bin/pkcs11/pkcs11-keygen.docbook

219N/A<!--
219N/A - Copyright (C) 2009, 2014-2017  Internet Systems Consortium, Inc. ("ISC")
219N/A -
219N/A - This Source Code Form is subject to the terms of the Mozilla Public
219N/A - License, v. 2.0. If a copy of the MPL was not distributed with this
219N/A - file, You can obtain one at http://mozilla.org/MPL/2.0/.
219N/A-->
219N/A
219N/A<!-- Converted by db4-upgrade version 1.0 -->
219N/A<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
219N/A  <info>
219N/A    <date>2014-01-15</date>
219N/A  </info>
219N/A  <refentryinfo>
219N/A    <corpname>ISC</corpname>
219N/A    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
219N/A  </refentryinfo>
219N/A
219N/A  <refmeta>
219N/A    <refentrytitle><application>pkcs11-keygen</application></refentrytitle>
219N/A    <manvolnum>8</manvolnum>
219N/A    <refmiscinfo>BIND9</refmiscinfo>
219N/A  </refmeta>
219N/A
219N/A  <refnamediv>
219N/A    <refname><application>pkcs11-keygen</application></refname>
219N/A    <refpurpose>generate keys on a PKCS#11 device</refpurpose>
219N/A  </refnamediv>
219N/A
219N/A  <docinfo>
618N/A    <copyright>
219N/A      <year>2009</year>
219N/A      <year>2014</year>
219N/A      <year>2015</year>
219N/A      <year>2016</year>
219N/A      <year>2017</year>
219N/A      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
219N/A    </copyright>
219N/A  </docinfo>
219N/A
219N/A  <refsynopsisdiv>
219N/A    <cmdsynopsis sepchar=" ">
219N/A      <command>pkcs11-keygen</command>
219N/A      <arg choice="req" rep="norepeat">-a <replaceable class="parameter">algorithm</replaceable></arg>
219N/A      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
219N/A      <arg choice="opt" rep="norepeat"><option>-e</option></arg>
219N/A      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">id</replaceable></option></arg>
219N/A      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
219N/A      <arg choice="opt" rep="norepeat"><option>-P</option></arg>
219N/A      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
219N/A      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
219N/A      <arg choice="opt" rep="norepeat"><option>-S</option></arg>
219N/A      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
219N/A      <arg choice="req" rep="norepeat">label</arg>
219N/A    </cmdsynopsis>
219N/A  </refsynopsisdiv>
219N/A
219N/A  <refsection><info><title>DESCRIPTION</title></info>
219N/A
219N/A    <para>
219N/A      <command>pkcs11-keygen</command> causes a PKCS#11 device to generate
219N/A      a new key pair with the given <option>label</option> (which must be
219N/A      unique) and with <option>keysize</option> bits of prime.
219N/A    </para>
219N/A  </refsection>
219N/A
219N/A  <refsection><info><title>ARGUMENTS</title></info>
219N/A
219N/A    <variablelist>
219N/A      <varlistentry>
219N/A        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
219N/A        <listitem>
219N/A          <para>
219N/A            Specify the key algorithm class: Supported classes are RSA,
219N/A            DSA, DH, ECC and ECX. In addition to these strings, the
219N/A            <option>algorithm</option> can be specified as a DNSSEC
219N/A            signing algorithm that will be used with this key; for
219N/A            example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
219N/A            to ECC, and ED25519 to ECX.  The default class is "RSA".
219N/A          </para>
219N/A        </listitem>
219N/A      </varlistentry>
219N/A
219N/A      <varlistentry>
219N/A        <term>-b <replaceable class="parameter">keysize</replaceable></term>
219N/A        <listitem>
219N/A          <para>
219N/A            Create the key pair with <option>keysize</option> bits of
219N/A            prime. For ECC keys, the only valid values are 256 and 384,
219N/A            and the default is 256. For ECX kyes, the only valid values
219N/A            are 256 and 456, and the default is 256.
219N/A          </para>
219N/A        </listitem>
219N/A      </varlistentry>
219N/A
219N/A      <varlistentry>
219N/A        <term>-e</term>
219N/A        <listitem>
219N/A          <para>
219N/A            For RSA keys only, use a large exponent.
219N/A          </para>
219N/A        </listitem>
219N/A      </varlistentry>
219N/A
219N/A      <varlistentry>
219N/A        <term>-i <replaceable class="parameter">id</replaceable></term>
219N/A        <listitem>
219N/A          <para>
219N/A            Create key objects with id. The id is either
219N/A            an unsigned short 2 byte or an unsigned long 4 byte number.
219N/A          </para>
219N/A        </listitem>
219N/A      </varlistentry>
219N/A
219N/A      <varlistentry>
219N/A        <term>-m <replaceable class="parameter">module</replaceable></term>
219N/A        <listitem>
219N/A          <para>
219N/A            Specify the PKCS#11 provider module.  This must be the full
219N/A            path to a shared library object implementing the PKCS#11 API
219N/A            for the device.
219N/A          </para>
219N/A        </listitem>
219N/A      </varlistentry>
219N/A
219N/A      <varlistentry>
219N/A        <term>-P</term>
219N/A        <listitem>
219N/A          <para>
219N/A            Set the new private key to be non-sensitive and extractable.
219N/A            The allows the private key data to be read from the PKCS#11
219N/A            device.  The default is for private keys to be sensitive and
219N/A            non-extractable.
219N/A          </para>
219N/A        </listitem>
219N/A      </varlistentry>
219N/A
219N/A      <varlistentry>
219N/A        <term>-p <replaceable class="parameter">PIN</replaceable></term>
219N/A        <listitem>
219N/A          <para>
219N/A            Specify the PIN for the device.  If no PIN is provided on
219N/A            the command line, <command>pkcs11-keygen</command> will
219N/A            prompt for it.
219N/A          </para>
219N/A        </listitem>
219N/A      </varlistentry>
219N/A
219N/A      <varlistentry>
219N/A        <term>-q</term>
219N/A        <listitem>
219N/A          <para>
219N/A            Quiet mode: suppress unnecessary output.
219N/A          </para>
219N/A        </listitem>
219N/A      </varlistentry>

      <varlistentry>
        <term>-S</term>
        <listitem>
          <para>
            For Diffie-Hellman (DH) keys only, use a special prime of
            768, 1024 or 1536 bit size and base (aka generator) 2.
        If not specified, bit size will default to 1024.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-s <replaceable class="parameter">slot</replaceable></term>
        <listitem>
          <para>
            Open the session with the given PKCS#11 slot.  The default is
            slot 0.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsection>

  <refsection><info><title>SEE ALSO</title></info>

    <para>
      <citerefentry>
        <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsection>

</refentry>