'\" t
.\"     Title: IPSEC_NEWHOSTKEY
.\"    Author: Paul Wouters
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\"      Date: 06/02/2023
.\"    Manual: Executable programs
.\"    Source: libreswan
.\"  Language: English
.\"
.TH "IPSEC_NEWHOSTKEY" "8" "06/02/2023" "libreswan" "Executable programs"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ipsec_newhostkey \- generate a new raw RSA or ECDSA authentication key for a host
.SH "SYNOPSIS"
.HP \w'\fBipsec\fR\ 'u
\fBipsec\fR \fInewhostkey\fR [[\-\-quiet] | [\-\-verbose]] [\-\-nssdir\ \fInssdir\fR] [\-\-password\ \fIpassword\fR] [\-\-bits\ \fIbits\fR] [\-\-curve\ \fIcurve\fR] [\-\-keytype\ \fIrsa|ecdsa\fR] [\-\-seeddev\ \fIdevice\fR]
.SH "DESCRIPTION"
.PP
\fInewhostkey\fR generates a public/private key pair (RSA by default, or ECDSA with \fB\-\-keytype\ ecdsa\fR) suitable for authenticating this host, and stores it in the NSS database\&. Only the public half needs to be shared with peers\&.
.PP
See \fBipsec_showhostkey\fR(8) for how to extract the public key from the NSS database\&.
.SS "Output Options"
.PP
\fB\-\-quiet\fR
.RS 4
The \fB\-\-quiet\fR option suppresses both the \fIrsasigkey\fR narrative and the existing\-file warning message\&.
.RE
.PP
\fB\-\-nssdir\fR\ \&\fInssdir\fR
.RS 4
The \fB\-\-nssdir\fR option specifies the NSS database directory where the certificate, key, and security module databases reside (default /var/lib/ipsec/nss)\&.
.RE
.PP
\fB\-\-password\fR\ \&\fIpassword\fR
.RS 4
The \fB\-\-password\fR option specifies a module authentication \fIpassword\fR that may be required if FIPS mode is enabled\&.
.RE
.PP
\fB\-\-bits\fR\ \&\fIbits\fR
.RS 4
The \fB\-\-bits\fR option specifies the number of bits in the RSA key; the current default is a random (multiple of 16) value between 3072 and 4096\&. The minimum allowed is 2192\&. It applies to RSA keys only; the size of an ECDSA key is fixed by its curve (see \fB\-\-curve\fR)\&.
.RE
.PP
\fB\-\-curve\fR\ \&\fIcurve\fR
.RS 4
The \fB\-\-curve\fR option specifies the named curve used in the ECDSA key; the current default is secp256r1\&. See \fBipsec_ecdsasigkey\fR(8) for the available curve names\&.
.RE
.PP
\fB\-\-keytype\fR\ \&\fIrsa|ecdsa\fR
.RS 4
The \fB\-\-keytype\fR option specifies the type of key, which can be either \fIrsa\fR (RSA) or \fIecdsa\fR (ECDSA); if omitted, the current default is \fIrsa\fR\&.
.RE
.PP
\fB\-\-seeddev\fR\ \&\fIdevice\fR
.RS 4
The \fB\-\-seeddev\fR option specifies the random device (default /dev/random) used to seed the crypto library RNG\&. Seeding from a device whose pool has not yet been initialized yields predictable keys; on headless or virtual machines, make sure the kernel\*(Aqs random pool is being fed (for example by a hardware RNG or virtio\-rng) rather than pointing \fB\-\-seeddev\fR at a weaker source\&.
.RE
.SH "FILES"
.PP
/dev/random, /dev/urandom
.SH "SEE ALSO"
.PP
\fBipsec_rsasigkey\fR(8), \fBipsec_showhostkey\fR(8), \fBipsec.secrets\fR(5)
.SH "HISTORY"
.PP
Originally written for the Linux FreeS/WAN project <\m[blue]\fBhttps://www\&.freeswan\&.org\fR\m[]> by Henry Spencer\&. Updated by Paul Wouters\&.
.SH "BUGS"
.PP
As with \fIrsasigkey\fR, the run time is difficult to predict, since depletion of the system\*(Aqs randomness pool can cause arbitrarily long waits for random bits for seeding the NSS library, and the prime\-number searches can also take unpredictable (and potentially large) amounts of CPU time\&. See \fBipsec_rsasigkey\fR(8)\&.
.SH "AUTHOR"
.PP
\fBPaul Wouters\fR
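.SH "EXAMPLES"
.PP
The following script is an added example and is not part of libreswan\&. It provisions a raw host key with the options described above, enforces the documented size limits for RSA keys, and hands the public half to \fBipsec_showhostkey\fR(8) to produce the line a peer needs\&. Two details are assumptions that this page does not state and should be verified against your libreswan version: that \fInewhostkey\fR reports the new key with a line containing "CKAID <hex>", and that \fBipsec showhostkey\fR accepts \fB\-\-nssdir\fR, \fB\-\-left\fR and \fB\-\-ckaid\fR to print the matching leftrsasigkey line\&.

```shell
#!/bin/sh
# Added example, not libreswan's own code: provision a raw host key for a new
# gateway and emit the line a peer needs in its ipsec.conf.
#
# Assumptions beyond the manual page (check them on your installation):
#   - "ipsec newhostkey" prints a line such as
#       Generated RSA key pair with CKAID <hex> was stored in the NSS database
#   - "ipsec showhostkey --nssdir D --left --ckaid <hex>" prints the
#       leftrsasigkey=0s... line for that key.

# Reject RSA key sizes below the documented minimum of 2192 bits and, as a
# local policy matching the granularity of the tool's own default, anything
# that is not a multiple of 16.  Returns 0 when acceptable, 1 otherwise.
check_bits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2192 ] || return 1
    [ $(( $1 % 16 )) -eq 0 ] || return 1
    return 0
}

# Reproduce the documented default: a random multiple of 16 in [3072, 4096].
# There are 65 such values; draw two bytes from the kernel pool and map them.
default_bits() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( 3072 + (r % 65) * 16 ))
}

# Extract the CKAID (hex) from newhostkey's narrative so the right key can be
# selected later even when the NSS database holds several host keys.
# Prints nothing if no CKAID is found.
ckaid_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*CKAID \([0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p'
}

# Generate the key and print the peer-side configuration line.
# Usage: provision_hostkey [nssdir] [bits|ecdsa]
provision_hostkey() {
    nssdir=${1:-/var/lib/ipsec/nss}
    keyspec=${2:-$(default_bits)}
    command -v ipsec >/dev/null 2>&1 || { echo "ipsec not installed" >&2; return 2; }
    if [ "$keyspec" = ecdsa ]; then
        # --bits does not apply to ECDSA; the curve fixes the key size.
        out=$(ipsec newhostkey --nssdir "$nssdir" --keytype ecdsa --curve secp256r1) || return 1
    else
        check_bits "$keyspec" || { echo "refusing RSA key size $keyspec" >&2; return 1; }
        out=$(ipsec newhostkey --nssdir "$nssdir" --keytype rsa --bits "$keyspec") || return 1
    fi
    ckaid=$(ckaid_from_output "$out")
    [ -n "$ckaid" ] || { echo "no CKAID found in newhostkey output" >&2; return 1; }
    echo "# host key CKAID $ckaid"
    # Only the public half is exported; the private key stays in the NSS database.
    ipsec showhostkey --nssdir "$nssdir" --left --ckaid "$ckaid"
}
```
.PP
Run it as \fBprovision_hostkey /var/lib/ipsec/nss 4096\fR on the gateway and paste the printed line into the peer\*(Aqs connection definition\&. Because the default key size is drawn from the kernel pool, the script uses /dev/urandom for that choice only; the key material itself is still seeded by the crypto library from the device given to \fB\-\-seeddev\fR\&.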