PKI --GEN(1)                      strongSwan                      PKI --GEN(1)

NAME

       pki --gen - Generate a new RSA or ECDSA private key


SYNOPSIS

       pki --gen [--type type] [--size bits] [--safe-primes] [--shares n]
                 [--threshold l] [--outform encoding] [--debug level]

       pki --gen --options file

       pki --gen -h | --help


DESCRIPTION

       This sub-command of pki(1) is used to generate a new RSA or ECDSA
       private key.


OPTIONS

       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -t, --type type
              Type of key to generate. Either rsa or ecdsa, defaults to rsa.

       -s, --size bits
              Key length in bits. Defaults to 2048 for rsa and 384 for ecdsa.
              For ecdsa only three values are currently supported: 256, 384
              and 521.

       -p, --safe-primes
              Generate RSA safe primes.

       -f, --outform encoding
              Encoding of the generated private key. Either der (ASN.1 DER) or
              pem (Base64 PEM), defaults to der.

   RSA Threshold Cryptography
       -n, --shares <n>
              Number of private RSA key shares.

       -l, --threshold <l>
              Minimum number of participating RSA key shares.


PROBLEMS ON HOSTS WITH LOW ENTROPY

       If the gmp plugin is used to generate RSA private keys, the key material
       is read from /dev/random (via the random plugin). Therefore, the command
       may block if the system's entropy pool is empty. To avoid this, either
       use a hardware random number generator to feed /dev/random or use
       OpenSSL (via the openssl plugin or the command line), which is not as
       strict with regard to the quality of the key material (it reads from
       /dev/urandom if necessary). It is also possible to configure the devices
       used by the random plugin in strongswan.conf(5). Setting
       libstrongswan.plugins.random.random to /dev/urandom forces the plugin to
       treat bytes read from /dev/urandom as high grade random data, thus
       avoiding the blocking. Of course, this doesn't change the fact that the
       key material generated this way is of lower quality.


EXAMPLES

       pki --gen --size 3072 > rsa_key.der
              Generates a 3072-bit RSA private key.

       pki --gen --type ecdsa --size 256 > ecdsa_key.der
              Generates a 256-bit ECDSA private key.

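       The following wrapper is an added example and is not part of the
       strongSwan man page or the pki tool itself. It accepts only the
       type/size combinations documented above, warns when the Linux entropy
       estimate is low (the blocking case described under PROBLEMS ON HOSTS
       WITH LOW ENTROPY), and creates the key file readable by its owner only,
       which a plain shell redirect as in the examples above does not do. It
       assumes pki is in PATH; the 2048-bit RSA floor and the 256-bit entropy
       warning threshold are local policy choices, not values from this page.

```shell
#!/bin/sh
# Added example, not strongSwan code: a wrapper around `pki --gen`.
# Assumes `pki` is in PATH. The RSA minimum (2048) and the entropy warning
# threshold (256) are assumptions of this example, not man page values.

# Return 0 if TYPE/SIZE is acceptable: rsa with at least 2048 bits,
# or ecdsa with one of the three supported sizes 256, 384, 521.
valid_key_params() {
    case "$1" in
        rsa)   [ "$2" -ge 2048 ] 2>/dev/null ;;
        ecdsa) case "$2" in 256|384|521) return 0 ;; *) return 1 ;; esac ;;
        *)     return 1 ;;
    esac
}

# Print the exact pki command line for TYPE SIZE [FORM]; FORM defaults to pem.
gen_cmd() {
    printf 'pki --gen --type %s --size %s --outform %s\n' "$1" "$2" "${3:-pem}"
}

# Print the kernel's entropy estimate (Linux only); prints nothing elsewhere.
entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null
}

# gen_key TYPE SIZE OUTFILE [FORM]: validate, warn if the pool looks low,
# then run pki --gen under umask 077 so the private key is created mode 0600.
gen_key() {
    valid_key_params "$1" "$2" || { echo "unsupported key: $1 $2" >&2; return 2; }
    ent=$(entropy_avail)
    if [ -n "$ent" ] && [ "$ent" -lt 256 ]; then
        echo "warning: entropy_avail=$ent, pki --gen may block (gmp plugin)" >&2
    fi
    ( umask 077 && pki --gen --type "$1" --size "$2" --outform "${4:-pem}" > "$3" )
}
```

       Usage: gen_key ecdsa 384 ecdsa_key.pem, or gen_key rsa 3072 rsa_key.der der.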

SEE ALSO

       pki(1)



5.2.0                             2013-07-31                      PKI --GEN(1)