ipsec_newhostkey(8)

1IPSEC_RANBITS(8)              Executable programs             IPSEC_RANBITS(8)
2
3
4

NAME

6       ipsec_newhostkey - generate a new raw RSA authentication key for a host
7

SYNOPSIS

9       ipsec newhostkey [[--configdirnssdbdir] | [--password password]]
10             [[--quiet] | [--verbose]] [--bits bits] [--seeddev device]
11             [--hostname hostname] [--output filename]
12

DESCRIPTION

14       newhostkey outputs (into filename, which can be ´-´ for standard
15       output) an RSA private key suitable for this host, in
16       /etc/ipsec.secrets format (see ipsec.secrets(5)) using the --quiet
17       option per default.
18
19       The --output option is mandatory. The specified filename is created
20       under umask 077 if nonexistent; if it already exists and is non-empty,
21       a warning message about that is sent to standard error, and the output
22       is appended to the file.
23
24       The --quiet option suppresses both the rsasigkey narrative and the
25       existing-file warning message.
26
27       When compiled with NSS support (the default), --configdir specifies the
28       nss configuration directory where the certificate key, and modsec
29       databases reside. There is no default value, though /etc/ipsec.d might
30       be sensible choice.
31
32       When compiled with NSS support (the default), --password specifies a
33       module authentication password that may be required if FIPS mode is
34       enabled
35
36       The --bits option specifies the number of bits in the RSA key; the
37       current default is a random (multiple of 16) value between 3072 and
38       4096. The minimum allowed is 2192.
39
40       The --seeddev is used to specify the random device (default /dev/random
41       used to seed the crypto library RNG.
42
43       The --hostname option is passed through to rsasigkey to tell it what
44       host name to label the output with (via its --hostname option).
45
46       The output format is that of rsasigkey, with bracketing added to
47       complete the ipsec.secrets format. In the usual case, where
48       ipsec.secrets contains only the hostâs own private key, the output of
49       newhostkey is sufficient as a complete ipsec.secrets file.
50

FILES

52       /dev/random, /dev/urandom
53

HISTORY

58       Originally written for the Linux FreeS/WAN project
59       <http://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters
60

BUGS

62       As with rsasigkey, the run time is difficult to predict, since
63       depletion of the systemâs randomness pool can cause arbitrarily long
64       waits for random bits for seeding the NSS library, and the prime-number
65       searches can also take unpredictable (and potentially large) amounts of
66       CPU time. See ipsec_rsasigkey(8) .
67
68       A higher-level tool which could handle the clerical details of changing
69       to a new key would be helpful.
70

AUTHOR

72       Paul Wouters
73           placeholder to suppress warning
74
75
76
77libreswan                         10/04/2017                  IPSEC_RANBITS(8)