@deftypefun {int} {gnutls_pkcs11_privkey_generate3} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, const gnutls_datum_t * @var{cid}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{pubkey}, unsigned int @var{key_usage}, unsigned int @var{flags})
@var{url}: a token URL

@var{pk}: the public key algorithm

@var{bits}: the security bits

@var{label}: a label

@var{cid}: The CKA_ID to use for the new object

@var{fmt}: the format of output params. PEM or DER

@var{pubkey}: will hold the public key (may be @code{NULL} )

@var{key_usage}: One of GNUTLS_KEY_*

@var{flags}: zero or an OR'ed sequence of @code{GNUTLS_PKCS11_OBJ_FLAGs} 

This function will generate a private key in the specified
by the  @code{url} token. The private key will be generate within
the token and will not be exportable. This function will
store the DER-encoded public key in the SubjectPublicKeyInfo format 
in  @code{pubkey} . The  @code{pubkey} should be deinitialized using @code{gnutls_free()} .

Note that when generating an elliptic curve key, the curve
can be substituted in the place of the bits parameter using the
@code{GNUTLS_CURVE_TO_BITS()}  macro.

Since 3.6.3 the objects are marked as sensitive by default unless
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE}  is specified.

@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS}  (0) is returned, otherwise a
negative error value.

@strong{Since:} 3.4.0
@end deftypefun