* Invoking gnutls-serv::
* Invoking psktool::
* Invoking srptool::
+* Invoking p11tool::
@end menu
@node Invoking certtool
@end example
@end itemize
+
+@node Invoking p11tool
+@section Invoking p11tool
+@anchor{p11tool}
+@cindex p11tool
+
+The @file{p11tool} is a program that helps with accessing tokens
+and security modules that support the PKCS #11 API. It requires
+the individual PKCS #11 modules to be loaded either with the
+@code{--provider} option, or by setting up the GnuTLS configuration
+file for PKCS #11 as in @ref{sec:pkcs11}.
+
+@verbatim
+p11tool help
+Usage: p11tool [options]
+
+ --export URL Export an object specified by a pkcs11
+ URL
+ --list-tokens List all available tokens
+ --list-mechanisms URL List all available mechanisms in token.
+ --list-all List all objects specified by a PKCS#11
+ URL
+ --list-all-certs List all certificates specified by a
+ PKCS#11 URL
+ --list-certs List certificates that have a private
+ key specified by a PKCS#11 URL
+ --list-privkeys List private keys specified by a
+ PKCS#11 URL
+ --list-trusted List certificates marked as trusted,
+ specified by a PKCS#11 URL
+ --initialize URL Initializes a PKCS11 token.
+ --write URL Writes loaded certificates, private or
+ secret keys to a PKCS11 token.
+ --delete URL Deletes objects matching the URL.
+ --label label Sets a label for the write operation.
+ --trusted Marks the certificate to be imported as
+ trusted.
+ --login Force login to token
+ --detailed-url Export detailed URLs.
+ --no-detailed-url Export less detailed URLs.
+ --secret-key HEX_KEY Provide a hex encoded secret key.
+ --load-privkey FILE Private key file to use.
+ --load-pubkey FILE Private key file to use.
+ --load-certificate FILE
+ Certificate file to use.
+ -8, --pkcs8 Use PKCS #8 format for private keys.
+ --inder Use DER format for input certificates
+ and private keys.
+ --inraw Use RAW/DER format for input
+ certificates and private keys.
+ --provider Library Specify the pkcs11 provider library
+ --outfile FILE Output file.
+ -d, --debug LEVEL specify the debug level. Default is 1.
+ -h, --help shows this help text
+@end verbatim
+
+After being provided the available PKCS #11 modules, it can list all tokens
+available in your system, the objects on the tokens, and perform operations
+on them.
+
+Some examples on how to use p11tool:
+
+@itemize
+
+@item List all tokens
+@example
+$ p11tool --list-tokens
+@end example
+
+@item List all objects
+@example
+$ p11tool --login --list-all
+@end example
+
+@item To export an object
+@example
+$ p11tool --login --export pkcs11:(OBJECT URL)
+@end example
+
+@item To copy an object to a token
+@example
+$ p11tool --login --write pkcs11:(TOKEN URL) --load-certificate (certificate file) --label "my_cert"
+@end example
+
+@end itemize
+
+Note that typically PKCS #11 private key objects are not allowed
+to be extracted from the token.
+