1PKCS11-KEYGEN(8)                    BIND 9                    PKCS11-KEYGEN(8)
2
3
4

NAME

6       pkcs11-keygen - generate keys on a PKCS#11 device
7

SYNOPSIS

9       pkcs11-keygen [-a algorithm] [-b keysize] [-e] [-i id] [-m module] [-P]
10       [-p PIN] [-q] [-S] [-s slot] label
11

DESCRIPTION

13       pkcs11-keygen causes a PKCS#11 device to generate a new key  pair  with
14       the given label (which must be unique) and with keysize bits of prime.
15

OPTIONS

17       -a algorithm
18              This option specifies the key algorithm class: supported classes
19              are RSA, DSA, DH, ECC, and ECX. In addition  to  these  strings,
20              the  algorithm can be specified as a DNSSEC signing algorithm to
21              be used with this key; for example, NSEC3RSASHA1  maps  to  RSA,
22              ECDSAP256SHA256  maps  to  ECC,  and ED25519 to ECX. The default
23              class is RSA.
24
25       -b keysize
26              This option creates the key pair with keysize bits of prime. For
27              ECC keys, the only valid values are 256 and 384, and the default
28              is 256. For ECX keys, the only valid values are 256 and 456, and
29              the default is 256.
30
31       -e     For  RSA  keys  only, this option specifies use of a large expo‐
32              nent.
33
34       -i id  This option creates key objects with id. The ID is either an un‐
35              signed short 2-byte or an unsigned long 4-byte number.
36
37       -m module
38              This  option specifies the PKCS#11 provider module. This must be
39              the full path  to  a  shared  library  object  implementing  the
40              PKCS#11 API for the device.
41
42       -P     This option sets the new private key to be non-sensitive and ex‐
43              tractable, and allows the private key data to be read  from  the
44              PKCS#11  device. The default is for private keys to be sensitive
45              and non-extractable.
46
47       -p PIN This option specifies the PIN for the device. If no PIN is  pro‐
48              vided on the command line, pkcs11-keygen prompts for it.
49
50       -q     This  option  sets quiet mode, which suppresses unnecessary out‐
51              put.
52
53       -S     For Diffie-Hellman (DH) keys only, this option specifies use  of
54              a  special  prime of 768-, 1024-, or 1536-bit size and base (AKA
55              generator) 2. If not specified, bit size defaults to 1024.
56
57       -s slot
58              This option opens the session with the given PKCS#11  slot.  The
59              default is slot 0.
60

SEE ALSO

62       pkcs11-destroy(8),  pkcs11-list(8), pkcs11-tokens(8), dnssec-keyfromla‐
63       bel(8)
64

AUTHOR

66       Internet Systems Consortium
67

COPYRIGHT

69       2022, Internet Systems Consortium
70
71
72
73
749.16.30-RH                                                    PKCS11-KEYGEN(8)