PKI --GEN(1) strongSwan PKI --GEN(1)

pki --gen - Generate a new RSA or ECDSA private key

pki --gen [--type type] [--size bits] [--safe-primes] [--shares n]
    [--threshold l] [--outform encoding] [--debug level]

pki --gen --options file

pki --gen -h | --help

This sub-command of pki(1) is used to generate a new RSA or ECDSA private key.

-h, --help
Print usage information with a summary of the available options.

-v, --debug level
Set debug level, default: 1.

-+, --options file
Read command line options from file.

-t, --type type
Type of key to generate. Either rsa, ecdsa, ed25519, ed448 or bliss, defaults to rsa.

-s, --size bits
Key length in bits. Defaults to 2048 for rsa and 384 for ecdsa. For ecdsa only three values are currently supported: 256, 384 and 521.

-p, --safe-primes
Generate RSA safe primes.

-f, --outform encoding
Encoding of the generated private key. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.

RSA Threshold Cryptography
-n, --shares <n>
Number of private RSA key shares.

-l, --threshold <l>
Minimum number of participating RSA key shares.

If the gmp plugin is used to generate RSA private keys the key material is read from /dev/random (via the random plugin). Therefore, the command may block if the system's entropy pool is empty. To avoid this, either use a hardware random number generator to feed /dev/random or use OpenSSL (via the openssl plugin or the command line) which is not as strict in regards to the quality of the key material (it reads from /dev/urandom if necessary). It is also possible to configure the devices used by the random plugin in strongswan.conf(5). Setting libstrongswan.plugins.random.random to /dev/urandom forces the plugin to treat bytes read from /dev/urandom as high grade random data, thus avoiding the blocking. Of course, this doesn't change the fact that the key material generated this way is of lower quality.

pki --gen --size 3072 > rsa_key.der
Generates a 3072-bit RSA private key.

pki --gen --type ecdsa --size 256 > ecdsa_key.der
Generates a 256-bit ECDSA private key.

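The two commands above redirect the key into a file created with the shell's default umask. The following is an added example, not part of the strongSwan man page or code: a POSIX sh wrapper around the same pki --gen invocation that creates the key file with mode 0600, refuses to overwrite an existing key, and does not leave a truncated key at the target path when generation fails. The function names and the 2048-bit RSA floor are assumptions of this example; only rsa and ecdsa are handled.

```shell
#!/bin/sh
# Added example, not strongSwan code. Wraps "pki --gen ... > key.der" so the
# private key is never group/world readable and never half-written.

# check_key_params TYPE BITS: return 0 if the combination is acceptable.
# The ecdsa sizes are the three the man page lists; the RSA floor of 2048
# is an assumed local policy (the page's default size), not a pki limit.
check_key_params() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac      # BITS must be a number
    case "$1" in
        rsa)   [ "$2" -ge 2048 ] ;;
        ecdsa) case "$2" in 256|384|521) return 0 ;; *) return 1 ;; esac ;;
        *)     return 1 ;;     # other key types are outside this example
    esac
}

# generate_private_key TYPE BITS OUTFILE
# Returns 0 on success, 2 for rejected parameters, 3 if OUTFILE exists,
# 1 if pki fails or produces no output.
generate_private_key() {
    key_type=$1 key_bits=$2 key_out=$3
    check_key_params "$key_type" "$key_bits" || {
        echo "rejected parameters: $key_type/$key_bits" >&2; return 2; }
    if [ -e "$key_out" ]; then
        echo "refusing to overwrite $key_out" >&2; return 3
    fi
    (
        umask 077                        # anything created here is 0600
        # Temp file in the target directory so the final mv is a rename.
        tmp=$(mktemp "$key_out.XXXXXX") || exit 1
        # der is already the default encoding; stated explicitly here.
        if pki --gen --type "$key_type" --size "$key_bits" --outform der \
                > "$tmp" && [ -s "$tmp" ]; then
            mv "$tmp" "$key_out"
        else
            rm -f "$tmp"                 # drop the partial key material
            exit 1
        fi
    )
}

# Usage, mirroring the man page examples:
#   generate_private_key rsa 3072 rsa_key.der
#   generate_private_key ecdsa 256 ecdsa_key.der
```
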
pki(1)

5.9.9 2016-12-13 PKI --GEN(1)