e, --enable [OTP|U2F|OPGP|PIV|OATH|FIDO2] Enable applications.
-d, --disable [OTP|U2F|OPGP|PIV|OATH|FIDO2] Disable applications.
-l, --list List enabled applications.
-a, --enable-all Enable all applications.
-L, --lock-code HEX Current application configuration lock code.
--touch-eject When set, the button toggles the state of the smartcard between ejected and inserted (CCID only).
--no-touch-eject Disable touch eject (CCID only).
--autoeject-timeout SECONDS When set, the smartcard will automatically eject after the given time. Implies --touch-eject.
--chalresp-timeout SECONDS Sets the timeout when waiting for touch for challenge-response in the OTP application.
-h, --help Show this message and exit.
ykman fido
Usage:
ykman fido [OPTIONS] COMMAND [ARGS]...
Description:
Manage FIDO applications.
Examples:
Reset the FIDO (FIDO2 and U2F) applications:
$ ykman fido reset
Change the FIDO2 PIN from 123456 to 654321:
$ ykman fido set-pin --pin 123456 --new-pin 654321
Options:
-h, --help Show this message and exit.
ykman fido delete
Usage:
ykman fido delete [OPTIONS] QUERY
Description:
Delete a resident credential.
Options:
-P, --pin TEXT PIN code.
-f, --force Confirm deletion without prompting.
-h, --help Show this message and exit.
ykman fido info
Usage:
ykman fido info [OPTIONS]
Description:
Display status of FIDO2 application.
Options:
-h, --help Show this message and exit.
ykman fido list
Usage:
ykman fido list [OPTIONS]
Description:
List resident credentials.
Options:
-P, --pin TEXT PIN code.
-h, --help Show this message and exit.
ykman fido reset
Usage:
ykman fido reset [OPTIONS]
Description:
Reset all FIDO applications.
This action will wipe all FIDO credentials, including FIDO U2F
credentials, on the YubiKey and remove the PIN code.
The reset must be triggered immediately after the YubiKey is inserted, and
requires a touch on the YubiKey.
Options:
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman fido set-pin
Usage:
ykman fido set-pin [OPTIONS]
Description:
Set or change the PIN code.
The FIDO2 PIN must be at least 4 characters long, and supports any type of
alphanumeric characters.
On YubiKey FIPS, a PIN can be set for FIDO U2F. That PIN must be at least
6 characters long.
Options:
-P, --pin TEXT Current PIN code.
-n, --new-pin TEXT A new PIN.
-u, --u2f Set FIDO U2F PIN instead of FIDO2 PIN.
-h, --help Show this message and exit.
ykman fido unlock
Usage:
ykman fido unlock [OPTIONS]
Description:
Verify U2F PIN for YubiKey FIPS.
Unlock the YubiKey FIPS and allow U2F registration.
Options:
-P, --pin TEXT Current PIN code.
-h, --help Show this message and exit.
ykman info
Usage:
ykman info [OPTIONS]
Description:
Show general information.
Displays information about the attached YubiKey such as serial number,
firmware version, applications, etc.
Options:
-c, --check-fips Check if YubiKey is in FIPS Approved mode.
-h, --help Show this message and exit.
ykman list
Usage:
ykman list [OPTIONS]
Description:
List connected YubiKeys.
Options:
-s, --serials Output only serial numbers, one per line (devices without serial will be omitted).
-r, --readers List available smart card readers.
-h, --help Show this message and exit.
ykman mode
Usage:
ykman mode [OPTIONS] [MODE]
Description:
Manage connection modes (USB Interfaces).
Get the current connection mode of the YubiKey, or set it to MODE.
MODE can be a string, such as "OTP+FIDO+CCID", or a shortened form:
"o+f+c". It can also be a mode number.
Examples:
Set the OTP and FIDO mode:
$ ykman mode OTP+FIDO
Set the CCID only mode and use touch to eject the smart card:
$ ykman mode CCID --touch-eject
Options:
--touch-eject When set, the button toggles the state of the smartcard between ejected and inserted (CCID mode only).
--autoeject-timeout SECONDS When set, the smartcard will automatically eject after the given time. Implies --touch-eject (CCID mode only).
--chalresp-timeout SECONDS Sets the timeout when waiting for touch for challenge response.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman oath
Usage:
ykman oath [OPTIONS] COMMAND [ARGS]...
Description:
Manage OATH Application.
Examples:
Generate codes for credentials starting with 'yubi':
$ ykman oath code yubi
Add a touch credential with the secret key f5up4ub3dw and the name yubico:
$ ykman oath add yubico f5up4ub3dw --touch
Set a password for the OATH application:
$ ykman oath set-password
Options:
-p, --password TEXT Provide a password to unlock the YubiKey.
-h, --help Show this message and exit.
ykman oath add
Usage:
ykman oath add [OPTIONS] NAME [SECRET]
Description:
Add a new credential.
This will add a new credential to your YubiKey.
Options:
-o, --oath-type [HOTP|TOTP] Time-based (TOTP) or counter-based (HOTP) credential. [default: TOTP]
-d, --digits [6|7|8] Number of digits in generated code. [default: 6]
-a, --algorithm [SHA1|SHA256|SHA512] Algorithm to use for code generation. [default: SHA1]
-c, --counter INTEGER Initial counter value for HOTP credentials.
-i, --issuer TEXT Issuer of the credential.
-p, --period INTEGER Number of seconds a TOTP code is valid. [default: 30]
-t, --touch Require touch on YubiKey to generate code.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman oath code
Usage:
ykman oath code [OPTIONS] [QUERY]
Description:
Generate codes.
Generate codes from credentials stored on your YubiKey. Provide a query
string to match one or more specific credentials. Touch and HOTP
credentials require a single match to be triggered.
Options:
-H, --show-hidden Include hidden credentials.
-s, --single Ensure only a single match, and output only the code.
-h, --help Show this message and exit.
ykman oath delete
Usage:
ykman oath delete [OPTIONS] QUERY
Description:
Delete a credential.
Delete a credential from your YubiKey. Provide a query string to match the
credential to delete.
Options:
-f, --force Confirm deletion without prompting.
-h, --help Show this message and exit.
ykman oath info
Usage:
ykman oath info [OPTIONS]
Description:
Display status of OATH application.
Options:
-h, --help Show this message and exit.
ykman oath list
Usage:
ykman oath list [OPTIONS]
Description:
List all credentials.
List all credentials stored on your YubiKey.
Options:
-H, --show-hidden Include hidden credentials.
-o, --oath-type Display the OATH type.
-p, --period Display the period.
-h, --help Show this message and exit.
ykman oath remember-password
Usage:
ykman oath remember-password [OPTIONS]
Description:
Manage local password storage.
Store your YubiKey's password on this computer to avoid having to enter it
on each use, or delete stored passwords.
Options:
-F, --forget Forget a password.
-c, --clear-all Remove all stored passwords from this computer.
-h, --help Show this message and exit.
ykman oath reset
Usage:
ykman oath reset [OPTIONS]
Description:
Reset all OATH data.
This action will wipe all credentials and reset factory settings for the
OATH application on the YubiKey.
Options:
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman oath set-password
Usage:
ykman oath set-password [OPTIONS]
Description:
Password protect the OATH credentials.
Allows you to set a password that will be required to access the OATH
credentials stored on your YubiKey.
Options:
-c, --clear Clear the current password.
-n, --new-password TEXT Provide a new password as an argument.
-r, --remember Remember the new password on this machine.
-h, --help Show this message and exit.
ykman oath uri
Usage:
ykman oath uri [OPTIONS] [URI]
Description:
Add a new credential from URI.
Use a URI to add a new credential to your YubiKey.
Options:
-t, --touch Require touch on YubiKey to generate code.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman openpgp
Usage:
ykman openpgp [OPTIONS] COMMAND [ARGS]...
Description:
Manage OpenPGP Application.
Examples:
Set the retries for PIN, Reset Code and Admin PIN to 10:
$ ykman openpgp set-pin-retries 10 10 10
Require touch to use the authentication key:
$ ykman openpgp set-touch aut on
Options:
-h, --help Show this message and exit.
ykman openpgp attest
Usage:
ykman openpgp attest [OPTIONS] KEY CERTIFICATE
Description:
Generate an attestation certificate for a key.
Attestation is used to show that an asymmetric key was generated on the
YubiKey and therefore doesn't exist outside the device.
KEY Key slot to attest (sig, enc, aut).
CERTIFICATE File to write attestation certificate to. Use '-' to use stdout.
Options:
-P, --pin TEXT PIN code.
-F, --format [PEM|DER] Encoding format. [default: PEM]
-h, --help Show this message and exit.
ykman openpgp delete-certificate
Usage:
ykman openpgp delete-certificate [OPTIONS] KEY
Description:
Delete an OpenPGP certificate.
KEY Key slot to delete certificate from (sig, enc, aut, or att).
Options:
-a, --admin-pin TEXT Admin PIN for OpenPGP.
-h, --help Show this message and exit.
ykman openpgp export-certificate
Usage:
ykman openpgp export-certificate [OPTIONS] KEY CERTIFICATE
Description:
Export an OpenPGP certificate.
KEY Key slot to read from (sig, enc, aut, or att).
CERTIFICATE File to write certificate to. Use '-' to use stdout.
Options:
-F, --format [PEM|DER] Encoding format. [default: PEM]
-h, --help Show this message and exit.
ykman openpgp import-attestation-key
Usage:
ykman openpgp import-attestation-key [OPTIONS] PRIVATE-KEY
Description:
Import a private attestation key.
Import a private key for OpenPGP attestation.
PRIVATE-KEY File containing the private key. Use '-' to use stdin.
Options:
-a, --admin-pin TEXT Admin PIN for OpenPGP.
-h, --help Show this message and exit.
ykman openpgp import-certificate
Usage:
ykman openpgp import-certificate [OPTIONS] KEY CERTIFICATE
Description:
Import an OpenPGP certificate.
KEY Key slot to import certificate to (sig, enc, aut, or att).
CERTIFICATE File containing the certificate. Use '-' to use stdin.
Options:
-a, --admin-pin TEXT Admin PIN for OpenPGP.
-h, --help Show this message and exit.
ykman openpgp info
Usage:
ykman openpgp info [OPTIONS]
Description:
Display status of OpenPGP application.
Options:
-h, --help Show this message and exit.
ykman openpgp reset
Usage:
ykman openpgp reset [OPTIONS]
Description:
Reset OpenPGP application.
This action will wipe all OpenPGP data, and set all PINs to their default
values.
Options:
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman openpgp set-pin-retries
Usage:
ykman openpgp set-pin-retries [OPTIONS] PIN-RETRIES RESET-CODE-RETRIES ADMIN-PIN-RETRIES
Description:
Set PIN, Reset Code and Admin PIN retries.
Options:
-a, --admin-pin TEXT Admin PIN for OpenPGP.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman openpgp set-touch
Usage:
ykman openpgp set-touch [OPTIONS] KEY POLICY
Description:
Set touch policy for OpenPGP keys.
KEY Key slot to set (sig, enc, aut or att).
POLICY Touch policy to set (on, off, fixed, cached or cached-fixed).
Options:
-a, --admin-pin TEXT Admin PIN for OpenPGP.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman otp
Usage:
ykman otp [OPTIONS] COMMAND [ARGS]...
Description:
Manage OTP Application.
The YubiKey provides two keyboard-based slots which can each be configured
with a credential. Several credential types are supported.
A slot configuration may be write-protected with an access code. This
prevents the configuration from being overwritten unless the access code
is provided. Mode switching the YubiKey is not possible when a slot is
configured with an access code.
Examples:
Swap the configurations between the two slots:
$ ykman otp swap
Program a random challenge-response credential to slot 2:
$ ykman otp chalresp --generate 2
Program a Yubico OTP credential to slot 1, using the serial as public id:
$ ykman otp yubiotp 1 --serial-public-id
Program a random 38 characters long static password to slot 2:
$ ykman otp static --generate 2 --length 38
Options:
--access-code HEX A 6 byte access code. Set to empty to use a prompt for input.
-h, --help Show this message and exit.
ykman otp calculate
Usage:
ykman otp calculate [OPTIONS] [1|2] [CHALLENGE]
Description:
Perform a challenge-response operation.
Send a challenge (in hex) to a YubiKey slot with a challenge-response
credential, and read the response. Supports output as an OATH-TOTP code.
Options:
-T, --totp Generate a TOTP code, use the current time as challenge.
-d, --digits [6|8] Number of digits in generated TOTP code (default is 6).
-h, --help Show this message and exit.
Examples:
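How the code printed by ykman otp calculate --totp is derived from a challenge-response, and what the --digits, --period and --algorithm settings of ykman oath add change, as an added Python example that is not part of ykman or of the original manual. It goes beyond the SHA1 case of the OTP slot; a software HMAC stands in for the YubiKey, and the function names and the RFC 6238 test key used as sample input are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key: the RFC 6238 test secret, base32-encoded in the
# form accepted by `ykman otp chalresp --totp` and `ykman oath add`.
SAMPLE_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_key(text: str) -> bytes:
    """Decode a base32 secret, tolerating spaces, lower case and missing padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def time_challenge(timestamp: float, period: int = 30) -> bytes:
    """Challenge for a TOTP request: the time-step counter as 8 big-endian bytes."""
    if period <= 0:
        raise ValueError("period must be positive")
    return struct.pack(">q", int(timestamp // period))


def software_response(key: bytes, challenge: bytes, algorithm: str = "SHA1") -> bytes:
    """Software stand-in for the device: HMAC of the challenge under the stored key.

    On a real YubiKey the key never leaves the token; only this response does.
    """
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported algorithm")
    return hmac.new(key, challenge, getattr(hashlib, algorithm.lower())).digest()


def truncate(response: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC response to a decimal code."""
    if digits not in (6, 7, 8):
        raise ValueError("digits must be 6, 7 or 8")
    offset = response[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", response[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(key: bytes, timestamp: float, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """Challenge, response and truncation chained together."""
    challenge = time_challenge(timestamp, period)
    return truncate(software_response(key, challenge, algorithm), digits)


def verify_totp(candidate: str, key: bytes, timestamp: float, digits: int = 6,
                period: int = 30, skew_steps: int = 1) -> bool:
    """Verifier side: accept codes within +/- skew_steps periods of the clock.

    Every window is compared in constant time; a larger skew tolerates more
    clock drift but lengthens the time a captured code stays usable.
    """
    ok = False
    for step in range(-skew_steps, skew_steps + 1):
        expected = totp(key, timestamp + step * period, digits, period)
        ok |= hmac.compare_digest(expected.encode(), candidate.encode())
    return ok


if __name__ == "__main__":
    key = decode_base32_key(SAMPLE_KEY_B32)
    print("8-digit code at t=59:", totp(key, 59, digits=8))
    print("6-digit code at t=59:", totp(key, 59))
    print("accepted one step late:", verify_totp(totp(key, 59), key, 89))
```
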
ykman otp chalresp
Usage:
ykman otp chalresp [OPTIONS] [1|2] [KEY]
Description:
Program a challenge-response credential.
If KEY is not given, an interactive prompt will ask for it.
Options:
-t, --touch Require touch on YubiKey to generate response.
-T, --totp Use a base32 encoded key for TOTP credentials.
-g, --generate Generate a random secret key. Conflicts with KEY argument.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman otp delete
Usage:
ykman otp delete [OPTIONS] [1|2]
Description:
Deletes the configuration of a slot.
Options:
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman otp hotp
Usage:
ykman otp hotp [OPTIONS] [1|2] [KEY]
Description:
Program an HMAC-SHA1 OATH-HOTP credential.
Options:
-d, --digits [6|8] Number of digits in generated code (default is 6).
-c, --counter INTEGER Initial counter value.
--no-enter Don't send an Enter keystroke after outputting the code.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman otp info
Usage:
ykman otp info [OPTIONS]
Description:
Display status of YubiKey Slots.
Options:
-h, --help Show this message and exit.
ykman otp ndef
Usage:
ykman otp ndef [OPTIONS] [1|2]
Description:
Select slot configuration to use for NDEF.
The default prefix will be used if no prefix is specified.
Options:
-p, --prefix TEXT Added before the NDEF payload. Typically a URI.
-h, --help Show this message and exit.
ykman otp settings
Usage:
ykman otp settings [OPTIONS] [1|2]
Description:
Update the settings for a slot.
Change the settings for a slot without changing the stored secret. All
settings not specified will be written with default values.
Options:
-f, --force Confirm the action without prompting.
-A, --new-access-code HEX Set a new 6 byte access code for the slot. Set to empty to use a prompt for input.
--delete-access-code Remove access code from the slot.
--enter / --no-enter Should send 'Enter' keystroke after slot output. [default: True]
-p, --pacing [0|20|40|60] Throttle output speed by adding a delay (in ms) between characters emitted. [default: 0]
--use-numeric-keypad Use scancodes for numeric keypad when sending digits. Helps with some keyboard layouts. [default: False]
-h, --help Show this message and exit.
ykman otp static
Usage:
ykman otp static [OPTIONS] [1|2] [PASSWORD]
Description:
Configure a static password.
To avoid problems with different keyboard layouts, the following
characters are allowed by default: cbdefghijklnrtuv
Use the --keyboard-layout option to allow more characters based on
preferred keyboard layout.
Options:
-g, --generate Generate a random password.
-l, --length INTEGER RANGE Length of generated password.
-k, --keyboard-layout [MODHEX|US|DE|NORMAN] Keyboard layout to use for the static password. [default: MODHEX]
--no-enter Don't send an Enter keystroke after outputting the password.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman otp swap
Usage:
ykman otp swap [OPTIONS]
Description:
Swaps the two slot configurations.
Options:
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman otp yubiotp
Usage:
ykman otp yubiotp [OPTIONS] [1|2]
Description:
Program a Yubico OTP credential.
Options:
-P, --public-id MODHEX Public identifier prefix.
-p, --private-id HEX 6 byte private identifier.
-k, --key HEX 16 byte secret key.
--no-enter Don't send an Enter keystroke after emitting the OTP.
-S, --serial-public-id Use YubiKey serial number as public ID. Conflicts with --public-id.
-g, --generate-private-id Generate a random private ID. Conflicts with --private-id.
-G, --generate-key Generate a random secret key. Conflicts with --key.
-u, --upload Upload credential to YubiCloud (opens in browser). Conflicts with --force.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman piv
Usage:
ykman piv [OPTIONS] COMMAND [ARGS]...
Description:
Manage PIV Application.
Examples:
Generate an ECC P-256 private key and a self-signed certificate in
slot 9a:
$ ykman piv generate-key --algorithm ECCP256 9a pubkey.pem
$ ykman piv generate-certificate --subject "yubico" 9a pubkey.pem
Change the PIN from 123456 to 654321:
$ ykman piv change-pin --pin 123456 --new-pin 654321
Reset all PIV data and restore default settings:
$ ykman piv reset
Options:
-h, --help Show this message and exit.
ykman piv attest
Usage:
ykman piv attest [OPTIONS] SLOT CERTIFICATE
Description:
Generate an attestation certificate for a key.
Attestation is used to show that an asymmetric key was generated on the
YubiKey and therefore doesn't exist outside the device.
SLOT PIV slot with a private key to attest.
CERTIFICATE File to write attestation certificate to. Use '-' to use stdout.
Options:
-F, --format [PEM|DER] Encoding format. [default: PEM]
-h, --help Show this message and exit.
ykman piv change-management-key
Usage:
ykman piv change-management-key [OPTIONS]
Description:
Change the management key.
Management functionality is guarded by a 24 byte management key. This key
is required for administrative tasks, such as generating key pairs. A
random key may be generated and stored on the YubiKey, protected by PIN.
Options:
-P, --pin TEXT PIN code.
-t, --touch Require touch on YubiKey when prompted for management key.
-n, --new-management-key TEXT A new management key.
-m, --management-key TEXT Current management key.
-p, --protect Store new management key on your YubiKey, protected by PIN. A random key will be used if no key is provided.
-g, --generate Generate a random management key. Implied by --protect unless --new-management-key is also given. Conflicts with --new-management-key.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman piv change-pin
Usage:
ykman piv change-pin [OPTIONS]
Description:
Change the PIN code.
The PIN must be between 6 and 8 characters long, and supports any type of
alphanumeric characters. For cross-platform compatibility, numeric digits
are recommended.
Options:
-P, --pin TEXT Current PIN code.
-n, --new-pin TEXT A new PIN.
-h, --help Show this message and exit.
ykman piv change-puk
Usage:
ykman piv change-puk [OPTIONS]
Description:
Change the PUK code.
If the PIN is lost or blocked it can be reset using a PUK. The PUK must be
between 6 and 8 characters long, and supports any type of alphanumeric
characters.
Options:
-p, --puk TEXT Current PUK code.
-n, --new-puk TEXT A new PUK code.
-h, --help Show this message and exit.
ykman piv delete-certificate
Usage:
ykman piv delete-certificate [OPTIONS] SLOT
Description:
Delete a certificate.
Delete a certificate from a slot on the YubiKey.
Options:
-m, --management-key TEXT The management key.
-P, --pin TEXT PIN code.
-h, --help Show this message and exit.
ykman piv export-certificate
Usage:
ykman piv export-certificate [OPTIONS] SLOT CERTIFICATE
Description:
Export an X.509 certificate.
Reads a certificate from one of the slots on the YubiKey.
SLOT PIV slot to read certificate from.
CERTIFICATE File to write certificate to. Use '-' to use stdout.
Options:
-F, --format [PEM|DER] Encoding format. [default: PEM]
-h, --help Show this message and exit.
ykman piv generate-certificate
Usage:
ykman piv generate-certificate [OPTIONS] SLOT PUBLIC-KEY
Description:
Generate a self-signed X.509 certificate.
A self-signed certificate is generated and written to one of the slots on
the YubiKey. A private key needs to exist in the slot.
SLOT PIV slot where private key is stored.
PUBLIC-KEY File containing a public key. Use '-' to use stdin.
Options:
-m, --management-key TEXT The management key.
-P, --pin TEXT PIN code.
-s, --subject TEXT Subject common name (CN) for the certificate. [required]
-d, --valid-days INTEGER Number of days until the certificate expires. [default: 365]
-h, --help Show this message and exit.
ykman piv generate-csr
Usage:
ykman piv generate-csr [OPTIONS] SLOT PUBLIC-KEY CSR
Description:
Generate a Certificate Signing Request (CSR).
A private key needs to exist in the slot.
SLOT PIV slot where the private key is stored.
PUBLIC-KEY File containing a public key. Use '-' to use stdin.
CSR File to write CSR to. Use '-' to use stdout.
Options:
-P, --pin TEXT PIN code.
-s, --subject TEXT Subject common name (CN) for the requested certificate. [required]
-h, --help Show this message and exit.
ykman piv generate-key
Usage:
ykman piv generate-key [OPTIONS] SLOT PUBLIC-KEY
Description:
Generate an asymmetric key pair.
The private key is generated on the YubiKey, and written to one of the
slots.
SLOT PIV slot where private key should be stored.
PUBLIC-KEY File containing the generated public key. Use '-' to use stdout.
Options:
-m, --management-key TEXT The management key.
-P, --pin TEXT PIN code.
-a, --algorithm [TDES|RSA1024|RSA2048|ECCP256|ECCP384] Algorithm to use in key generation. [default: RSA2048]
-F, --format [PEM|DER] Encoding format. [default: PEM]
--pin-policy [DEFAULT|NEVER|ONCE|ALWAYS] PIN policy for slot.
--touch-policy [DEFAULT|NEVER|ALWAYS|CACHED] Touch policy for slot.
-h, --help Show this message and exit.
ykman piv import-certificate
Usage:
ykman piv import-certificate [OPTIONS] SLOT CERTIFICATE
Description:
Import an X.509 certificate.
Write a certificate to one of the slots on the YubiKey.
SLOT PIV slot to import the certificate to.
CERTIFICATE File containing the certificate. Use '-' to use stdin.
Options:
-m, --management-key TEXT The management key.
-P, --pin TEXT PIN code.
-p, --password TEXT A password may be needed to decrypt the data.
-v, --verify Verify that the certificate matches the private key in the slot.
-h, --help Show this message and exit.
ykman piv import-key
Usage:
ykman piv import-key [OPTIONS] SLOT PRIVATE-KEY
Description:
Import a private key.
Write a private key to one of the slots on the YubiKey.
SLOT PIV slot to import the private key to.
PRIVATE-KEY File containing the private key. Use '-' to use stdin.
Options:
-P, --pin TEXT PIN code.
-m, --management-key TEXT The management key.
--pin-policy [DEFAULT|NEVER|ONCE|ALWAYS] PIN policy for slot.
--touch-policy [DEFAULT|NEVER|ALWAYS|CACHED] Touch policy for slot.
-p, --password TEXT Password used to decrypt the private key.
-h, --help Show this message and exit.
ykman piv info
Usage:
ykman piv info [OPTIONS]
Description:
Display status of PIV application.
Options:
-h, --help Show this message and exit.
ykman piv read-object
Usage:
ykman piv read-object [OPTIONS] OBJECT-ID
Description:
Read arbitrary PIV object.
Read PIV object by providing the object id.
OBJECT-ID Id of PIV object in HEX.
Options:
-P, --pin TEXT PIN code.
-h, --help Show this message and exit.
ykman piv reset
Usage:
ykman piv reset [OPTIONS]
Description:
Reset all PIV data.
This action will wipe all data and restore factory settings for the PIV
application on your YubiKey.
Options:
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman piv set-ccc
Usage:
ykman piv set-ccc [OPTIONS]
Description:
Generate and set a CCC on the YubiKey.
Options:
-P, --pin TEXT PIN code.
-m, --management-key TEXT The management key.
-h, --help Show this message and exit.
ykman piv set-chuid
Usage:
ykman piv set-chuid [OPTIONS]
Description:
Generate and set a CHUID on the YubiKey.
Options:
-P, --pin TEXT PIN code.
-m, --management-key TEXT The management key.
-h, --help Show this message and exit.
ykman piv set-pin-retries
Usage:
ykman piv set-pin-retries [OPTIONS] PIN-RETRIES PUK-RETRIES
Description:
Set the number of PIN and PUK retries. NOTE: This will reset the PIN and
PUK to their factory defaults.
Options:
-m, --management-key TEXT The management key.
-P, --pin TEXT PIN code.
-f, --force Confirm the action without prompting.
-h, --help Show this message and exit.
ykman piv unblock-pin
Usage:
ykman piv unblock-pin [OPTIONS]
Description:
Unblock the PIN.
Reset the PIN using the PUK code.
Options:
-p, --puk TEXT
-n, --new-pin NEW-PIN
-h, --help Show this message and exit.
ykman piv write-object
Usage:
ykman piv write-object [OPTIONS] OBJECT-ID DATA
Description:
Write an arbitrary PIV object.
Write a PIV object by providing the object id. Yubico writable PIV objects
are available in the range 5f0000 - 5fffff.
OBJECT-ID Id of PIV object in HEX.
DATA File containing the data to be written. Use '-' to use stdin.
Options:
-P, --pin TEXT PIN code.
-m, --management-key TEXT The management key.
-h, --help Show this message and exit.