The following pktool(1) subcommands specifically support KMF:
Delete objects in the keystore.
Download a CRL or certificate file from an external source.
Export objects from the keystore to a file.
Create a self-signed X.509v3 certificate.
Create a PKCS#10 Certificate Signing Request (CSR) file.
Create a symmetric key in the keystore.
Displays a help message.
Import objects from an external source.
Initialize a PKCS#11 token.
List a summary of objects in the keystore.
Change user authentication passphrase for keystore access.
Sign a PKCS#10 CSR.
List all visible PKCS#11 tokens.