YubiKey Manager CLI (ykman) User Manual

Introduction

The YubiKey Manager CLI tool ykman can be used to configure all aspects of the YubiKey. This manual covers the options for each command as well as examples. On some operating systems, such as Windows, ykman may not be on the PATH; on Windows, look for it in C:\Program Files\Yubico\Yubikey Manager\.

Commands

ykman

Usage:

 ykman [OPTIONS] COMMAND [ARGS]...

Description:

Configure your YubiKey via the command line.

Examples:

List connected YubiKeys, only output serial number:

$ ykman list --serials

Show information about YubiKey with serial number 0123456:

$ ykman --device 0123456 info

Options:

-v, --version
-d, --device SERIAL
-l, --log-level [DEBUG|INFO|WARNING|ERROR|CRITICAL]
Enable logging at given verbosity level.
--log-file FILE                 Write logs to the given FILE instead of
standard error; ignored unless --log-level
is also set.
-r, --reader NAME               Use an external smart card reader. Conflicts
with --device and list.
-h, --help                      Show this message and exit.

ykman config

Usage:

 ykman config [OPTIONS] COMMAND [ARGS]...

Description:

Enable/Disable applications.

The applications may be enabled and disabled independently over different

interfaces (USB and NFC). The configuration may also be protected by a

lock code.

Examples:

Disable PIV over the NFC interface:

$ ykman config nfc --disable PIV

Enable all applications over USB:

$ ykman config usb --enable-all

Generate and set a random application lock code:

$ ykman config set-lock-code --generate

Options:

-h, --help  Show this message and exit.

ykman config nfc

Usage:

 ykman config nfc [OPTIONS]

Description:

Enable or disable applications over NFC.

Options:

-f, --force                     Confirm the action without prompting.
-e, --enable [OTP|U2F|OPGP|PIV|OATH|FIDO2]
Enable applications.
-d, --disable [OTP|U2F|OPGP|PIV|OATH|FIDO2]
Disable applications.
-a, --enable-all                Enable all applications.
-D, --disable-all               Disable all applications.
-l, --list                      List enabled applications.
-L, --lock-code HEX             Current application configuration lock code.
-h, --help                      Show this message and exit.

ykman config set-lock-code

Usage:

 ykman config set-lock-code [OPTIONS]

Description:

Set or change the configuration lock code.

A lock code may be used to protect the application configuration. The lock code must be a 32-character (16 byte) hex value.

Options:

-f, --force              Confirm the action without prompting.
-l, --lock-code HEX      Current lock code.
-n, --new-lock-code HEX  New lock code. Conflicts with --generate.
-c, --clear              Clear the lock code.
-g, --generate           Generate a random lock code. Conflicts with --new-lock-code.
-h, --help               Show this message and exit.
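
The lock code workflow (generate a 16-byte code, then pass it with --lock-code whenever an interface configuration is changed) is easy to get wrong by hand: a value that is not exactly 32 hex characters is rejected, and a generated code that is not recorded cannot be supplied later, so no further configuration changes are possible. The following Python is an added example written for this manual, not code from ykman or Yubico: it validates the code before ykman is ever invoked, draws it from the OS random source, and builds the argument vectors for the two steps so they can be inspected in a dry run. ykman is called through subprocess without a shell, so the hex value is never subject to shell parsing. The functions and their names are this example's own.

```python
import re
import secrets
import subprocess
from typing import List, Optional, Sequence

# ykman requires the lock code as 32 hexadecimal characters (16 bytes).
LOCK_CODE_BYTES = 16
_LOCK_CODE_RE = re.compile(r"[0-9a-fA-F]{32}")


def generate_lock_code() -> str:
    """Fresh random lock code (32 hex characters) from the OS CSPRNG."""
    return secrets.token_hex(LOCK_CODE_BYTES)


def is_valid_lock_code(code: str) -> bool:
    """True if `code` has exactly the shape ykman accepts for a lock code."""
    return _LOCK_CODE_RE.fullmatch(code) is not None


def set_lock_code_argv(new_code: str, current_code: Optional[str] = None) -> List[str]:
    """Argument vector for `ykman config set-lock-code`.

    `current_code` must be given when a lock code is already set. Both values
    are validated here so a malformed code is never handed to the device.
    """
    if not is_valid_lock_code(new_code):
        raise ValueError("lock code must be 32 hex characters (16 bytes)")
    argv = ["ykman", "config", "set-lock-code", "--force", "--new-lock-code", new_code]
    if current_code is not None:
        if not is_valid_lock_code(current_code):
            raise ValueError("current lock code must be 32 hex characters (16 bytes)")
        argv += ["--lock-code", current_code]
    return argv


def disable_app_argv(interface: str, app: str, lock_code: str) -> List[str]:
    """Argument vector for `ykman config <usb|nfc> --disable APP --lock-code HEX`."""
    if interface not in ("usb", "nfc"):
        raise ValueError("interface must be 'usb' or 'nfc'")
    if not is_valid_lock_code(lock_code):
        raise ValueError("lock code must be 32 hex characters (16 bytes)")
    return ["ykman", "config", interface, "--force", "--disable", app, "--lock-code", lock_code]


def run_argv(argv: Sequence[str]) -> int:
    """Execute a prepared argument vector without a shell; returns the exit status."""
    return subprocess.run(list(argv), check=False).returncode


if __name__ == "__main__":
    # Procedure: generate, record, protect the configuration, then use the
    # code to make a locked change (here: disable PIV over NFC).
    code = generate_lock_code()
    print("new lock code (record it before continuing):", code)
    run_argv(set_lock_code_argv(code))
    run_argv(disable_app_argv("nfc", "PIV", code))
```

Run the module directly to perform the two steps against the connected key; import it to inspect the argument vectors without touching a device.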
ykman config usb

Usage:

 ykman config usb [OPTIONS]

Description:

Enable or disable applications over USB.

Options:

-f, --force                     Confirm the action without prompting.
-e, --enable [OTP|U2F|OPGP|PIV|OATH|FIDO2]
Enable applications.
-d, --disable [OTP|U2F|OPGP|PIV|OATH|FIDO2]
Disable applications.
-l, --list                      List enabled applications.
-a, --enable-all                Enable all applications.
-L, --lock-code HEX             Current application configuration lock code.
--touch-eject                   When set, the button toggles the state of
the smartcard between ejected and inserted.
(CCID only).
--no-touch-eject                Disable touch eject (CCID only).
--autoeject-timeout SECONDS     When set, the smartcard will automatically
eject after the given time. Implies --touch-eject.
--chalresp-timeout SECONDS      Sets the timeout when waiting for touch for
challenge-response in the OTP application.
-h, --help                      Show this message and exit.

ykman fido

Usage:

 ykman fido [OPTIONS] COMMAND [ARGS]...

Description:

Manage FIDO applications.

Examples:

Reset the FIDO (FIDO2 and U2F) applications:

$ ykman fido reset

Change the FIDO2 PIN from 123456 to 654321:

$ ykman fido set-pin --pin 123456 --new-pin 654321

Options:

-h, --help  Show this message and exit.

ykman fido delete

Usage:

 ykman fido delete [OPTIONS] QUERY

Description:

Delete a resident credential.

Options:

-P, --pin TEXT  PIN code.
-f, --force     Confirm deletion without prompting.
-h, --help      Show this message and exit.

ykman fido info

Usage:

 ykman fido info [OPTIONS]

Description:

Display status of FIDO2 application.

Options:

-h, --help  Show this message and exit.

ykman fido list

Usage:

 ykman fido list [OPTIONS]

Description:

List resident credentials.

Options:

-P, --pin TEXT  PIN code.
-h, --help      Show this message and exit.

ykman fido reset

Usage:

 ykman fido reset [OPTIONS]

Description:

Reset all FIDO applications.

This action will wipe all FIDO credentials, including FIDO U2F

credentials, on the YubiKey and remove the PIN code.

The reset must be triggered immediately after the YubiKey is inserted, and

requires a touch on the YubiKey.

Options:

-f, --force  Confirm the action without prompting.
-h, --help   Show this message and exit.

ykman fido set-pin

Usage:

 ykman fido set-pin [OPTIONS]

Description:

Set or change the PIN code.

The FIDO2 PIN must be at least 4 characters long, and supports any type of

alphanumeric characters.

On YubiKey FIPS, a PIN can be set for FIDO U2F. That PIN must be at least

6 characters long.

Options:

-P, --pin TEXT      Current PIN code.
-n, --new-pin TEXT  A new PIN.
-u, --u2f           Set FIDO U2F PIN instead of FIDO2 PIN.
-h, --help          Show this message and exit.

ykman fido unlock

Usage:

 ykman fido unlock [OPTIONS]

Description:

Verify U2F PIN for YubiKey FIPS.

Unlock the YubiKey FIPS and allow U2F registration.

Options:

-P, --pin TEXT  Current PIN code.
-h, --help      Show this message and exit.

ykman info

Usage:

 ykman info [OPTIONS]

Description:

Show general information.

Displays information about the attached YubiKey such as serial number,

firmware version, applications, etc.

Options:

-c, --check-fips  Check if YubiKey is in FIPS Approved mode.
-h, --help        Show this message and exit.

ykman list

Usage:

 ykman list [OPTIONS]

Description:

List connected YubiKeys.

Options:

-s, --serials  Output only serial numbers, one per line (devices without
serial will be omitted).
-r, --readers  List available smart card readers.
-h, --help     Show this message and exit.

ykman mode

Usage:

 ykman mode [OPTIONS] [MODE]

Description:

Manage connection modes (USB Interfaces).

Get the current connection mode of the YubiKey, or set it to MODE.

MODE can be a string, such as "OTP+FIDO+CCID", or a shortened form:

"o+f+c". It can also be a mode number.

Examples:

Set the OTP and FIDO mode:

$ ykman mode OTP+FIDO

Set the CCID only mode and use touch to eject the smart card:

$ ykman mode CCID --touch-eject

Options:

--touch-eject                When set, the button toggles the state of the
smartcard between ejected and inserted (CCID
mode only).
--autoeject-timeout SECONDS  When set, the smartcard will automatically
eject after the given time. Implies --touch-eject (CCID mode only).
--chalresp-timeout SECONDS   Sets the timeout when waiting for touch for
challenge response.
-f, --force                  Confirm the action without prompting.
-h, --help                   Show this message and exit.

ykman oath

Usage:

 ykman oath [OPTIONS] COMMAND [ARGS]...

Description:

Manage OATH Application.

Examples:

Generate codes for credentials starting with 'yubi':

$ ykman oath code yubi

Add a touch credential with the secret key f5up4ub3dw and the name yubico:

$ ykman oath add yubico f5up4ub3dw --touch

Set a password for the OATH application:

$ ykman oath set-password

Options:

-p, --password TEXT  Provide a password to unlock the YubiKey.
-h, --help           Show this message and exit.

ykman oath add

Usage:

 ykman oath add [OPTIONS] NAME [SECRET]

Description:

Add a new credential.

This will add a new credential to your YubiKey.

Options:

-o, --oath-type [HOTP|TOTP]     Time-based (TOTP) or counter-based (HOTP)
credential.  [default: TOTP]
-d, --digits [6|7|8]            Number of digits in generated code.
[default: 6]
-a, --algorithm [SHA1|SHA256|SHA512]
Algorithm to use for code generation.
[default: SHA1]
-c, --counter INTEGER           Initial counter value for HOTP credentials.
-i, --issuer TEXT               Issuer of the credential.
-p, --period INTEGER            Number of seconds a TOTP code is valid.
[default: 30]
-t, --touch                     Require touch on YubiKey to generate code.
-f, --force                     Confirm the action without prompting.
-h, --help                      Show this message and exit.

ykman oath code

Usage:

 ykman oath code [OPTIONS] [QUERY]

Description:

Generate codes.

Generate codes from credentials stored on your YubiKey. Provide a query

string to match one or more specific credentials. Touch and HOTP

credentials require a single match to be triggered.

Options:

-H, --show-hidden  Include hidden credentials.
-s, --single       Ensure only a single match, and output only the code.
-h, --help         Show this message and exit.
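
The codes that `ykman oath code` prints for a credential added with `ykman oath add` are standard OATH values: HOTP (RFC 4226) for counter-based credentials and TOTP (RFC 6238) for time-based ones, with the digits, algorithm and period chosen at `add` time. The following Python is an added illustration written for this manual, not code from ykman, that computes the same codes on the host from the same inputs, so a key's output can be cross-checked or a host-side verifier built. The base32 handling accepts the lower-case, unpadded form the manual's example secret `f5up4ub3dw` uses; the `verify_totp` helper with its `skew` parameter is this example's own design, and the test vectors it is checked against are the RFCs' own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Hash functions selectable with `ykman oath add --algorithm`.
_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_b32_secret(secret: str) -> bytes:
    """Decode a base32 secret as typed on the ykman command line.

    Accepts lower case and embedded spaces and supplies the '=' padding that
    Python's decoder insists on; the manual's 10-character 'f5up4ub3dw'
    carries 50 bits and decodes to 6 bytes.
    """
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if digits not in (6, 7, 8):
        raise ValueError("ykman allows 6, 7 or 8 digits")
    mac = hmac.new(key, struct.pack(">Q", counter), _ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if at is None else at
    return hotp(key, int(now // period), digits, algorithm)


def verify_totp(key: bytes, code: str, at: Optional[float] = None, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", skew: int = 1) -> bool:
    """Host-side check tolerating +/- `skew` periods of clock drift, compared in constant time."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(key, now + i * period, period, digits, algorithm), code)
        for i in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    key = parse_b32_secret("f5up4ub3dw")  # the manual's example secret
    print("TOTP now:", totp(key), " HOTP at counter 0:", hotp(key, 0))
```

The YubiKey never releases a secret once it has been loaded, so this code is useful at enrolment time (to confirm that the device and a verifier agree before the secret is discarded from the host) and on the verifier side, not as a replacement for the key.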

ykman oath delete

Usage:

 ykman oath delete [OPTIONS] QUERY

Description:

Delete a credential.

Delete a credential from your YubiKey. Provide a query string to match the

credential to delete.

Options:

-f, --force  Confirm deletion without prompting.
-h, --help   Show this message and exit.

ykman oath info

Usage:

 ykman oath info [OPTIONS]

Description:

Display status of OATH application.

Options:

-h, --help  Show this message and exit.

ykman oath list

Usage:

 ykman oath list [OPTIONS]

Description:

List all credentials.

List all credentials stored on your YubiKey.

Options:

-H, --show-hidden  Include hidden credentials.
-o, --oath-type    Display the OATH type.
-p, --period       Display the period.
-h, --help         Show this message and exit.

ykman oath remember-password

Usage:

 ykman oath remember-password [OPTIONS]

Description:

Manage local password storage.

Store your YubiKey's password on this computer to avoid having to enter it

on each use, or delete stored passwords.

Options:

-F, --forget     Forget a password.
-c, --clear-all  Remove all stored passwords from this computer.
-h, --help       Show this message and exit.

ykman oath reset

Usage:

 ykman oath reset [OPTIONS]

Description:

Reset all OATH data.

This action will wipe all credentials and reset factory settings for the

OATH application on the YubiKey.

Options:

-f, --force  Confirm the action without prompting.
-h, --help   Show this message and exit.

ykman oath set-password

Usage:

 ykman oath set-password [OPTIONS]

Description:

Password protect the OATH credentials.

Allows you to set a password that will be required to access the OATH

credentials stored on your YubiKey.

Options:

-c, --clear              Clear the current password.
-n, --new-password TEXT  Provide a new password as an argument.
-r, --remember           Remember the new password on this machine.
-h, --help               Show this message and exit.

ykman oath uri

Usage:

 ykman oath uri [OPTIONS] [URI]

Description:

Add a new credential from URI.

Use a URI to add a new credential to your YubiKey.

Options:

-t, --touch  Require touch on YubiKey to generate code.
-f, --force  Confirm the action without prompting.
-h, --help   Show this message and exit.

ykman openpgp

Usage:

 ykman openpgp [OPTIONS] COMMAND [ARGS]...

Description:

Manage OpenPGP Application.

Examples:

Set the retries for PIN, Reset Code and Admin PIN to 10:

$ ykman openpgp set-retries 10 10 10

Require touch to use the authentication key:

$ ykman openpgp set-touch aut on

Options:

-h, --help  Show this message and exit.

ykman openpgp attest

Usage:

 ykman openpgp attest [OPTIONS] KEY CERTIFICATE

Description:

Generate an attestation certificate for a key.

Attestation is used to show that an asymmetric key was generated on the

YubiKey and therefore doesn't exist outside the device.

KEY Key slot to attest (sig, enc, aut).

CERTIFICATE File to write attestation certificate to. Use '-' to use stdout.

Options:

-P, --pin TEXT          PIN code.
-F, --format [PEM|DER]  Encoding format.  [default: PEM]
-h, --help              Show this message and exit.

ykman openpgp delete-certificate

Usage:

 ykman openpgp delete-certificate [OPTIONS] KEY

Description:

Delete an OpenPGP certificate.

KEY Key slot to delete certificate from (sig, enc, aut, or att).

Options:

-a, --admin-pin TEXT  Admin PIN for OpenPGP.
-h, --help            Show this message and exit.

ykman openpgp export-certificate

Usage:

 ykman openpgp export-certificate [OPTIONS] KEY CERTIFICATE

Description:

Export an OpenPGP certificate.

KEY Key slot to read from (sig, enc, aut, or att).

CERTIFICATE File to write certificate to. Use '-' to use stdout.

Options:

-F, --format [PEM|DER]  Encoding format.  [default: PEM]
-h, --help              Show this message and exit.

ykman openpgp import-attestation-key

Usage:

 ykman openpgp import-attestation-key [OPTIONS] PRIVATE-KEY

Description:

Import a private attestation key.

Import a private key for OpenPGP attestation.

PRIVATE-KEY File containing the private key. Use '-' to use stdin.

Options:

-a, --admin-pin TEXT  Admin PIN for OpenPGP.
-h, --help            Show this message and exit.

ykman openpgp import-certificate

Usage:

 ykman openpgp import-certificate [OPTIONS] KEY CERTIFICATE

Description:

Import an OpenPGP certificate.

KEY Key slot to import certificate to (sig, enc, aut, or att).

CERTIFICATE File containing the certificate. Use '-' to use stdin.

Options:

-a, --admin-pin TEXT  Admin PIN for OpenPGP.
-h, --help            Show this message and exit.

ykman openpgp info

Usage:

 ykman openpgp info [OPTIONS]

Description:

Display status of OpenPGP application.

Options:

-h, --help  Show this message and exit.

ykman openpgp reset

Usage:

 ykman openpgp reset [OPTIONS]

Description:

Reset OpenPGP application.

This action will wipe all OpenPGP data, and set all PINs to their default

values.

Options:

-f, --force  Confirm the action without prompting.
-h, --help   Show this message and exit.

ykman openpgp set-pin-retries

Usage:

 ykman openpgp set-pin-retries [OPTIONS] PIN-RETRIES RESET-CODE-RETRIES ADMIN-PIN-RETRIES

Description:

Set PIN, Reset Code and Admin PIN retries.

Options:

-a, --admin-pin TEXT  Admin PIN for OpenPGP.
-f, --force           Confirm the action without prompting.
-h, --help            Show this message and exit.

ykman openpgp set-touch

Usage:

 ykman openpgp set-touch [OPTIONS] KEY POLICY

Description:

Set touch policy for OpenPGP keys.

KEY Key slot to set (sig, enc, aut or att).

POLICY Touch policy to set (on, off, fixed, cached or cached-fixed).

Options:

-a, --admin-pin TEXT  Admin PIN for OpenPGP.
-f, --force           Confirm the action without prompting.
-h, --help            Show this message and exit.

ykman otp

Usage:

 ykman otp [OPTIONS] COMMAND [ARGS]...

Description:

Manage OTP Application.

The YubiKey provides two keyboard-based slots which can each be configured

with a credential. Several credential types are supported.

A slot configuration may be write-protected with an access code. This prevents the configuration from being overwritten unless the access code is provided. Mode switching the YubiKey is not possible when a slot is configured with an access code.

Examples:

Swap the configurations between the two slots:

$ ykman otp swap

Program a random challenge-response credential to slot 2:

$ ykman otp chalresp --generate 2

Program a Yubico OTP credential to slot 1, using the serial as public id:

$ ykman otp yubiotp 1 --serial-public-id

Program a random 38 characters long static password to slot 2:

$ ykman otp static --generate 2 --length 38

Options:

--access-code HEX  A 6 byte access code. Set to empty to use a prompt for
input.
-h, --help         Show this message and exit.

ykman otp calculate

Usage:

 ykman otp calculate [OPTIONS] [1|2] [CHALLENGE]

Description:

Perform a challenge-response operation.

Send a challenge (in hex) to a YubiKey slot with a challenge-response

credential, and read the response. Supports output as an OATH-TOTP code.

Options:

-T, --totp          Generate a TOTP code, use the current time as challenge.
-d, --digits [6|8]  Number of digits in generated TOTP code (default is 6).
-h, --help          Show this message and exit.

ykman otp chalresp

Usage:

 ykman otp chalresp [OPTIONS] [1|2] [KEY]

Description:

Program a challenge-response credential.

If KEY is not given, an interactive prompt will ask for it.

Options:

-t, --touch     Require touch on YubiKey to generate response.
-T, --totp      Use a base32 encoded key for TOTP credentials.
-g, --generate  Generate a random secret key. Conflicts with KEY argument.
-f, --force     Confirm the action without prompting.
-h, --help      Show this message and exit.

ykman otp delete

Usage:

 ykman otp delete [OPTIONS] [1|2]

Description:

Deletes the configuration of a slot.

Options:

-f, --force  Confirm the action without prompting.
-h, --help   Show this message and exit.

ykman otp hotp

Usage:

 ykman otp hotp [OPTIONS] [1|2] [KEY]

Description:

Program an HMAC-SHA1 OATH-HOTP credential.

Options:

-d, --digits [6|8]     Number of digits in generated code (default is 6).
-c, --counter INTEGER  Initial counter value.
--no-enter             Don't send an Enter keystroke after outputting the
code.
-f, --force            Confirm the action without prompting.
-h, --help             Show this message and exit.

ykman otp info

Usage:

 ykman otp info [OPTIONS]

Description:

Display status of YubiKey Slots.

Options:

-h, --help  Show this message and exit.

ykman otp ndef

Usage:

 ykman otp ndef [OPTIONS] [1|2]

Description:

Select slot configuration to use for NDEF.

The default prefix will be used if no prefix is specified.

Options:

-p, --prefix TEXT  Added before the NDEF payload. Typically a URI.
-h, --help         Show this message and exit.

ykman otp settings

Usage:

 ykman otp settings [OPTIONS] [1|2]

Description:

Update the settings for a slot.

Change the settings for a slot without changing the stored secret. All

settings not specified will be written with default values.

Options:

-f, --force                Confirm the action without prompting.
-A, --new-access-code HEX  Set a new 6 byte access code for the slot. Set to
empty to use a prompt for input.
--delete-access-code       Remove access code from the slot.
--enter / --no-enter       Should send 'Enter' keystroke after slot output.
[default: True]
-p, --pacing [0|20|40|60]  Throttle output speed by adding a delay (in ms)
between characters emitted.  [default: 0]
--use-numeric-keypad       Use scancodes for numeric keypad when sending
digits. Helps with some keyboard layouts.
[default: False]
-h, --help                 Show this message and exit.

ykman otp static

Usage:

 ykman otp static [OPTIONS] [1|2] [PASSWORD]

Description:

Configure a static password.

To avoid problems with different keyboard layouts, the following

characters are allowed by default: cbdefghijklnrtuv

Use the --keyboard-layout option to allow more characters based on

preferred keyboard layout.

Options:

-g, --generate                  Generate a random password.
-l, --length INTEGER RANGE      Length of generated password.
-k, --keyboard-layout [MODHEX|US|DE|NORMAN]
Keyboard layout to use for the static
password.  [default: MODHEX]
--no-enter                      Don't send an Enter keystroke after
outputting the password.
-f, --force                     Confirm the action without prompting.
-h, --help                      Show this message and exit.

ykman otp swap

Usage:

 ykman otp swap [OPTIONS]

Description:

Swaps the two slot configurations.

Options:

-f, --force  Confirm the action without prompting.
-h, --help   Show this message and exit.

ykman otp yubiotp

Usage:

 ykman otp yubiotp [OPTIONS] [1|2]

Description:

Program a Yubico OTP credential.

Options:

-P, --public-id MODHEX     Public identifier prefix.
-p, --private-id HEX       6 byte private identifier.
-k, --key HEX              16 byte secret key.
--no-enter                 Don't send an Enter keystroke after emitting the
OTP.
-S, --serial-public-id     Use YubiKey serial number as public ID. Conflicts
with --public-id.
-g, --generate-private-id  Generate a random private ID. Conflicts with
--private-id.
-G, --generate-key         Generate a random secret key. Conflicts with
--key.
-u, --upload               Upload credential to YubiCloud (opens in
browser). Conflicts with --force.
-f, --force                Confirm the action without prompting.
-h, --help                 Show this message and exit.
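
Several of the OTP commands share one encoding: the 16-character "modhex" alphabet `cbdefghijklnrtuv`, which is the default character set of `ykman otp static` (chosen because those characters land on the same physical keys across common keyboard layouts) and the encoding of the public ID that `ykman otp yubiotp` takes with --public-id MODHEX or derives with --serial-public-id. The following Python is an added example written for this manual, not code from ykman: a modhex codec, a CSPRNG-backed static password generator like `--generate --length N`, the serial-to-public-ID mapping, and a splitter that takes the public ID off a Yubico OTP so a validator knows which key's record to look up before it decrypts the rest. Two details are assumptions of this example rather than statements of the manual: the 38-character maximum (the manual's largest example) and the exact --serial-public-id layout (bytes ff 00 followed by the 4-byte big-endian serial).

```python
import secrets
import struct
from typing import Tuple

# The modhex alphabet: 16 characters that sit on the same keys on the common
# keyboard layouts, so keystrokes sent by the YubiKey arrive unchanged.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_MODHEX_REV = {c: i for i, c in enumerate(MODHEX_ALPHABET)}
MAX_STATIC_PASSWORD_LENGTH = 38  # the manual's largest example; assumed upper bound


def modhex_encode(data: bytes) -> str:
    """Two modhex characters per byte, high nibble first (0x01 -> 'cb')."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    """Inverse of modhex_encode; ValueError on odd length or a non-modhex character."""
    if len(text) % 2:
        raise ValueError("modhex text must have an even number of characters")
    try:
        nibbles = [_MODHEX_REV[c] for c in text.lower()]
    except KeyError as exc:
        raise ValueError(f"not a modhex character: {exc.args[0]!r}") from None
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def is_modhex(text: str) -> bool:
    """True if the text is non-empty and uses only the default static-password alphabet."""
    return text != "" and all(c in _MODHEX_REV for c in text.lower())


def generate_static_password(length: int) -> str:
    """Random modhex password from the OS CSPRNG, like `ykman otp static --generate --length N`."""
    if not 1 <= length <= MAX_STATIC_PASSWORD_LENGTH:
        raise ValueError(f"length must be between 1 and {MAX_STATIC_PASSWORD_LENGTH}")
    return "".join(secrets.choice(MODHEX_ALPHABET) for _ in range(length))


def public_id_from_serial(serial: int) -> str:
    """Public ID for --serial-public-id (assumed layout: ff 00 + 4-byte big-endian serial)."""
    return modhex_encode(b"\xff\x00" + struct.pack(">I", serial))


def split_yubico_otp(otp: str) -> Tuple[str, bytes]:
    """Split a standard 44-character Yubico OTP into its 12-character public ID
    and the 16-byte encrypted token. The public ID is the only part readable
    before decryption; it selects which key's AES key and counter to use."""
    if len(otp) != 44 or not is_modhex(otp):
        raise ValueError("a Yubico OTP is 44 modhex characters")
    return otp[:12], modhex_decode(otp[12:])


if __name__ == "__main__":
    print("static password:", generate_static_password(38))
    print("public ID for serial 1234567:", public_id_from_serial(1234567))
```

Because modhex is a fixed 1:1 mapping, a generated static password carries exactly 4 bits of entropy per character; the length option, not the alphabet, decides its strength.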

ykman piv

Usage:

 ykman piv [OPTIONS] COMMAND [ARGS]...

Description:

Manage PIV Application.

Examples:

Generate an ECC P-256 private key and a self-signed certificate in

slot 9a:

$ ykman piv generate-key --algorithm ECCP256 9a pubkey.pem

$ ykman piv generate-certificate --subject "yubico" 9a pubkey.pem

Change the PIN from 123456 to 654321:

$ ykman piv change-pin --pin 123456 --new-pin 654321

Reset all PIV data and restore default settings:

$ ykman piv reset

Options:

-h, --help  Show this message and exit.

ykman piv attest

Usage:

 ykman piv attest [OPTIONS] SLOT CERTIFICATE

Description:

Generate an attestation certificate for a key.

Attestation is used to show that an asymmetric key was generated on the

YubiKey and therefore doesn't exist outside the device.

SLOT PIV slot with a private key to attest.

CERTIFICATE File to write attestation certificate to. Use '-' to use stdout.

Options:

-F, --format [PEM|DER]  Encoding format.  [default: PEM]
-h, --help              Show this message and exit.

ykman piv change-management-key

Usage:

 ykman piv change-management-key [OPTIONS]

Description:

Change the management key.

Management functionality is guarded by a 24 byte management key. This key

is required for administrative tasks, such as generating key pairs. A

random key may be generated and stored on the YubiKey, protected by PIN.

Options:

-P, --pin TEXT                 PIN code.
-t, --touch                    Require touch on YubiKey when prompted for
management key.
-n, --new-management-key TEXT  A new management key.
-m, --management-key TEXT      Current management key.
-p, --protect                  Store new management key on your YubiKey,
protected by PIN. A random key will be used
if no key is provided.
-g, --generate                 Generate a random management key. Implied by
--protect unless --new-management-key is also
given. Conflicts with --new-management-key.
-f, --force                    Confirm the action without prompting.
-h, --help                     Show this message and exit.

ykman piv change-pin

Usage:

 ykman piv change-pin [OPTIONS]

Description:

Change the PIN code.

The PIN must be between 6 and 8 characters long, and supports any type of

alphanumeric characters. For cross-platform compatibility, numeric digits

are recommended.

Options:

-P, --pin TEXT      Current PIN code.
-n, --new-pin TEXT  A new PIN.
-h, --help          Show this message and exit.

ykman piv change-puk

Usage:

 ykman piv change-puk [OPTIONS]

Description:

Change the PUK code.

If the PIN is lost or blocked it can be reset using a PUK. The PUK must be

between 6 and 8 characters long, and supports any type of alphanumeric

characters.

Options:

-p, --puk TEXT      Current PUK code.
-n, --new-puk TEXT  A new PUK code.
-h, --help          Show this message and exit.

ykman piv delete-certificate

Usage:

 ykman piv delete-certificate [OPTIONS] SLOT

Description:

Delete a certificate.

Delete a certificate from a slot on the YubiKey.

Options:

-m, --management-key TEXT  The management key.
-P, --pin TEXT             PIN code.
-h, --help                 Show this message and exit.

ykman piv export-certificate

Usage:

 ykman piv export-certificate [OPTIONS] SLOT CERTIFICATE

Description:

Export an X.509 certificate.

Reads a certificate from one of the slots on the YubiKey.

SLOT PIV slot to read certificate from.

CERTIFICATE File to write certificate to. Use '-' to use stdout.

Options:

-F, --format [PEM|DER]  Encoding format.  [default: PEM]
-h, --help              Show this message and exit.

ykman piv generate-certificate

Usage:

 ykman piv generate-certificate [OPTIONS] SLOT PUBLIC-KEY

Description:

Generate a self-signed X.509 certificate.

A self-signed certificate is generated and written to one of the slots on

the YubiKey. A private key needs to exist in the slot.

SLOT PIV slot where private key is stored.

PUBLIC-KEY File containing a public key. Use '-' to use stdin.

Options:

-m, --management-key TEXT  The management key.
-P, --pin TEXT             PIN code.
-s, --subject TEXT         Subject common name (CN) for the certificate.
[required]
-d, --valid-days INTEGER   Number of days until the certificate expires.
[default: 365]
-h, --help                 Show this message and exit.

ykman piv generate-csr

Usage:

 ykman piv generate-csr [OPTIONS] SLOT PUBLIC-KEY CSR

Description:

Generate a Certificate Signing Request (CSR).

A private key needs to exist in the slot.

SLOT PIV slot where the private key is stored.

PUBLIC-KEY File containing a public key. Use '-' to use stdin.

CSR File to write CSR to. Use '-' to use stdout.

Options:

-P, --pin TEXT      PIN code.
-s, --subject TEXT  Subject common name (CN) for the requested certificate.
[required]
-h, --help          Show this message and exit.

ykman piv generate-key

Usage:

 ykman piv generate-key [OPTIONS] SLOT PUBLIC-KEY

Description:

Generate an asymmetric key pair.

The private key is generated on the YubiKey, and written to one of the

slots.

SLOT PIV slot where private key should be stored.

PUBLIC-KEY File containing the generated public key. Use '-' to use stdout.

Options:

-m, --management-key TEXT       The management key.
-P, --pin TEXT                  PIN code.
-a, --algorithm [TDES|RSA1024|RSA2048|ECCP256|ECCP384]
Algorithm to use in key generation.
[default: RSA2048]
-F, --format [PEM|DER]          Encoding format.  [default: PEM]
--pin-policy [DEFAULT|NEVER|ONCE|ALWAYS]
PIN policy for slot.
--touch-policy [DEFAULT|NEVER|ALWAYS|CACHED]
Touch policy for slot.
-h, --help                      Show this message and exit.

ykman piv import-certificate

Usage:

 ykman piv import-certificate [OPTIONS] SLOT CERTIFICATE

Description:

Import an X.509 certificate.

Write a certificate to one of the slots on the YubiKey.

SLOT PIV slot to import the certificate to.

CERTIFICATE File containing the certificate. Use '-' to use stdin.

Options:

-m, --management-key TEXT  The management key.
-P, --pin TEXT             PIN code.
-p, --password TEXT        A password may be needed to decrypt the data.
-v, --verify               Verify that the certificate matches the private
key in the slot.
-h, --help                 Show this message and exit.

ykman piv import-key

Usage:

 ykman piv import-key [OPTIONS] SLOT PRIVATE-KEY

Description:

Import a private key.

Write a private key to one of the slots on the YubiKey.

SLOT PIV slot to import the private key to.

PRIVATE-KEY File containing the private key. Use '-' to use stdin.

Options:

-P, --pin TEXT                  PIN code.
-m, --management-key TEXT       The management key.
--pin-policy [DEFAULT|NEVER|ONCE|ALWAYS]
PIN policy for slot.
--touch-policy [DEFAULT|NEVER|ALWAYS|CACHED]
Touch policy for slot.
-p, --password TEXT             Password used to decrypt the private key.
-h, --help                      Show this message and exit.

ykman piv info

Usage:

 ykman piv info [OPTIONS]

Description:

Display status of PIV application.

Options:

-h, --help  Show this message and exit.

ykman piv read-object

Usage:

 ykman piv read-object [OPTIONS] OBJECT-ID

Description:

Read arbitrary PIV object.

Read PIV object by providing the object id.

OBJECT-ID Id of PIV object in HEX.

Options:

-P, --pin TEXT  PIN code.
-h, --help      Show this message and exit.

ykman piv reset

Usage:

 ykman piv reset [OPTIONS]

Description:

Reset all PIV data.

This action will wipe all data and restore factory settings for the PIV

application on your YubiKey.

Options:

-f, --force  Confirm the action without prompting.
-h, --help   Show this message and exit.

ykman piv set-ccc

Usage:

 ykman piv set-ccc [OPTIONS]

Description:

Generate and set a CCC on the YubiKey.

Options:

-P, --pin TEXT             PIN code.
-m, --management-key TEXT  The management key.
-h, --help                 Show this message and exit.

ykman piv set-chuid

Usage:

 ykman piv set-chuid [OPTIONS]

Description:

Generate and set a CHUID on the YubiKey.

Options:

-P, --pin TEXT             PIN code.
-m, --management-key TEXT  The management key.
-h, --help                 Show this message and exit.

ykman piv set-pin-retries

Usage:

 ykman piv set-pin-retries [OPTIONS] PIN-RETRIES PUK-RETRIES

Description:

Set the number of PIN and PUK retries. NOTE: This will reset the PIN and

PUK to their factory defaults.

Options:

-m, --management-key TEXT  The management key.
-P, --pin TEXT             PIN code.
-f, --force                Confirm the action without prompting.
-h, --help                 Show this message and exit.

ykman piv unblock-pin

Usage:

 ykman piv unblock-pin [OPTIONS]

Description:

Unblock the PIN.

Reset the PIN using the PUK code.

Options:

-p, --puk TEXT
-n, --new-pin NEW-PIN
-h, --help             Show this message and exit.

ykman piv write-object

Usage:

 ykman piv write-object [OPTIONS] OBJECT-ID DATA

Description:

Write an arbitrary PIV object.

Write a PIV object by providing the object id. Yubico writable PIV objects

are available in the range 5f0000 - 5fffff.

OBJECT-ID Id of PIV object in HEX.

DATA File containing the data to be written. Use '-' to use stdin.

Options:

-P, --pin TEXT             PIN code.
-m, --management-key TEXT  The management key.
-h, --help                 Show this message and exit.
