Hidden Commands
The commands described here are listed when you run the command ykman --full-help.
ykman apdu [OPTIONS] [APDU]
Execute arbitrary Application Protocol Data Units (APDUs). Provide APDUs as a hex encoded, space-separated list using the following syntax: [CLA]INS[P1P2][:DATA][/LE][=EXPECTED_SW]
If not provided, CLA, P1 and P2 are all set to zero. Setting EXPECTED_SW causes the command to check the response SW and fail if it differs. "=" can be used as shorthand for "=9000" (SW=OK).
Examples
Select the OATH application, send a LIST instruction (0xA1), and make sure we get sw=9000 (these are equivalent):
$ ykman apdu a40400:a000000527210101=9000 a1=9000
or
$ ykman apdu -a oath a1=
Factory reset the OATH application:
$ ykman apdu -a oath 04dead
or
$ ykman apdu a40400:a000000527210101 04dead
or (using full-apdu mode)
$ ykman apdu -s 00a4040008a000000527210101 -s 0004dead
Get 8 random bytes from the OpenPGP application:
$ ykman apdu -a openpgp 84/08=
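The examples above show the same APDU written in the short syntax and in full-apdu mode. The following added example (not ykman's own parser) implements the documented grammar [CLA]INS[P1P2][:DATA][/LE][=EXPECTED_SW], applies the stated defaults (CLA, P1, P2 default to zero; a bare "=" means "=9000"), and encodes the result as a short ISO 7816-4 APDU so that the output can be compared with the full-apdu strings on the page. The regular expression, the Apdu class and check_response are this example's own names; the response bytes in the usage section are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar quoted from the ykman help text: [CLA]INS[P1P2][:DATA][/LE][=EXPECTED_SW]
# The regex is this example's own; it is not taken from ykman's source.
_APDU_RE = re.compile(
    r"^(?P<cla>[0-9a-f]{2})?"
    r"(?P<ins>[0-9a-f]{2})"
    r"(?P<p1p2>[0-9a-f]{4})?"
    r"(?::(?P<data>(?:[0-9a-f]{2})+))?"
    r"(?:/(?P<le>[0-9a-f]{2}))?"
    r"(?P<check>=(?P<sw>[0-9a-f]{4})?)?$",
    re.IGNORECASE,
)


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]           # expected response length, None if absent
    expected_sw: Optional[int]  # status word to require, None if unchecked

    def to_bytes(self) -> bytes:
        """Encode as a short ISO 7816-4 APDU: CLA INS P1 P2 [Lc DATA] [Le]."""
        if len(self.data) > 255:
            raise ValueError("short APDU data field is limited to 255 bytes")
        apdu = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            apdu += bytes([len(self.data)]) + self.data
        if self.le is not None:
            apdu += bytes([self.le])
        return apdu


def parse_apdu(text: str) -> Apdu:
    """Parse one space-separated token of the ykman apdu syntax."""
    m = _APDU_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid APDU spec: {text!r}")
    p1p2 = m.group("p1p2") or "0000"   # omitted P1/P2 default to zero
    expected_sw = None
    if m.group("check") is not None:   # "=" alone is shorthand for "=9000"
        expected_sw = int(m.group("sw") or "9000", 16)
    return Apdu(
        cla=int(m.group("cla") or "00", 16),  # omitted CLA defaults to zero
        ins=int(m.group("ins"), 16),
        p1=int(p1p2[:2], 16),
        p2=int(p1p2[2:], 16),
        data=bytes.fromhex(m.group("data") or ""),
        le=int(m.group("le"), 16) if m.group("le") else None,
        expected_sw=expected_sw,
    )


def check_response(response: bytes, expected_sw: Optional[int]) -> bytes:
    """Split a response into data + SW and enforce EXPECTED_SW when it is set."""
    if len(response) < 2:
        raise ValueError("response shorter than a status word")
    data, sw = response[:-2], int.from_bytes(response[-2:], "big")
    if expected_sw is not None and sw != expected_sw:
        raise RuntimeError(f"SW={sw:04X}, expected {expected_sw:04X}")
    return data


if __name__ == "__main__":
    # The specs from the page's examples, encoded the way full-apdu mode writes them.
    for spec in ["a40400:a000000527210101=9000", "a1=", "04dead", "84/08="]:
        a = parse_apdu(spec)
        sw = "none" if a.expected_sw is None else f"{a.expected_sw:04X}"
        print(f"{spec:32} -> {a.to_bytes().hex()}  expect SW {sw}")
    # Constructed response: two data bytes followed by SW 9000.
    print(check_response(bytes.fromhex("12349000"), 0x9000).hex())
```

Running the block prints 00a4040008a000000527210101 for the SELECT and 0004dead for the reset, matching the -s forms given above, and 0084000008 for the OpenPGP GET CHALLENGE with Le=8. The backtracking in the regex is what lets a four-hex-digit header mean CLA INS while a six-digit header means INS P1 P2, which is how the page's a40400 and 04dead tokens are read.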
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-a, --app [otp|management|openpgp|oath|piv|fido|hsmauth|secure-domain] | Select application. |
-s, --send-apdu TEXT | Provide full APDUs. |
--short | Force usage of short APDUs. |
-x, --no-pretty | Print only the hex output of a response. |
ykman sd [OPTIONS] COMMAND [ARGS]
Manage the Security Domain (SD) application, which holds keys for Secure Copy Protocol (SCP).
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
Commands
Command | Description |
---|---|
info | List keys in the Security Domain of the YubiKey. |
keys | Manage SCP keys. |
reset | Reset all Security Domain data. |
ykman sd info [OPTIONS]
List keys in the Security Domain of the YubiKey.
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
ykman sd keys [OPTIONS] COMMAND [ARGS]
Manage SCP keys.
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
Commands
Command | Description |
---|---|
delete | Delete a key or keyset. |
export | Export certificate chain for a key. |
generate | Generate an asymmetric key pair. |
import | Import a key or certificate. |
set-allowlist | Set an allowlist of certificate serial numbers for a key. |
ykman sd keys delete [OPTIONS] KID KVN
Deletes the key or keyset with the given Key ID (KID) and Key Version Number (KVN). Set either KID or KVN to 0 to use it as a wildcard and delete all keys matching the specific KID or KVN.
Arguments
Argument | Description |
---|---|
KID KVN | Key reference for the key to delete. |
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-f, --force | Confirm the action without prompting. |
ykman sd keys export [OPTIONS] KID KVN OUTPUT
Export certificate chain for a key.
Arguments
Argument | Description |
---|---|
KID KVN | Key reference for the certificate chain to output. |
OUTPUT | File to write the certificate chain to. Use '-' to use stdout. |
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
ykman sd keys generate [OPTIONS] KID KVN PUBLIC-KEY
Generate an asymmetric key pair. The private key is generated on the YubiKey, and written to one of the slots.
Arguments
Argument | Description |
---|---|
KID KVN | Key reference for the new key. |
PUBLIC-KEY | File containing the generated public key. Use '-' to use stdout. |
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-r, --replace-kvn INTEGER | Replace an existing key of the same type and the same KID. |
ykman sd keys import [OPTIONS] KID KVN INPUT
Import a key or certificate.
KID 0x01 expects the input to be a ":"-separated triple of K-ENC:K-MAC:K-DEK.
KID 0x11, 0x13, 0x15 expect the input to be a file containing a private key and (optionally) a certificate chain.
KID 0x10, 0x20-0x2F expect the file to contain a CA-KLOC certificate.
Arguments
Argument | Description |
---|---|
KID KVN | Key reference for the new key. |
INPUT | SCP03 keyset, or input file. Use '-' to use stdout. |
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-p, --password TEXT | Password used to decrypt the file, if needed. |
-r, --replace-kvn INTEGER | Replace an existing key of the same type and the same KID. |
ykman sd keys set-allowlist [OPTIONS] KID KVN [SERIALS]
Set an allowlist of certificate serial numbers for a key.
Each certificate in the chain used when authenticating an SCP11a/c session is checked and rejected if its serial number is not in this allowlist.
Arguments
Argument | Description |
---|---|
KID KVN | Key reference for the allowlist to set. |
SERIALS | Serial numbers of certificates to allow. Separate serial numbers using a space. |
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |