1IPSEC_RANBITS(8) [FIXME: manual] IPSEC_RANBITS(8)
2
6 ipsec_newhostkey - generate a new raw RSA authentication key for a host
7
9 ipsec newhostkey [[--configdiranssdbdir] | [--password password]]
10 [[--quiet] | [--verbose]] [--bits bits] [--hostname hostname]
11 --output filename
12
14 newhostkey outputs (into filename, which can be ´-´ for standard
15 output) an RSA private key suitable for this host, in
16 /etc/ipsec.secrets format (see ipsec.secrets(5)) using the --quiet
17 option per default.
18 The --output option is mandatory. The specified filename is created
20 under umask 077 if nonexistent; if it already exists and is non-empty,
21 a warning message about that is sent to standard error, and the output
22 is appended to the file.
23 The --quiet option suppresses both the rsasigkey narrative and the
25 existing-file warning message.
26 When compiled with NSS support, --configdir specifies the nss
28 configuration directory where the certificate key, and modsec databases
29 reside. There is no default value, though /etc/ipsec.d might be
30 sensible choice.
31 When compiled with NSS support, --password specifies a module
33 authentication password that may be required if FIPS mode is enabled
34 The --bits option specifies the number of bits in the key; the current
36 default is 2192 and we do not recommend use of anything shorter unless
37 unusual constraints demand it.
38 The --hostname option is passed through to rsasigkey to tell it what
40 host name to label the output with (via its --hostname option).
41 The output format is that of rsasigkey, with bracketing added to
43 complete the ipsec.secrets format. In the usual case, where
44 ipsec.secrets contains only the hostâs own private key, the output of
45 newhostkey is sufficient as a complete ipsec.secrets file.
46
48 /dev/random, /dev/urandom
49
51 ipsec_rsasigkey(8), ipsec.secrets(5)
52
54 Written for the Linux FreeS/WAN project <http://www.freeswan.org> by
55 Henry Spencer.
56
58 As with rsasigkey, the run time is difficult to predict, since
59 depletion of the systemâs randomness pool can cause arbitrarily long
60 waits for random bits, and the prime-number searches can also take
61 unpre dictable (and potentially large) amounts of CPU time. See
62 ipsec_rsasigkey(8) for some typical performance numbers.
63 A higher-level tool which could handle the clerical details of changing
65 to a new key would be helpful.
66 The requirement for --output is a blemish, but private keys are
68 extremely sensitive information and unusual precautions seem justified.
69[FIXME: source] 10/06/2010 IPSEC_RANBITS(8)