PIVKey Tool Commands

The PIVKeyTool is a command line tool that is provided in the PIVKey Admin Tools download.  To use it, open a Command Prompt window and navigate to the directory where the PIVKey Admin Tools were installed.  The default is C:\Program Files (x86)\PIVKey Installer\PIVKey Admin Tools.

Type cd C:\Program Files (x86)\PIVKey Installer\PIVKey Admin Tools and press Enter to navigate there.

Type pivkeytool --help to display information about all the PIVKeyTool options.

Below are some examples of how to use the PIVKeyTool.  They use the default User PIN 000000 and the default Admin Key 000000000000000000000000000000000000000000000000, and change each default from zeros to ones.  Sample output for other commands is provided at the bottom of this article.

Examples:

To change the User PIN type:  pivkeytool --changepin "111111" --userpin "000000"

To change the Admin Key type:  pivkeytool --changeadminkey "111111111111111111111111111111111111111111111111" --adminkey "000000000000000000000000000000000000000000000000"

To map the first four certificates to the PIV slots (see article for details on the default mapping) type:
pivkeytool --mapdefault --userpin "000000"

PIVKeyTool Options: [screenshot: PIVKeyToolCommands.PNG]

Sample Output:

In the example below, there are six certificates on the card.  The Tester Pivkeys are names of example users that requested the certificates.  The kxc and ksc numbers are the certificate IDs.  The kxc certificates are logon certificates and the ksc certificates are signing certificates.

  • pivkeytool --listmd

Reader: OMNIKEY AG Smart Card Reader USB 0
Card ATR: 3B FC 18 00 00 81 31 80 45 90 67 46 4A 00 64 16 06 F2 72 7E 00 E0
Card protocol: T1
Card module: tagliov70p.dll

List C2 Certificates:
kxc00 Tester1 Pivkey
ksc01 Tester1 Pivkey
ksc02 Tester1 Pivkey
kxc03 Tester2 Pivkey
ksc04 Tester2 Pivkey
kxc05 Tester3 Pivkey

Next, we will use the default mapping command to map the first four certificates to PIV slots 9E, 9A, 9C, and 9D in that order.  This is the default mapping.

  • pivkeytool --mapdefault --userpin "000000"

Reader: OMNIKEY AG Smart Card Reader USB 0
Card ATR: 3B FC 18 00 00 81 31 80 45 90 67 46 4A 00 64 16 06 F2 72 7E 00 E0
Card protocol: T1
Card module: tagliov70p.dll
Userpin verified.
Cleared Piv Certificate mappings.
Starting default certificate mapping.
Default certificate mapping complete.

This command shows the PIV slot mappings and we can verify that the results of the mapdefault option are as expected.

  • pivkeytool --listpiv

Reader: OMNIKEY AG Smart Card Reader USB 0
Card ATR: 3B FC 18 00 00 81 31 80 45 90 67 46 4A 00 64 16 06 F2 72 7E 00 E0
Card protocol: T1
Card module: tagliov70p.dll

List Piv Certificate Mappings:
PivCert9A mapped to ksc01
PivCert9C mapped to ksc02
PivCert9D mapped to kxc03
PivCert9E mapped to kxc00

Mapping one PIV slot is shown below.

  • pivkeytool --mappiv9a kxc05 --userpin "000000"

Reader: OMNIKEY AG Smart Card Reader USB 0
Card ATR: 3B FC 18 00 00 81 31 80 45 90 67 46 4A 00 64 16 06 F2 72 7E 00 E0
Card protocol: T1
Card module: tagliov70p.dll
Userpin verified.
Piv9a mapping complete.

Finally, we show the new mapping of slot 9A.

  • pivkeytool --listpiv

Reader: OMNIKEY AG Smart Card Reader USB 0
Card ATR: 3B FC 18 00 00 81 31 80 45 90 67 46 4A 00 64 16 06 F2 72 7E 00 E0
Card protocol: T1
Card module: tagliov70p.dll

List Piv Certificate Mappings:
PivCert9A mapped to kxc05
PivCert9C mapped to ksc02
PivCert9D mapped to kxc03
PivCert9E mapped to kxc00
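
An added example, not part of the PIVKey article or the tool itself: a Python check that parses saved --listmd and --listpiv output and reports any slot that differs from the default mapping (first four certificates onto 9E, 9A, 9C, 9D). The function names are hypothetical and the line formats are assumed from the sample output above.

```python
import re

# Slot order applied by --mapdefault, as stated in the article.
DEFAULT_SLOT_ORDER = ["9E", "9A", "9C", "9D"]
# Line formats assumed from the article's sample output.
CERT_LINE = re.compile(r"^(k[xs]c\d+)\s+\S")
MAP_LINE = re.compile(r"^PivCert([0-9A-Fa-f]{2}) mapped to (k[xs]c\d+)$")

def parse_listmd(text):
    """Certificate IDs, in card order, from --listmd output."""
    hits = (CERT_LINE.match(line.strip()) for line in text.splitlines())
    return [m.group(1) for m in hits if m]

def parse_listpiv(text):
    """{slot: certificate ID} from --listpiv output."""
    hits = (MAP_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1).upper(): m.group(2) for m in hits if m}

def audit(listmd_text, listpiv_text):
    """Return (drift, unknown) for a card's slot mapping."""
    certs = parse_listmd(listmd_text)
    actual = parse_listpiv(listpiv_text)
    expected = dict(zip(DEFAULT_SLOT_ORDER, certs))
    # drift: slot -> (default ID, mapped ID) where the two differ
    drift = {s: (expected.get(s), actual.get(s))
             for s in DEFAULT_SLOT_ORDER if expected.get(s) != actual.get(s)}
    # unknown: mapped IDs that --listmd did not report on the card
    unknown = sorted(set(actual.values()) - set(certs))
    return drift, unknown

# Sample output copied from the article (reader header lines trimmed).
LISTMD = """List C2 Certificates:
kxc00 Tester1 Pivkey
ksc01 Tester1 Pivkey
ksc02 Tester1 Pivkey
kxc03 Tester2 Pivkey
ksc04 Tester2 Pivkey
kxc05 Tester3 Pivkey
"""
LISTPIV_AFTER_9A = """List Piv Certificate Mappings:
PivCert9A mapped to kxc05
PivCert9C mapped to ksc02
PivCert9D mapped to kxc03
PivCert9E mapped to kxc00
"""

if __name__ == "__main__":
    print(audit(LISTMD, LISTPIV_AFTER_9A))
```

Run against the listing taken after --mappiv9a, it reports slot 9A as the only departure from the default mapping.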
