--- /dev/null
+.TH p11tool 1 "November 11th 2010"
+.SH NAME
+p11tool \- Manipulate PKCS #11 tokens.
+.SH SYNOPSIS
+p11tool [\fIoptions\fR]
+.SH DESCRIPTION
+Export/import data from PKCS #11 tokens. To use PKCS #11 tokens with
+gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and
+contain a number of lines of the form "load=/usr/lib/opensc-pkcs11.so".
+.SH OPTIONS
+.SS Program control options
+.IP "\-d, \-\-debug LEVEL"
+Specify the debug level. Default is 1.
+.IP "\-h, \-\-help"
+Shows this help text
+
+.SS Generic options
+.IP "\-\-login"
+Force login to the token for the intended operation.
+.IP "\-\-provider MODULE"
+In addition to /etc/gnutls/pkcs11.conf, load the specified module.
+.IP "\-\-outfile FILE"
+Print output to FILE.
+.IP "\-\-inder, \-\-inraw"
+Input is DER formatted.
+
+.SS Getting information on available X.509 certificates
+.IP "\-\-list\-tokens"
+Prints all available tokens.
+.IP "\-\-initialize URL"
+Initializes (formats) the specified by the URL token. Note that
+several tokens do not support this fascility.
+
+.SS Getting information on available X.509 certificates
+.IP "\-\-list\-all\-certs"
+Prints all available certificates.
+.IP "\-\-list\-certs"
+Prints all certificates that have a corresponding private key stored in the token.
+.IP "\-\-list\-trusted"
+Prints all certificates that have been marked as trusted.
+
+.SS Getting information on private keys
+.IP "\-\-list\-privkeys"
+Prints all available private keys.
+
+.SS Handling generic objects
+.IP "\-\-export URL"
+Exports the object (e.g. certificate) specified by the URL.
+.IP "\-\-delete URL"
+Deletes the object specified by the URL. Note that several tokens do not
+support deletion.
+.IP "\-\-detailed-url"
+When printing URLs print them in a detailed (to the PKCS #11 module used)
+form.
+.IP "\-\-no\-detailed-url"
+When printing URLs, do not print details on the module used.
+
+.SS Storing objects
+.IP "\-\-write URL"
+Flag to set when writing an object. Requires one of \-\-load\-privkey, \-\-load\-pubkey,
+\-\-load\-certificate or \-\-secret\-key options.
+.IP "\-\-load\-privkey"
+Load a private key for the write operations.
+.IP "\-\-load\-pubkey"
+Load an X.509 subjectPublicKey for the write operation.
+.IP "\-\-load\-certificate"
+Load an X.509 certificate for the write operation.
+.IP "\-\-secret\-key"
+Specify a hex encoded secret key for the write operation.
+.IP "\-\-trusted"
+The object stored will be marked as trusted.
+.IP "\-\-label"
+The label of the object stored.
+
+.SS Controlling output
+.IP "\-8, \-\-pkcs8"
+Use PKCS #8 format for private keys.
+
+.SH EXAMPLES
+To store a private key and certificate, run:
+
+.RS
+.nf
+$ p11tool \-\-login \-\-write "pkcs11:XXX" \-\-load-privkey key.pem --label "MyKey"
+$ p11tool \-\-login \-\-write "pkcs11:XXX" \-\-load-certificate cert.pem --label "MyCert"
+.fi
+.RE
+
+To view all objects in a token, use:
+
+.RS
+.nf
+$ p11tool \-\-login \-\-list\-all
+.fi
+.RE
+
+.SH AUTHOR
+.PP
+Nikos Mavrogiannopoulos <nmav@gnutls.org> and others; see
+/usr/share/doc/gnutls\-bin/AUTHORS for a complete list.