.\" Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
.\" 
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" 
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\"     Title: pkcs11\-keygen
.\"    Author: 
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\"      Date: Feb 30, 2012
.\"    Manual: BIND9
.\"    Source: BIND9
.\"
.TH "PKCS11\-KEYGEN" "8" "Feb 30, 2012" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
pkcs11\-keygen \- generate keys on a PKCS#11 device
.SH "SYNOPSIS"
.HP 14
\fBpkcs11\-keygen\fR {\-a\ \fIalgorithm\fR} [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-e\fR] [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-P\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR] [\fB\-q\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {label}
.SH "DESCRIPTION"
.PP
\fBpkcs11\-keygen\fR
causes a PKCS#11 device to generate a new key pair with the given
\fBlabel\fR
(which must be unique) and with
\fBkeysize\fR
bits of prime.
.SH "ARGUMENTS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify the key algorithm class. Supported classes are RSA, DSA, DH, and ECC. In addition to these strings, the
\fBalgorithm\fR
can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps to ECC. The default class is "RSA".
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Create the key pair with
\fBkeysize\fR
bits of prime. For ECC keys, the only valid values are 256 and 384, and the default is 256.
.RE
.PP
\-e
.RS 4
For RSA keys only, use a large exponent.
.RE
.PP
\-i \fIid\fR
.RS 4
Create key objects with id. The id is either an unsigned short (2\-byte) or an unsigned long (4\-byte) number.
.RE
.PP
\-m \fImodule\fR
.RS 4
Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
.RE
.PP
\-P
.RS 4
Set the new private key to be non\-sensitive and extractable. This allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non\-extractable.
.RE
.PP
\-p \fIPIN\fR
.RS 4
Specify the PIN for the device. If no PIN is provided on the command line,
\fBpkcs11\-keygen\fR
will prompt for it.
.RE
.PP
\-q
.RS 4
Quiet mode: suppress unnecessary output.
.RE
.PP
\-S
.RS 4
For Diffie\-Hellman (DH) keys only, use a special prime of 768, 1024 or 1536 bit size and base (aka generator) 2. If not specified, bit size will default to 1024.
.RE
.PP
\-s \fIslot\fR
.RS 4
Open the session with the given PKCS#11 slot. The default is slot 0.
.RE
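.PP
The argument constraints above can be checked before a key is generated. The following pre-flight check is an added example, not part of BIND or of the original page; the function names are hypothetical, and refusing -P (extractable key) and -p (a PIN in argv can be visible to other local users in the process list) is an assumed site policy. The algorithm allow-list contains only the names this page gives.

```shell
#!/bin/sh
# Added example: pre-flight policy check for a pkcs11-keygen command line.
# Class and size rules follow the man page; refusing -P and -p is an assumed
# site policy. keygen_policy_check and deny are hypothetical helper names.
deny() { echo "reject: $*" >&2; return 1; }

keygen_policy_check() {
    alg=RSA bits="" large_exp=0 special=0 module="" OPTIND=1  # RSA is the documented default
    while getopts "a:b:ei:m:Pp:qSs:" opt; do
        case "$opt" in
            a) alg=$OPTARG ;;
            b) bits=$OPTARG ;;
            e) large_exp=1 ;;
            m) module=$OPTARG ;;
            S) special=1 ;;
            P) deny "-P makes the private key non-sensitive and extractable"; return 1 ;;
            p) deny "PIN on the command line; omit -p so the tool prompts"; return 1 ;;
            i|q|s) ;;                       # no policy attached to these options
            *) return 1 ;;                  # option not in the SYNOPSIS
        esac
    done
    shift $((OPTIND - 1))
    [ $# -eq 1 ] || { deny "exactly one label is required"; return 1; }
    case "$alg" in                          # only names the man page lists
        RSA|NSEC3RSASHA1)    class=RSA ;;
        ECC|ECDSAP256SHA256) class=ECC ;;
        DSA|DH)              class=$alg ;;
        *) deny "algorithm '$alg' is not on the allow-list"; return 1 ;;
    esac
    if [ "$class" = ECC ]; then
        case "${bits:-256}" in 256|384) ;; *) deny "ECC keysize must be 256 or 384"; return 1 ;; esac
    fi
    if [ "$large_exp" -eq 1 ] && [ "$class" != RSA ]; then
        deny "-e applies to RSA keys only"; return 1
    fi
    if [ "$special" -eq 1 ]; then
        [ "$class" = DH ] || { deny "-S applies to DH keys only"; return 1; }
        case "${bits:-1024}" in 768|1024|1536) ;; *) deny "-S prime must be 768, 1024 or 1536 bits"; return 1 ;; esac
    fi
    case "$module" in
        ""|/*) ;;
        *) deny "-m must be the full path to the provider library"; return 1 ;;
    esac
    return 0
}
# Usage in a wrapper script: keygen_policy_check "$@" && exec pkcs11-keygen "$@"
```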
.SH "SEE ALSO"
.PP
\fBpkcs11\-rsagen\fR(3),
\fBpkcs11\-dsagen\fR(3),
\fBpkcs11\-list\fR(3),
\fBpkcs11\-destroy\fR(3),
\fBdnssec\-keyfromlabel\fR(3)
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC")
.br