1IPSEC_NEWHOSTKEY(8)           Executable programs          IPSEC_NEWHOSTKEY(8)
2
3
4

NAME

6       ipsec_newhostkey - generate a new raw RSA authentication key for a host
7

SYNOPSIS

9       ipsec newhostkey [[--quiet] | [--verbose]] [--nssdirnssdir]
10             [--password password] [--bits bits] [--seeddev device]
11             [--hostname hostname] [--output filename]
12

DESCRIPTION

14       newhostkey generates an RSA public/private key pair suitable for
15       authenticating this host is generated and stored in the NSS database.
16
17       See ipsec_showhostkey(8) for how to extract the public key from the NSS
18       database.
19
20   Output Options
21       --output filename
22           The --output option specifies an ipsec.secrets formatted file (see
23           ipsec.secrets(5)). to store the public key information. If the file
24           does not exist, it is created under umask 077. If the file already
25           exists and is non-empty, a warning message about that is written to
26           standard error, and the output is appended to the file.
27
28       --quiet
29           The --quiet option suppresses both the rsasigkey narrative and the
30           existing-file warning message.
31
32       --nssdir nssdir
33           The --nssdir option specifies the NSS DB directory where the
34           certificate key, and modsec databases reside (default /etc/ipsec.d)
35
36       --password password
37           The --password option specifies a module authentication password
38           that may be required if FIPS mode is enabled.
39
40       --bits bits
41           The --bits option specifies the number of bits in the RSA key; the
42           current default is a random (multiple of 16) value between 3072 and
43           4096. The minimum allowed is 2192.
44
45       --seeddev device
46           The --seeddev is used to specify the random device (default
47           /dev/random used to seed the crypto library RNG.
48
49       --hostname hostname
50           The --hostname option is passed through to rsasigkey to tell it
51           what host name to label the output with (via its --hostname
52           option).
53

FILES

55       /dev/random, /dev/urandom
56

SEE ALSO

58       ipsec_rsasigkey(8), ipsec_showhostkey(8), ipsec.secrets(5)
59

HISTORY

61       Originally written for the Linux FreeS/WAN project
62       <https://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters
63

BUGS

65       As with rsasigkey, the run time is difficult to predict, since
66       depletion of the system's randomness pool can cause arbitrarily long
67       waits for random bits for seeding the NSS library, and the prime-number
68       searches can also take unpredictable (and potentially large) amounts of
69       CPU time. See ipsec_rsasigkey(8) .
70
71       A higher-level tool that could handle the clerical details of changing
72       to a new key would be helpful.
73

AUTHOR

75       Paul Wouters
76           placeholder to suppress warning
77
78
79
80libreswan                         04/14/2020               IPSEC_NEWHOSTKEY(8)
Impressum