1IPSEC_NEWHOSTKEY(8)           Executable programs          IPSEC_NEWHOSTKEY(8)
2
3
4

NAME

6       ipsec_newhostkey - generate a new raw RSA authentication key for a host
7

SYNOPSIS

9       ipsec newhostkey [[--quiet] | [--verbose]] [--nssdirnssdir]
10             [--password password] [--bits bits] [--curve curve]
11             [--keytype rsa|ecdsa] [--seeddev device]
12

DESCRIPTION

14       newhostkey generates an RSA public/private key pair suitable for
15       authenticating this host is generated and stored in the NSS database.
16
17       See ipsec_showhostkey(8) for how to extract the public key from the NSS
18       database.
19
20   Output Options
21       --quiet
22           The --quiet option suppresses both the rsasigkey narrative and the
23           existing-file warning message.
24
25       --nssdir nssdir
26           The --nssdir option specifies the NSS DB directory where the
27           certificate key, and modsec databases reside (default
28           /var/lib/ipsec/nss)
29
30       --password password
31           The --password option specifies a module authentication password
32           that may be required if FIPS mode is enabled.
33
34       --bits bits
35           The --bits option specifies the number of bits in the RSA key; the
36           current default is a random (multiple of 16) value between 3072 and
37           4096. The minimum allowed is 2192.
38
39       --curve curve
40           The --curve option specifies the named curve used in the ECDSA key;
41           the current default is secp256r1. See ipsec_ecdsasigkey(8) for the
42           available curve names.
43
44       --keytype rsa|ecdsa
45           The --keytype option specifies the type of key, which can either be
46           rsa (RSA) or ecdsa (ECDSA); if omitted the current default is rsa.
47
48       --seeddev device
49           The --seeddev is used to specify the random device (default
50           /dev/random used to seed the crypto library RNG.
51

FILES

53       /dev/random, /dev/urandom
54

SEE ALSO

56       ipsec_rsasigkey(8), ipsec_showhostkey(8), ipsec.secrets(5)
57

HISTORY

59       Originally written for the Linux FreeS/WAN project
60       <https://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters
61

BUGS

63       As with rsasigkey, the run time is difficult to predict, since
64       depletion of the system's randomness pool can cause arbitrarily long
65       waits for random bits for seeding the NSS library, and the prime-number
66       searches can also take unpredictable (and potentially large) amounts of
67       CPU time. See ipsec_rsasigkey(8) .
68

AUTHOR

70       Paul Wouters
71           placeholder to suppress warning
72
73
74
75libreswan                         09/05/2023               IPSEC_NEWHOSTKEY(8)
Impressum