IPSEC_NEWHOSTKEY(8) Executable programs IPSEC_NEWHOSTKEY(8)

NAME
ipsec_newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS
ipsec newhostkey [[--quiet] | [--verbose]] [--nssdir nssdir]
[--password password] [--bits bits] [--curve curve]
[--keytype rsa|ecdsa] [--seeddev device]

DESCRIPTION
newhostkey generates an RSA (or, with --keytype ecdsa, an ECDSA)
public/private key pair suitable for authenticating this host and stores
it in the NSS database.

See ipsec_showhostkey(8) for how to extract the public key from the NSS
database.

Output Options
--quiet
The --quiet option suppresses both the rsasigkey narrative and the
existing-file warning message.

--nssdir nssdir
The --nssdir option specifies the NSS DB directory where the
certificate, key, and modsec databases reside (default
/var/lib/ipsec/nss).

--password password
The --password option specifies a module authentication password
that may be required if FIPS mode is enabled.

--bits bits
The --bits option specifies the number of bits in the RSA key; the
current default is a random (multiple of 16) value between 3072 and
4096. The minimum allowed is 2192.

--curve curve
The --curve option specifies the named curve used in the ECDSA key;
the current default is secp256r1. See ipsec_ecdsasigkey(8) for the
available curve names.

--keytype rsa|ecdsa
The --keytype option specifies the type of key, which can either be
rsa (RSA) or ecdsa (ECDSA); if omitted the current default is rsa.

--seeddev device
The --seeddev option specifies the random device (default
/dev/random) used to seed the crypto library RNG.

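As an added example that is not part of libreswan or of this manual page, the following POSIX shell script applies the documented --bits rules (minimum 2192, default a random multiple of 16 between 3072 and 4096) before assembling an ipsec newhostkey command line; the function names and the optional seed argument of default_rsa_bits are this example's own conventions.

```shell
#!/bin/sh
# Added example, not libreswan code: enforce the key-size rules from the
# --bits description before invoking `ipsec newhostkey`.

# Default RSA size as documented: a random multiple of 16 between 3072 and
# 4096 inclusive, i.e. one of 65 candidates. An optional first argument
# supplies the random value so the result is reproducible (test hook).
default_rsa_bits() {
    r=${1:-$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')}
    echo $(( 3072 + (r % 65) * 16 ))
}

# Accept only a positive integer at or above the documented 2192-bit minimum.
check_rsa_bits() {
    case ${1:-} in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2192 ]
}

# Print the command line that would be run (nothing is executed here).
# For ECDSA the third argument is a curve name and defaults to secp256r1,
# the default named in the --curve description.
build_newhostkey_cmd() {
    keytype=${1:-}
    nssdir=${2:-}
    size=${3:-}
    case $keytype in
        rsa)
            check_rsa_bits "$size" || return 1
            printf 'ipsec newhostkey --nssdir %s --keytype rsa --bits %s\n' \
                "$nssdir" "$size" ;;
        ecdsa)
            printf 'ipsec newhostkey --nssdir %s --keytype ecdsa --curve %s\n' \
                "$nssdir" "${size:-secp256r1}" ;;
        *)
            return 1 ;;
    esac
}

# Typical use (commented out so the file is safe to source in tests):
#   cmd=$(build_newhostkey_cmd rsa /var/lib/ipsec/nss "$(default_rsa_bits)") && $cmd
#   then see ipsec_showhostkey(8) to extract the public key from the NSS database
```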
FILES
/dev/random, /dev/urandom

SEE ALSO
ipsec_rsasigkey(8), ipsec_showhostkey(8), ipsec.secrets(5)

HISTORY
Originally written for the Linux FreeS/WAN project
<https://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters.

BUGS
As with rsasigkey, the run time is difficult to predict, since
depletion of the system's randomness pool can cause arbitrarily long
waits for random bits for seeding the NSS library, and the prime-number
searches can also take unpredictable (and potentially large) amounts of
CPU time. See ipsec_rsasigkey(8).

AUTHOR
Paul Wouters

libreswan 09/05/2023 IPSEC_NEWHOSTKEY(8)