'\" t
.\"     Title: IPSEC-NEWHOSTKEY
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\"      Date: 03/14/2024
.\"    Manual: Executable programs
.\"    Source: Libreswan 5.0~rc2
.\"  Language: English
.\"
.TH "IPSEC\-NEWHOSTKEY" "8" "03/14/2024" "Libreswan 5.0~rc2" "Executable programs"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ipsec-newhostkey \- generate a new raw RSA authentication key for a host
.SH "SYNOPSIS"
.HP \w'\fBipsec\fR\ 'u
\fBipsec\fR \fInewhostkey\fR [[\-\-quiet] | [\-\-verbose]] [\-\-nssdir\ \fInssdir\fR] [\-\-password\ \fIpassword\fR] [\-\-bits\ \fIbits\fR] [\-\-curve\ \fIcurve\fR] [\-\-keytype\ \fIrsa|ecdsa\fR] [\-\-seeddev\ \fIdevice\fR]
.SH "DESCRIPTION"
.PP
\fBnewhostkey\fR
generates an RSA (or, with
\fB\-\-keytype ecdsa\fR, an ECDSA) public/private key pair suitable for authenticating this host and stores it in the NSS database\&.
.PP
See
\fBipsec-showhostkey\fR(8)
for how to extract the public key from the NSS database\&.
.SS "Output Options"
.PP
\fB\-\-quiet\fR
.RS 4
The
\fB\-\-quiet\fR
option suppresses both the
\fBrsasigkey\fR
narrative and the existing\-file warning message\&.
.RE
.PP
\fB\-\-nssdir \fR\fB\fI/var/lib/ipsec/nss\fR\fR
.RS 4
The
\fB\-\-nssdir\fR
option specifies the NSS DB directory where the certificate, key, and modsec databases reside (default
/var/lib/ipsec/nss)\&.
.RE
.PP
\fB\-\-password \fR\fB\fIpassword\fR\fR
.RS 4
The
\fB\-\-password\fR
option specifies a module authentication
\fIpassword\fR
that may be required if FIPS mode is enabled\&.
.RE
.PP
\fB\-\-bits \fR\fB\fIbits\fR\fR
.RS 4
The
\fB\-\-bits\fR
option specifies the number of bits in the RSA key; the current default is a random (multiple of 16) value between 3072 and 4096\&. The minimum allowed is 2192\&.
.RE
.PP
\fB\-\-curve \fR\fB\fIcurve\fR\fR
.RS 4
The
\fB\-\-curve\fR
option specifies the named curve used in the ECDSA key; the current default is secp256r1\&. See
\fBipsec-ecdsasigkey\fR(8)
for the available curve names\&.
.RE
.PP
\fB\-\-keytype \fR\fB\fIrsa|ecdsa\fR\fR
.RS 4
The
\fB\-\-keytype\fR
option specifies the type of key, which can be either
\fIrsa\fR
(RSA) or
\fIecdsa\fR
(ECDSA); if omitted, the current default is
\fIrsa\fR\&.
.RE
.PP
\fB\-\-seeddev \fR\fB\fIdevice\fR\fR
.RS 4
The
\fB\-\-seeddev\fR
option specifies the random device (default
/dev/random) used to seed the crypto library RNG\&.
.RE
.SH "FILES"
.PP
/dev/random, /dev/urandom
.SH "SEE ALSO"
.PP
\fBipsec-rsasigkey\fR(8),
\fBipsec-showhostkey\fR(8),
\fBipsec.secrets\fR(5)
.SH "HISTORY"
.PP
Originally written for the Linux FreeS/WAN project
<\m[blue]\fBhttps://www\&.freeswan\&.org\fR\m[]>
by Henry Spencer\&. Updated by Paul Wouters\&.
.SH "BUGS"
.PP
As with
\fBrsasigkey\fR, the run time is difficult to predict, since depletion of the system\*(Aqs randomness pool can cause arbitrarily long waits for random bits for seeding the NSS library, and the prime\-number searches can also take unpredictable (and potentially large) amounts of CPU time\&. See
\fBipsec-rsasigkey\fR(8)\&.
.SH "AUTHOR"
.PP
Paul Wouters
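The option constraints described above (keytype limited to rsa or ecdsa, an RSA size of at least 2192 bits, a default size that is a random multiple of 16 between 3072 and 4096, and the /dev/random blocking noted under BUGS) can be checked before the key is generated. The following wrapper is an added example and is not part of Libreswan or of this man page; the function names (default_rsa_bits, check_rsa_bits, build_newhostkey_cmd, run_newhostkey), the use of /proc/sys/kernel/random/entropy_avail, and the 256-bit low-entropy threshold are this example's own assumptions, not anything the page documents.

```shell
#!/bin/sh
# Added example, not Libreswan code: a pre-flight wrapper for "ipsec newhostkey"
# that enforces the constraints stated in ipsec-newhostkey(8) before invoking it.

# Smallest RSA modulus newhostkey accepts, per the man page.
NEWHOSTKEY_MIN_BITS=2192

# Reproduce the documented default: a random multiple of 16 in [3072, 4096].
# 3072 = 16*192 and 4096 = 16*256, so there are exactly 65 candidate sizes.
default_rsa_bits() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( 3072 + 16 * (r % 65) ))
}

# Reject a --bits value that is not an integer or is below the documented minimum.
check_rsa_bits() {
    case "$1" in
        ''|*[!0-9]*) echo "bits must be a positive integer: '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -lt "$NEWHOSTKEY_MIN_BITS" ]; then
        echo "bits must be at least $NEWHOSTKEY_MIN_BITS, got $1" >&2
        return 1
    fi
    return 0
}

# Only the two key types the man page lists are accepted.
check_keytype() {
    case "$1" in
        rsa|ecdsa) return 0 ;;
        *) echo "keytype must be rsa or ecdsa: '$1'" >&2; return 1 ;;
    esac
}

# Build (without running) the command line.
# Usage: build_newhostkey_cmd KEYTYPE BITS_OR_CURVE NSSDIR
# For rsa the second argument is --bits; for ecdsa it is the --curve name.
build_newhostkey_cmd() {
    keytype=$1; size=$2; nssdir=$3
    check_keytype "$keytype" || return 1
    if [ "$keytype" = rsa ]; then
        check_rsa_bits "$size" || return 1
        echo "ipsec newhostkey --keytype rsa --bits $size --nssdir $nssdir"
    else
        echo "ipsec newhostkey --keytype ecdsa --curve $size --nssdir $nssdir"
    fi
}

# newhostkey seeds from /dev/random by default and can block when the pool is
# depleted (see BUGS). The 256-bit threshold is this example's own heuristic.
warn_low_entropy() {
    f=/proc/sys/kernel/random/entropy_avail
    if [ -r "$f" ] && [ "$(cat "$f")" -lt 256 ]; then
        echo "warning: entropy_avail=$(cat "$f"); key generation may block" >&2
    fi
}

# Validate, warn, then run. Example: run_newhostkey rsa "$(default_rsa_bits)" /var/lib/ipsec/nss
run_newhostkey() {
    cmd=$(build_newhostkey_cmd "$@") || return 1
    warn_low_entropy
    echo "running: $cmd"
    $cmd
}
```

The wrapper deliberately fails closed: an undersized or malformed --bits value or an unknown --keytype stops before ipsec is called, so a typo cannot silently produce a weaker key than intended. The arguments are word-split when the command runs, so an NSS directory path containing spaces would need quoting added.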