bin/pkcs11/pkcs11-keygen.docbook

a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont<!--
bc6f4c1c4c1b739fd06d2de05b77b9d08c4d8a5aTinderbox User - Copyright (C) 2009, 2014-2017  Internet Systems Consortium, Inc. ("ISC")
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont -
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - file, You can obtain one at http://mozilla.org/MPL/2.0/.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont-->
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<!-- Converted by db4-upgrade version 1.0 -->
83a28ca274521e15086fc39febde507bcc4e145eMark Andrews<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <date>2014-01-15</date>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </info>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <refentryinfo>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <corpname>ISC</corpname>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </refentryinfo>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <refmeta>
474faea7dd5ebbf64e0a34d70f4deb2e3f413de6Jeremy C. Reed    <refentrytitle><application>pkcs11-keygen</application></refentrytitle>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <manvolnum>8</manvolnum>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <refmiscinfo>BIND9</refmiscinfo>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </refmeta>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <refnamediv>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <refname><application>pkcs11-keygen</application></refname>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt    <refpurpose>generate keys on a PKCS#11 device</refpurpose>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </refnamediv>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <docinfo>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <copyright>
bf0266f286c9350f6579d03cc74429433d8e6381Tinderbox User      <year>2009</year>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User      <year>2014</year>
19c7b1a0293498a3e36692c59646ed6e15ffc8d0Tinderbox User      <year>2015</year>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews      <year>2016</year>
bc6f4c1c4c1b739fd06d2de05b77b9d08c4d8a5aTinderbox User      <year>2017</year>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </copyright>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </docinfo>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <cmdsynopsis sepchar=" ">
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <command>pkcs11-keygen</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="req" rep="norepeat">-a <replaceable class="parameter">algorithm</replaceable></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-e</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">id</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-P</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-S</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="req" rep="norepeat">label</arg>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </cmdsynopsis>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </refsynopsisdiv>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>DESCRIPTION</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <command>pkcs11-keygen</command> causes a PKCS#11 device to generate
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      a new key pair with the given <option>label</option> (which must be
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      unique) and with <option>keysize</option> bits of prime.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>ARGUMENTS</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <variablelist>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Specify the key algorithm class: Supported classes are RSA,
78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont            DSA, DH, ECC and ECX. In addition to these strings, the
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            <option>algorithm</option> can be specified as a DNSSEC
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            signing algorithm that will be used with this key; for
78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont            example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont            to ECC, and ED25519 to ECX.  The default class is "RSA".
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-b <replaceable class="parameter">keysize</replaceable></term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Create the key pair with <option>keysize</option> bits of
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            prime. For ECC keys, the only valid values are 256 and 384,
78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont            and the default is 256. For ECX kyes, the only valid values
78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont            are 256 and 456, and the default is 256.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-e</term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            For RSA keys only, use a large exponent.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-i <replaceable class="parameter">id</replaceable></term>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont        <listitem>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Create key objects with id. The id is either
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            an unsigned short 2 byte or an unsigned long 4 byte number.
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont          </para>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont        </listitem>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont      </varlistentry>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-m <replaceable class="parameter">module</replaceable></term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Specify the PKCS#11 provider module.  This must be the full
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            path to a shared library object implementing the PKCS#11 API
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            for the device.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-P</term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Set the new private key to be non-sensitive and extractable.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            The allows the private key data to be read from the PKCS#11
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            device.  The default is for private keys to be sensitive and
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            non-extractable.
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont          </para>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont        </listitem>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont      </varlistentry>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-p <replaceable class="parameter">PIN</replaceable></term>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont        <listitem>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Specify the PIN for the device.  If no PIN is provided on
474faea7dd5ebbf64e0a34d70f4deb2e3f413de6Jeremy C. Reed            the command line, <command>pkcs11-keygen</command> will
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            prompt for it.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
a7d4d528749aa403397b3e2260abf2046a0cfa7bMark Andrews        <term>-q</term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Quiet mode: suppress unnecessary output.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-S</term>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            For Diffie-Hellman (DH) keys only, use a special prime of
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            768, 1024 or 1536 bit size and base (aka generator) 2.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        If not specified, bit size will default to 1024.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt          </para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        </listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-s <replaceable class="parameter">slot</replaceable></term>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Open the session with the given PKCS#11 slot.  The default is
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            slot 0.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt          </para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        </listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>SEE ALSO</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      <citerefentry>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed        <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      </citerefentry>,
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      <citerefentry>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed        <refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      </citerefentry>,
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <citerefentry>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed        <refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </citerefentry>,
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <citerefentry>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed        <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>8</manvolnum>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed      </citerefentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</refentry>