bin/pkcs11/pkcs11-keygen.docbook

	pkcs11-keygen.docbook revision 2eeb74d1cf5355dd98f6d507a10086e16bb08c4b
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont<!--
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User - Copyright (C) 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont -
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - Permission to use, copy, modify, and/or distribute this software for any
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - purpose with or without fee is hereby granted, provided that the above
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - copyright notice and this permission notice appear in all copies.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont -
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont-->
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<!-- Converted by db4-upgrade version 1.0 -->
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <date>2014-01-15</date>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </info>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <refentryinfo>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <corpname>ISC</corpname>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </refentryinfo>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <refmeta>
474faea7dd5ebbf64e0a34d70f4deb2e3f413de6Jeremy C. Reed    <refentrytitle><application>pkcs11-keygen</application></refentrytitle>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <manvolnum>8</manvolnum>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <refmiscinfo>BIND9</refmiscinfo>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </refmeta>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <refnamediv>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <refname><application>pkcs11-keygen</application></refname>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt    <refpurpose>generate keys on a PKCS#11 device</refpurpose>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </refnamediv>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <docinfo>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <copyright>
bf0266f286c9350f6579d03cc74429433d8e6381Tinderbox User      <year>2009</year>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User      <year>2014</year>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </copyright>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </docinfo>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  <refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <cmdsynopsis sepchar=" ">
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <command>pkcs11-keygen</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="req" rep="norepeat">-a <replaceable class="parameter">algorithm</replaceable></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-e</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">id</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-P</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-S</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="req" rep="norepeat">label</arg>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </cmdsynopsis>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont  </refsynopsisdiv>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>DESCRIPTION</title></info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <command>pkcs11-keygen</command> causes a PKCS#11 device to generate
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      a new key pair with the given <option>label</option> (which must be
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      unique) and with <option>keysize</option> bits of prime.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>ARGUMENTS</title></info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <variablelist>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Specify the key algorithm class: Supported classes are RSA,
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            DSA, DH, and ECC. In addition to these strings, the
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            <option>algorithm</option> can be specified as a DNSSEC
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            signing algorithm that will be used with this key; for
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            to ECC.  The default class is "RSA".
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-b <replaceable class="parameter">keysize</replaceable></term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Create the key pair with <option>keysize</option> bits of
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            prime. For ECC keys, the only valid values are 256 and 384,
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            and the default is 256.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-e</term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            For RSA keys only, use a large exponent.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-i <replaceable class="parameter">id</replaceable></term>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont        <listitem>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Create key objects with id. The id is either
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            an unsigned short 2 byte or an unsigned long 4 byte number.
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont          </para>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont        </listitem>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont      </varlistentry>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-m <replaceable class="parameter">module</replaceable></term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Specify the PKCS#11 provider module.  This must be the full
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            path to a shared library object implementing the PKCS#11 API
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            for the device.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-P</term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Set the new private key to be non-sensitive and extractable.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            The allows the private key data to be read from the PKCS#11
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            device.  The default is for private keys to be sensitive and
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            non-extractable.
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont          </para>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont        </listitem>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont      </varlistentry>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-p <replaceable class="parameter">PIN</replaceable></term>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont        <listitem>
f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2aFrancis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Specify the PIN for the device.  If no PIN is provided on
474faea7dd5ebbf64e0a34d70f4deb2e3f413de6Jeremy C. Reed            the command line, <command>pkcs11-keygen</command> will
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            prompt for it.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <varlistentry>
a7d4d528749aa403397b3e2260abf2046a0cfa7bMark Andrews        <term>-q</term>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        <listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Quiet mode: suppress unnecessary output.
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont          </para>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont        </listitem>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-S</term>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            For Diffie-Hellman (DH) keys only, use a special prime of
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            768, 1024 or 1536 bit size and base (aka generator) 2.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        If not specified, bit size will default to 1024.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt          </para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        </listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <term>-s <replaceable class="parameter">slot</replaceable></term>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        <listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt          <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            Open the session with the given PKCS#11 slot.  The default is
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt            slot 0.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt          </para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt        </listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>SEE ALSO</title></info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      <citerefentry>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed        <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      </citerefentry>,
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      <citerefentry>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed        <refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt      </citerefentry>,
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <citerefentry>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed        <refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      </citerefentry>,
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont      <citerefentry>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed        <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>8</manvolnum>
b0af7cbe9220775e23127f2f38750e4a281ee871Jeremy C. Reed      </citerefentry>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</refentry>