1PKI --GEN(1)                      strongSwan                      PKI --GEN(1)
2
3
4

NAME

6       pki --gen - Generate a new RSA or ECDSA private key
7

SYNOPSIS

9       pki --gen [--type type] [--size bits] [--safe-primes] [--shares n]
10                 [--threshold l] [--outform encoding] [--debug level]
11
12       pki --gen --options file
13
14       pki --gen -h | --help
15

DESCRIPTION

17       This sub-command of pki(1) is used to generate a new RSA or ECDSA  pri‐
18       vate key.
19

OPTIONS

21       -h, --help
22              Print usage information with a summary of the available options.
23
24       -v, --debug level
25              Set debug level, default: 1.
26
27       -+, --options file
28              Read command line options from file.
29
30       -t, --type type
31              Type  of  key  to generate. Either rsa, ecdsa, ed25519 or bliss,
32              defaults to rsa.
33
34       -s, --size bits
35              Key length in bits. Defaults to 2048 for rsa and 384 for  ecdsa.
36              For  ecdsa  only  three values are currently supported: 256, 384
37              and 521.
38
39       -p, --safe-primes
40              Generate RSA safe primes.
41
42       -f, --outform encoding
43              Encoding of the generated private key. Either der (ASN.1 DER) or
44              pem (Base64 PEM), defaults to der.
45
46   RSA Threshold Cryptography
47       -n, --shares <n>
48              Number of private RSA key shares.
49
50       -l, --threshold <l>
51              Minimum number of participating RSA key shares.
52

PROBLEMS ON HOSTS WITH LOW ENTROPY

54       If the gmp plugin is used to generate RSA private keys the key material
55       is read from /dev/random (via the random plugin). Therefore,  the  com‐
56       mand  may  block if the system's entropy pool is empty.  To avoid this,
57       either use a hardware random number generator to  feed  /dev/random  or
58       use  OpenSSL  (via the openssl plugin or the command line) which is not
59       as strict in regards to the quality of the key material (it reads  from
60       /dev/urandom  if  necessary).  It  is  also  possible  to configure the
61       devices used by the random plugin in strongswan.conf(5).  Setting  lib‐
62       strongswan.plugins.random.random  to  /dev/urandom forces the plugin to
63       treat bytes read from /dev/urandom as  high  grade  random  data,  thus
64       avoiding the blocking. Of course, this doesn't change the fact that the
65       key material generated this way is of lower quality.
66

EXAMPLES

68       pki --gen --size 3072 > rsa_key.der
69              Generates a 3072-bit RSA private key.
70
71       pki --gen --type ecdsa --size 256 > ecdsa_key.der
72              Generates a 256-bit ECDSA private key.
73

SEE ALSO

75       pki(1)
76
77
78
795.7.2                             2016-12-13                      PKI --GEN(1)
Impressum