IPSEC_NEWHOSTKEY(8) | Executable programs | IPSEC_NEWHOSTKEY(8) |
NAME¶
ipsec_newhostkey - generate a new raw RSA authentication key for a hostSYNOPSIS¶
ipsec newhostkey [[--quiet] | [--verbose]] [--nssdirnssdir] [--password password] [--bits bits] [--seeddev device] [--hostname hostname] [--output filename]
DESCRIPTION¶
newhostkey generates an RSA public/private key pair suitable for authenticating this host is generated and stored in the NSS database.See ipsec_showhostkey(8) for how to extract the public key from the NSS database.
Output Options¶
--output filenameThe --output option specifies an
ipsec.secrets formatted file (see ipsec.secrets(5)). to store
the public key information. If the file does not exist, it is created under
umask 077. If the file already exists and is non-empty, a warning
message about that is written to standard error, and the output is appended to
the file.
--quiet
The --quiet option suppresses both the
rsasigkey narrative and the existing-file warning message.
--nssdir nssdir
The --nssdir option specifies the NSS DB directory
where the certificate key, and modsec databases reside (default
/var/lib/ipsec/nss)
--password password
The --password option specifies a module
authentication password that may be required if FIPS mode is
enabled.
--bits bits
The --bits option specifies the number of bits in
the RSA key; the current default is a random (multiple of 16) value between
3072 and 4096. The minimum allowed is 2192.
--seeddev device
The --seeddev is used to specify the random device
(default /dev/random used to seed the crypto library RNG.
--hostname hostname
The --hostname option is passed through to
rsasigkey to tell it what host name to label the output with (via its
--hostname option).
FILES¶
/dev/random, /dev/urandomSEE ALSO¶
ipsec_rsasigkey(8), ipsec_showhostkey(8), ipsec.secrets(5)HISTORY¶
Originally written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer. Updated by Paul WoutersBUGS¶
As with rsasigkey, the run time is difficult to predict, since depletion of the system's randomness pool can cause arbitrarily long waits for random bits for seeding the NSS library, and the prime-number searches can also take unpredictable (and potentially large) amounts of CPU time. See ipsec_rsasigkey(8) .A higher-level tool that could handle the clerical details of changing to a new key would be helpful.
AUTHOR¶
Paul Woutersplaceholder to suppress warning
05/13/2020 | libreswan |