bin/pkcs11/pkcs11-keygen.8

	pkcs11-keygen.8 revision 5347c0fcb04eaea19d9f39795646239f487c6207
 Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")

 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
 file, You can obtain one at http://mozilla.org/MPL/2.0/.

 t
 Title: pkcs11-keygen
 Author:
 Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 Date: 2014-01-15
 Manual: BIND9
 Source: ISC
 Language: English

 "PKCS11-KEYGEN" "8" "2014-01-15" "ISC" "BIND9"
 -----------------------------------------------------------------
 * Define some portability stuff
 -----------------------------------------------------------------
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 http://bugs.debian.org/507673
 http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 -----------------------------------------------------------------
 * set default formatting
 -----------------------------------------------------------------
 disable hyphenation
 disable justification (adjust text to left margin only)
 -----------------------------------------------------------------
 * MAIN CONTENT STARTS HERE *
 -----------------------------------------------------------------
 "NAME"
pkcs11-keygen - generate keys on a PKCS#11 device
 "SYNOPSIS"
 \w'pkcs11-keygen 'u
pkcs11-keygen {-a algorithm} [-b keysize] [-e] [-i id] [-m module] [-P] [-p PIN] [-q] [-S] [-s slot] {label}
 "DESCRIPTION"

pkcs11-keygen
causes a PKCS#11 device to generate a new key pair with the given
label
(which must be unique) and with
keysize
bits of prime.
 "ARGUMENTS"

-a algorithm

Specify the key algorithm class: Supported classes are RSA, DSA, DH, and ECC. In addition to these strings, the
algorithm
can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps to ECC. The default class is "RSA".


-b keysize

Create the key pair with
keysize
bits of prime. For ECC keys, the only valid values are 256 and 384, and the default is 256.


-e

For RSA keys only, use a large exponent.


-i id

Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number.


-m module

Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.


-P

Set the new private key to be non-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non-extractable.


-p PIN

Specify the PIN for the device. If no PIN is provided on the command line,
pkcs11-keygen
will prompt for it.


-q

Quiet mode: suppress unnecessary output.


-S

For Diffie-Hellman (DH) keys only, use a special prime of 768, 1024 or 1536 bit size and base (aka generator) 2. If not specified, bit size will default to 1024.


-s slot

Open the session with the given PKCS#11 slot. The default is slot 0.

 "SEE ALSO"

pkcs11-destroy(8),
pkcs11-list(8),
pkcs11-tokens(8),
dnssec-keyfromlabel(8)
 "AUTHOR"

Internet Systems Consortium, Inc.
 "COPYRIGHT"

Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")