|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
Packit |
5ce601 |
-
|
|
Packit |
5ce601 |
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
Packit |
5ce601 |
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
Packit Service |
704ed8 |
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
Packit |
5ce601 |
-
|
|
Packit |
5ce601 |
- See the COPYRIGHT file distributed with this work for additional
|
|
Packit |
5ce601 |
- information regarding copyright ownership.
|
|
Packit |
5ce601 |
-->
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
|
|
Packit Service |
d3afd5 |
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
|
|
Packit |
5ce601 |
<info>
|
|
Packit |
5ce601 |
<date>2014-01-15</date>
|
|
Packit |
5ce601 |
</info>
|
|
Packit |
5ce601 |
<refentryinfo>
|
|
Packit |
5ce601 |
<corpname>ISC</corpname>
|
|
Packit |
5ce601 |
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
|
|
Packit |
5ce601 |
</refentryinfo>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refmeta>
|
|
Packit |
5ce601 |
<refentrytitle><application>pkcs11-keygen</application></refentrytitle>
|
|
Packit |
5ce601 |
<manvolnum>8</manvolnum>
|
|
Packit Service |
d3afd5 |
<refmiscinfo>BIND9</refmiscinfo>
|
|
Packit |
5ce601 |
</refmeta>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refnamediv>
|
|
Packit |
5ce601 |
<refname><application>pkcs11-keygen</application></refname>
|
|
Packit |
5ce601 |
<refpurpose>generate keys on a PKCS#11 device</refpurpose>
|
|
Packit |
5ce601 |
</refnamediv>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<docinfo>
|
|
Packit |
5ce601 |
<copyright>
|
|
Packit |
5ce601 |
<year>2009</year>
|
|
Packit |
5ce601 |
<year>2014</year>
|
|
Packit |
5ce601 |
<year>2015</year>
|
|
Packit |
5ce601 |
<year>2016</year>
|
|
Packit |
5ce601 |
<year>2017</year>
|
|
Packit |
5ce601 |
<year>2018</year>
|
|
Packit |
5ce601 |
<year>2019</year>
|
|
Packit |
5ce601 |
<year>2020</year>
|
|
Packit |
5ce601 |
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
|
Packit |
5ce601 |
</copyright>
|
|
Packit |
5ce601 |
</docinfo>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsynopsisdiv>
|
|
Packit |
5ce601 |
<cmdsynopsis sepchar=" ">
|
|
Packit |
5ce601 |
<command>pkcs11-keygen</command>
|
|
Packit |
5ce601 |
<arg choice="req" rep="norepeat">-a <replaceable class="parameter">algorithm</replaceable></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-e</option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">id</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-S</option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="req" rep="norepeat">label</arg>
|
|
Packit |
5ce601 |
</cmdsynopsis>
|
|
Packit |
5ce601 |
</refsynopsisdiv>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>DESCRIPTION</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
<command>pkcs11-keygen</command> causes a PKCS#11 device to generate
|
|
Packit |
5ce601 |
a new key pair with the given <option>label</option> (which must be
|
|
Packit |
5ce601 |
unique) and with <option>keysize</option> bits of prime.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>ARGUMENTS</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<variablelist>
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Specify the key algorithm class: Supported classes are RSA,
|
|
Packit |
5ce601 |
DSA, DH, ECC and ECX. In addition to these strings, the
|
|
Packit |
5ce601 |
<option>algorithm</option> can be specified as a DNSSEC
|
|
Packit |
5ce601 |
signing algorithm that will be used with this key; for
|
|
Packit |
5ce601 |
example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
|
|
Packit |
5ce601 |
to ECC, and ED25519 to ECX. The default class is "RSA".
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-b <replaceable class="parameter">keysize</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Create the key pair with <option>keysize</option> bits of
|
|
Packit |
5ce601 |
prime. For ECC keys, the only valid values are 256 and 384,
|
|
Packit |
5ce601 |
and the default is 256. For ECX kyes, the only valid values
|
|
Packit |
5ce601 |
are 256 and 456, and the default is 256.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-e</term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
For RSA keys only, use a large exponent.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-i <replaceable class="parameter">id</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Create key objects with id. The id is either
|
|
Packit |
5ce601 |
an unsigned short 2 byte or an unsigned long 4 byte number.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-m <replaceable class="parameter">module</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Specify the PKCS#11 provider module. This must be the full
|
|
Packit |
5ce601 |
path to a shared library object implementing the PKCS#11 API
|
|
Packit |
5ce601 |
for the device.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-P</term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Set the new private key to be non-sensitive and extractable.
|
|
Packit |
5ce601 |
The allows the private key data to be read from the PKCS#11
|
|
Packit |
5ce601 |
device. The default is for private keys to be sensitive and
|
|
Packit |
5ce601 |
non-extractable.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-p <replaceable class="parameter">PIN</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Specify the PIN for the device. If no PIN is provided on
|
|
Packit |
5ce601 |
the command line, <command>pkcs11-keygen</command> will
|
|
Packit |
5ce601 |
prompt for it.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-q</term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Quiet mode: suppress unnecessary output.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-S</term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
For Diffie-Hellman (DH) keys only, use a special prime of
|
|
Packit |
5ce601 |
768, 1024 or 1536 bit size and base (aka generator) 2.
|
|
Packit |
5ce601 |
If not specified, bit size will default to 1024.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-s <replaceable class="parameter">slot</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Open the session with the given PKCS#11 slot. The default is
|
|
Packit |
5ce601 |
slot 0.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
</variablelist>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>SEE ALSO</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
<citerefentry>
|
|
Packit |
5ce601 |
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
|
|
Packit |
5ce601 |
</citerefentry>,
|
|
Packit |
5ce601 |
<citerefentry>
|
|
Packit |
5ce601 |
<refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
|
|
Packit |
5ce601 |
</citerefentry>,
|
|
Packit |
5ce601 |
<citerefentry>
|
|
Packit |
5ce601 |
<refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
|
|
Packit |
5ce601 |
</citerefentry>,
|
|
Packit |
5ce601 |
<citerefentry>
|
|
Packit |
5ce601 |
<refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>8</manvolnum>
|
|
Packit |
5ce601 |
</citerefentry>
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
</refentry>
|