NAME¶
pki --gen - Generate a new RSA or ECDSA private key
SYNOPSIS¶
pki --gen |
[--type type]
[--size bits]
[--safe-primes]
[--shares n]
[--threshold l]
[--outform encoding]
[--debug level] |
DESCRIPTION¶
This sub-command of pki(1) is used to generate a new RSA or
ECDSA private key.
OPTIONS¶
- -h, --help
- Print usage information with a summary of the available options.
- -v, --debug
level
- Set debug level, default: 1.
- -+, --options file
- Read command line options from file.
- -t, --type
type
- Type of key to generate. Either rsa, ecdsa, ed25519,
ed448 or bliss, defaults to rsa.
- -s, --size
bits
- Key length in bits. Defaults to 2048 for rsa and 384 for
ecdsa. For ecdsa only three values are currently supported:
256, 384 and 521.
- -p, --safe-primes
- Generate RSA safe primes.
- -f, --outform
encoding
- Encoding of the generated private key. Either der (ASN.1 DER) or
pem (Base64 PEM), defaults to der.
PROBLEMS ON HOSTS WITH LOW ENTROPY¶
If the gmp plugin is used to generate RSA private keys the
key material is read from /dev/random (via the random plugin).
Therefore, the command may block if the system's entropy pool is empty. To
avoid this, either use a hardware random number generator to feed
/dev/random or use OpenSSL (via the openssl plugin or the
command line) which is not as strict in regards to the quality of the key
material (it reads from /dev/urandom if necessary). It is also
possible to configure the devices used by the random plugin in
strongswan.conf(5). Setting
libstrongswan.plugins.random.random to /dev/urandom forces the
plugin to treat bytes read from /dev/urandom as high grade random
data, thus avoiding the blocking. Of course, this doesn't change the fact
that the key material generated this way is of lower quality.