<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>IPSEC-NEWHOSTKEY</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class='date'>6 Sep 2013</refmiscinfo>
<refmiscinfo class="source">Libreswan</refmiscinfo>
<refmiscinfo class="version">@@IPSECVERSION@@</refmiscinfo>
<refmiscinfo class="manual">Executable programs</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>ipsec-newhostkey</refname>
<refpurpose>generate a new raw RSA authentication key for a host</refpurpose>
</refnamediv>
<!-- body begins here -->
<refsynopsisdiv id='synopsis'>
<cmdsynopsis>
<command>ipsec</command>
<arg choice='plain'><replaceable>newhostkey</replaceable></arg>
<group choice='opt'>
<arg choice='opt'>--quiet </arg>
<arg choice='opt'>--verbose </arg>
</group>
<arg choice='opt'>--nssdir <replaceable>nssdir</replaceable></arg>
<arg choice='opt'>--password <replaceable>password</replaceable></arg>
<arg choice='opt'>--bits <replaceable>bits</replaceable></arg>
<arg choice='opt'>--curve <replaceable>curve</replaceable></arg>
<arg choice='opt'>--keytype <replaceable>rsa|ecdsa</replaceable></arg>
<arg choice='opt'>--seeddev <replaceable>device</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
<command>newhostkey</command> generates a public/private key pair
(RSA by default, or ECDSA when <option>--keytype ecdsa</option> is given)
suitable for authenticating this host, and stores it in the NSS database.
</para>
<para>
See <citerefentry><refentrytitle>ipsec-showhostkey</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for how to extract the public key from the NSS database.
</para>
<refsect2>
<title>Output Options</title>
<variablelist>
<varlistentry>
<term>
<option>--quiet</option>
</term>
<listitem>
<para>
The <option>--quiet</option> option suppresses both
the <command>rsasigkey</command> narrative and
the existing-file warning message.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--nssdir <replaceable>nssdir</replaceable></option>
</term>
<listitem>
<para>
The <option>--nssdir</option> option specifies the NSS DB
directory where the certificate, key, and modsec databases reside
(default <filename>@@IPSEC_NSSDIR@@</filename>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--password <replaceable>password</replaceable></option>
</term>
<listitem>
<para>
The <option>--password</option> option specifies a
module authentication <replaceable>password</replaceable>
that may be required if FIPS mode is enabled.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--bits <replaceable>bits</replaceable></option>
</term>
<listitem>
<para>
The <option>--bits</option> option specifies the
number of bits in the RSA key; the current default is a
random (multiple of 16) value between 3072 and 4096. The
minimum allowed is 2192.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--curve <replaceable>curve</replaceable></option>
</term>
<listitem>
<para>
The <option>--curve</option> option specifies the named curve
used in the ECDSA key; the current default is secp256r1.
See <citerefentry><refentrytitle>ipsec-ecdsasigkey</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for the available curve names.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--keytype <replaceable>rsa|ecdsa</replaceable></option>
</term>
<listitem>
<para>
The <option>--keytype</option> option specifies the type of key,
which can either be <emphasis>rsa</emphasis> (RSA)
or <emphasis>ecdsa</emphasis> (ECDSA);
if omitted the current default is <emphasis>rsa</emphasis>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--seeddev <replaceable>device</replaceable></option>
</term>
<listitem>
<para>
The <option>--seeddev</option> option specifies the random
device (default <filename>/dev/random</filename>) used to seed
the crypto library RNG.
</para>
</listitem>
</varlistentry>
</variablelist>
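<para>
The options above fix the argument rules a caller has to respect: an NSS directory, either <emphasis>rsa</emphasis> with a <option>--bits</option> value of at least 2192 or <emphasis>ecdsa</emphasis> with a <option>--curve</option>, and a seed device. The following POSIX sh wrapper is an added example, not part of Libreswan: it validates those rules and assembles the <command>ipsec newhostkey</command> command line without running it; the default-size generator reproduces the documented random multiple of 16 between 3072 and 4096, and the NSS directory in the usage call is a constructed placeholder.
</para>

```shell
#!/bin/sh
# Added example, not Libreswan code: validate ipsec newhostkey arguments
# against the rules in this man page and print the resulting command line.

# Documented default RSA size: a random multiple of 16 between 3072 and 4096.
# Uses od on /dev/urandom so it works in plain sh (no $RANDOM).
default_rsa_bits() {
    span=$(( (4096 - 3072) / 16 + 1 ))          # 65 candidate sizes
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( 3072 + (r % span) * 16 ))
}

# An explicit --bits value must be a whole number of at least 2192 (the
# documented minimum); anything else is rejected.
check_rsa_bits() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2192 ]
}

# build_newhostkey_cmd KEYTYPE SIZE NSSDIR [SEEDDEV]
#   KEYTYPE: rsa or ecdsa (rsa is the documented default)
#   SIZE:    --bits for rsa (empty = documented random default) or
#            --curve for ecdsa (empty = documented default secp256r1)
#   NSSDIR:  required; passed to --nssdir
#   SEEDDEV: random device for --seeddev (default /dev/random)
build_newhostkey_cmd() {
    keytype=${1:-rsa}; size=$2; nssdir=$3; seeddev=${4:-/dev/random}
    [ -n "$nssdir" ] || return 1
    case "$keytype" in
        rsa)
            size=${size:-$(default_rsa_bits)}
            check_rsa_bits "$size" || return 1
            echo "ipsec newhostkey --keytype rsa --bits $size --nssdir $nssdir --seeddev $seeddev" ;;
        ecdsa)
            size=${size:-secp256r1}
            echo "ipsec newhostkey --keytype ecdsa --curve $size --nssdir $nssdir --seeddev $seeddev" ;;
        *)
            return 1 ;;
    esac
}

# Usage: print the command for a 4096-bit RSA key (placeholder NSS directory).
build_newhostkey_cmd rsa 4096 /path/to/nssdir
```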
</refsect2>
</refsect1>
<refsect1 id='files'>
<title>FILES</title>
<para>/dev/random, /dev/urandom</para>
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry><refentrytitle>ipsec-rsasigkey</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>ipsec-showhostkey</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>ipsec.secrets</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>
<refsect1 id='history'>
<title>HISTORY</title>
<para>Originally written for the Linux FreeS/WAN project
&lt;<ulink url='https://www.freeswan.org'>https://www.freeswan.org</ulink>&gt;
by Henry Spencer. Updated by Paul Wouters.</para>
</refsect1>
<refsect1 id='bugs'>
<title>BUGS</title>
<para>
As with <command>rsasigkey</command>, the run time is
difficult to predict, since depletion of the system's randomness pool
can cause arbitrarily long waits for random bits for seeding the NSS
library, and the prime-number searches can also take unpredictable
(and potentially large) amounts of CPU time.
See <citerefentry><refentrytitle>ipsec-rsasigkey</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para>
</refsect1>
<refsect1 id='author'>
<title>AUTHOR</title>
<para>
<author><personname><firstname>Paul</firstname><surname>Wouters</surname></personname></author>
</para>
</refsect1>
</refentry>