OPTIONS
--reader arg, -r arg
Number of the reader to use. By default, the first reader
with a present card is used. If arg is an ATR, the reader with a
matching card will be chosen.
--wait, -w
Causes dtrust-tool to wait for the token to be
inserted into reader.
--verify-can
D-Trust Card 5 comes with a Card Access Number (CAN)
printed onto the card. The purpose of this number is to establish a secure
communication channel between the card and the card reader. In normal
operation dtrust-tool automatically prompts for the CAN when necessary.
Under certain circumstances dtrust-tool cannot decide whether the CAN is
necessary.
• You may call dtrust-tool with just this option to
force a CAN verification, which saves the CAN into the cache if it proves
correct. Once the CAN is saved in the cache, you do not need to enter the CAN
of this card again.
• If you entered a transport PIN incorrectly two
times, the transport PIN is suspended. You need this parameter together with
--unlock-transport-protection to resume the suspended transport PIN for
a last attempt. Failing to enter the transport PIN successfully blocks the
transport PIN. You then need to unblock the transport PIN with
--unblock-pin.
--enter-can
There are several ways to provide a CAN. See the dtrust
section in the opensc.conf manpage for details. With this parameter
dtrust-tool will prompt interactively for a CAN, bypassing all other
sources. This is useful if you:
• enter the CAN for the first time and want it to
be saved in the CAN cache
• want to bypass the PIN pad of the card reader.
Bypassing the PIN pad will save the CAN into the cache as well.
Once the CAN is cached, you do not need this parameter
anymore.
--pin-status, -s
Show the status of the various PINs. The Card Holder PIN
is used for advanced signatures and decryption. It is only defined for
signature cards, but not for sealing cards. The signature PIN is used for
qualified signatures. It can only be used if it is unlocked by presenting the
Transport PIN. Once the Transport PIN is used, it cannot be used anymore. The
PUK is used to unlock a PIN that has been entered incorrectly several
times.
--check-transport-protection, -c
In the delivery state the card is locked by a so-called
transport protection. This option lets you check whether the transport
protection is still in force. The Signature PIN can only be used if the
transport protection is removed.
Initially the transport protection should be intact. If you
receive a new card and the transport protection was already broken, don't
use that card and contact the producer for further advice.
If you removed the transport protection, it is normal that
dtrust-tool reports the transport protection as broken. This is the
normal operation state. It does not mean your card is broken.
--unlock-transport-protection, -u
This command removes the transport protection. It first
queries the Transport PIN and then the new value of the Signature PIN
twice.
--change-pin
Change the specified PIN. The following PINs can be
changed:
• For D-Trust Card 4: PIN.CH, PIN.QES, PUK.CH
• For D-Trust Card 5: PIN.QES, PIN.AUT,
PUK.CH
It is not recommended to change the PUK.
To change a PIN, you first have to enter the old PIN and then the
new PIN value two times.
--change-verify
This option specifies the PIN to verify for changing the
PIN specified with the --change-pin command. The only useful
application of this option is to reset the cardholder PIN (PIN.CH) of D-Trust
4.1 cards by providing the cardholder PUK (PUK.CH). In all other cases, a PIN
may only be changed by providing its current value.
--resume-pin
Resume a suspended PIN. This matters only for the PUK
(PUK.CH) of D-Trust 5 cards. After two unsuccessful attempts to verify the
PUK, the PUK is suspended. To resume the suspended PUK you first have to input
the CAN and then the value of the suspended PUK. If you enter the wrong PUK
again, the PUK is finally blocked and cannot be recovered.
To resume a suspended transport PIN use
--unlock-transport-protection together with --can.
--unblock-pin
Reset the retry counter of a PIN to its default value. To
unblock a PIN, you first have to provide the PUK. The following PINs can be
unblocked:
• For D-Trust Card 4: PIN.T, PIN.CH, PIN.QES
• For D-Trust Card 5: PIN.T, PIN.T.AUT, PIN.QES,
PIN.AUT
It is impossible to unblock a blocked PUK.
Please keep in mind that the PUK may only be used a limited number
of times (48 times for D-Trust Card 4 and 5).
--help, -h
Print help message on screen.
--verbose, -v
Causes dtrust-tool to be more verbose. Specify
this flag several times to enable debug output in the opensc library.
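The transport PIN states described under --verify-can, --unlock-transport-protection and --unblock-pin, as a small model that maps each state to the option the text names for it. This is an added example, not part of dtrust-tool or OpenSC; the class, its method names and the sample PIN are hypothetical, and it assumes that an attempt without the CAN on a suspended PIN is refused without consuming a try and that only a blocked PIN is unblocked.

```python
from dataclasses import dataclass

PUK_USES = 48  # from the text: PUK usable 48 times on D-Trust Card 4 and 5

@dataclass
class TransportPin:
    """Toy model of the Card 5 transport PIN states described above."""
    secret: str                    # constructed sample value, not a real PIN
    state: str = "active"          # active | suspended | blocked | used
    wrong: int = 0
    puk_uses_left: int = PUK_USES

    def options(self):
        """dtrust-tool options the text names for the current state."""
        return {
            "active": ["--unlock-transport-protection"],
            "suspended": ["--verify-can", "--unlock-transport-protection"],
            "blocked": ["--unblock-pin"],
            "used": [],
        }[self.state]

    def present(self, pin, can_verified=False):
        """One unlock attempt; returns the resulting state."""
        if self.state in ("blocked", "used"):
            return self.state              # no attempt possible
        if self.state == "suspended" and not can_verified:
            return self.state              # assumption: refused, no try consumed
        if pin == self.secret:
            self.state = "used"            # a transport PIN works only once
        elif self.state == "suspended":
            self.state = "blocked"         # last attempt failed
        else:
            self.wrong += 1
            if self.wrong == 2:            # two wrong entries suspend the PIN
                self.state = "suspended"
        return self.state

    def unblock(self):
        """--unblock-pin with a correct PUK: reset the retry counter."""
        if self.state != "blocked" or self.puk_uses_left == 0:
            return False                   # assumption: only a blocked PIN is unblocked
        self.puk_uses_left -= 1
        self.state, self.wrong = "active", 0
        return True
```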