1: .TH "PKI \-\-GEN" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
2: .
3: .SH "NAME"
4: .
pki \-\-gen \- Generate a new private key
6: .
7: .SH "SYNOPSIS"
8: .
9: .SY pki\ \-\-gen
10: .OP \-\-type type
11: .OP \-\-size bits
12: .OP \-\-safe\-primes
13: .OP \-\-shares n
14: .OP \-\-threshold l
15: .OP \-\-outform encoding
16: .OP \-\-debug level
17: .YS
18: .
19: .SY pki\ \-\-gen
20: .BI \-\-options\~ file
21: .YS
22: .
23: .SY "pki \-\-gen"
24: .B \-h
25: |
26: .B \-\-help
27: .YS
28: .
29: .SH "DESCRIPTION"
30: .
This sub-command of
.BR pki (1)
is used to generate a new private key. RSA, ECDSA, Ed25519, Ed448 and BLISS
keys are supported (see
.B \-\-type
below). The key is written to standard output in the encoding selected with
.BR \-\-outform .
34: .
35: .SH "OPTIONS"
36: .
37: .TP
38: .B "\-h, \-\-help"
39: Print usage information with a summary of the available options.
40: .TP
41: .BI "\-v, \-\-debug " level
42: Set debug level, default: 1.
43: .TP
44: .BI "\-+, \-\-options " file
45: Read command line options from \fIfile\fR.
46: .TP
47: .BI "\-t, \-\-type " type
48: Type of key to generate. Either \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR,
49: \fIed448\fR or \fIbliss\fR, defaults to \fIrsa\fR.
50: .TP
51: .BI "\-s, \-\-size " bits
Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
For \fIecdsa\fR only three values are currently supported: 256, 384 and 521,
selecting the NIST P-256, P-384 and P-521 curves respectively. For
\fIed25519\fR and \fIed448\fR the key size is fixed by the algorithm.
54: .TP
55: .BI "\-p, \-\-safe\-primes"
Generate RSA safe primes, i.e. primes \fIp\fR for which (\fIp\fR\-1)/2 is also
prime. Finding such primes is considerably slower than generating ordinary
RSA primes.
57: .TP
58: .BI "\-f, \-\-outform " encoding
Encoding of the generated private key. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
62: .PP
63: .SS "RSA Threshold Cryptography"
64: .TP
.BI "\-n, \-\-shares " n
Number of private RSA key shares to generate.
.TP
.BI "\-l, \-\-threshold " l
Minimum number of participating RSA key shares, i.e. how many of the \fIn\fR
shares are needed to perform a private key operation. Must not exceed
.BR \-\-shares .
70: .
71: .SH "PROBLEMS ON HOSTS WITH LOW ENTROPY"
72: .
73: If the
74: .I gmp
75: plugin is used to generate RSA private keys the key material is read from
76: .I /dev/random
77: (via the
78: .I random
79: plugin). Therefore, the command may block if the system's entropy pool is empty.
80: To avoid this, either use a hardware random number generator to feed
81: .I /dev/random
82: or use OpenSSL (via the
83: .I openssl
plugin or the command line) which is less strict with regard to the quality of
85: the key material (it reads from
86: .I /dev/urandom
87: if necessary). It is also possible to configure the devices used by the
88: .I random
89: plugin in
90: .BR strongswan.conf (5).
91: Setting
92: .B libstrongswan.plugins.random.random
93: to
94: .I /dev/urandom
95: forces the plugin to treat bytes read from
96: .I /dev/urandom
as high grade random data, thus avoiding the blocking. Of course, this doesn't
change the fact that the key material generated this way is of lower quality.
Whether blocking is an issue at all also depends on the kernel: on Linux 5.6
and later,
.I /dev/random
no longer blocks once the pool has been initialized at boot, so the problem is
mostly confined to older kernels and to key generation very early in the boot
process.
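.PP
The same setting written out in the nested section syntax that
.BR strongswan.conf (5)
uses. This is an added illustration, not a fragment shipped with strongSwan;
the only key it relies on is the
.B libstrongswan.plugins.random.random
setting named above, and the comment about quality restates the caveat given
there.

```conf
# Added example: strongswan.conf fragment equivalent to the dotted setting
#   libstrongswan.plugins.random.random = /dev/urandom
# Each component of the dotted name becomes a nested section.
libstrongswan {
    plugins {
        random {
            # Make the random plugin treat /dev/urandom as its "high grade"
            # source so that pki --gen never blocks on an empty entropy pool.
            # As noted above, this trades blocking for key material that the
            # plugin would otherwise have considered lower quality.
            random = /dev/urandom
        }
    }
}
```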
100: .
101: .SH "EXAMPLES"
102: .
103: .TP
104: .B pki \-\-gen \-\-size 3072 > rsa_key.der
105: Generates a 3072-bit RSA private key.
106: .
107: .TP
108: .B pki \-\-gen \-\-type ecdsa \-\-size 256 > ecdsa_key.der
109: Generates a 256-bit ECDSA private key.
110: .
111: .SH "SEE ALSO"
112: .
113: .BR pki (1)