PKCS11-KEYGEN(8) BIND 9 PKCS11-KEYGEN(8)

pkcs11-keygen - generate keys on a PKCS#11 device

pkcs11-keygen [-a algorithm] [-b keysize] [-e] [-i id] [-m module] [-P]
[-p PIN] [-q] [-S] [-s slot] label

pkcs11-keygen causes a PKCS#11 device to generate a new key pair with
the given label (which must be unique) and with keysize bits of prime.

-a algorithm
This option specifies the key algorithm class: supported classes
are RSA, DSA, DH, ECC, and ECX. In addition to these strings,
the algorithm can be specified as a DNSSEC signing algorithm to
be used with this key; for example, NSEC3RSASHA1 maps to RSA,
ECDSAP256SHA256 maps to ECC, and ED25519 to ECX. The default
class is RSA.

-b keysize
This option creates the key pair with keysize bits of prime. For
ECC keys, the only valid values are 256 and 384, and the default
is 256. For ECX keys, the only valid values are 256 and 456, and
the default is 256.

-e For RSA keys only, this option specifies use of a large exponent.

-i id This option creates key objects with id. The ID is either an
unsigned short 2-byte or an unsigned long 4-byte number.

-m module
This option specifies the PKCS#11 provider module. This must be
the full path to a shared library object implementing the
PKCS#11 API for the device.

-P This option sets the new private key to be non-sensitive and
extractable, and allows the private key data to be read from the
PKCS#11 device. The default is for private keys to be sensitive
and non-extractable.

-p PIN This option specifies the PIN for the device. If no PIN is
provided on the command line, pkcs11-keygen prompts for it.

-q This option sets quiet mode, which suppresses unnecessary output.

-S For Diffie-Hellman (DH) keys only, this option specifies use of
a special prime of 768-, 1024-, or 1536-bit size and base (AKA
generator) 2. If not specified, bit size defaults to 1024.

-s slot
This option opens the session with the given PKCS#11 slot. The
default is slot 0.
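
The rules listed under -a and -b can be checked before anything is sent to the device. The shell function below is an added example, not part of the BIND 9 distribution: it validates the algorithm and key size against the values given above and prints a pkcs11-keygen command line that omits -p (the tool then prompts for the PIN, keeping it out of the process arguments and shell history) and -P (the private key keeps its default sensitive, non-extractable attributes). The module path placeholder, the restriction on label characters and the sample labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of BIND 9. Assumed placeholder: point PKCS11_MODULE
# at the full path of your PKCS#11 provider library (see -m).
PKCS11_MODULE="${PKCS11_MODULE:-/path/to/pkcs11-provider.so}"

# keygen_cmd ALGORITHM KEYSIZE SLOT LABEL
# Prints a pkcs11-keygen command line, or returns 1 with a message on stderr
# when the input breaks a rule stated under -a or -b. It runs nothing itself.
keygen_cmd() {
    alg=$1; bits=$2; slot=$3; label=$4

    # Map the DNSSEC algorithm names the page quotes to their key class.
    case "$alg" in
        NSEC3RSASHA1)       class=RSA ;;
        ECDSAP256SHA256)    class=ECC ;;
        ED25519)            class=ECX ;;
        RSA|DSA|DH|ECC|ECX) class=$alg ;;
        *) echo "unsupported algorithm: $alg" >&2; return 1 ;;
    esac

    # Key size and slot must be plain decimal numbers.
    for n in "$bits" "$slot"; do
        case "$n" in ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;; esac
    done

    # The page gives a fixed list of valid sizes only for ECC and ECX.
    case "$class:$bits" in
        ECC:256|ECC:384|ECX:256|ECX:456) ;;
        ECC:*) echo "ECC keysize must be 256 or 384" >&2; return 1 ;;
        ECX:*) echo "ECX keysize must be 256 or 456" >&2; return 1 ;;
    esac

    # Assumption of this example: conservative label characters only, and no
    # leading '-', so the label cannot be parsed as an option.
    case "$label" in
        ''|-*|*[!A-Za-z0-9._-]*) echo "bad label: $label" >&2; return 1 ;;
    esac

    # No -p: the PIN is prompted for. No -P: key stays non-extractable.
    printf 'pkcs11-keygen -m %s -a %s -b %s -s %s %s\n' \
        "$PKCS11_MODULE" "$alg" "$bits" "$slot" "$label"
}
```

The function does not check that the label is unique on the device; pkcs11-list(8) shows the objects already present.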

pkcs11-destroy(8), pkcs11-list(8), pkcs11-tokens(8), dnssec-keyfromlabel(8)

Internet Systems Consortium

2022, Internet Systems Consortium

9.16.30-RH PKCS11-KEYGEN(8)