pkcs11-keygen.docbook revision 78608b0a454246d0e1e0169f1d671b8427e48199
1633838b8255282d10af15c5c84cee5a51466712Bob Halley<!--
5fa46bc91672ef5737aee6f99763161511566c24Tinderbox User - Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews -
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence - This Source Code Form is subject to the terms of the Mozilla Public
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - License, v. 2.0. If a copy of the MPL was not distributed with this
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - file, You can obtain one at http://mozilla.org/MPL/2.0/.
1633838b8255282d10af15c5c84cee5a51466712Bob Halley-->
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<!-- Converted by db4-upgrade version 1.0 -->
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews <info>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews <date>2014-01-15</date>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews </info>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews <refentryinfo>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews <corpname>ISC</corpname>
1633838b8255282d10af15c5c84cee5a51466712Bob Halley <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
d25afd60ee2286cb171c4960a790f3d7041b6f85Bob Halley </refentryinfo>
28a8f5b0de57d269cf2845c69cb6abe18cbd3b3aMark Andrews
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <refmeta>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <refentrytitle><application>pkcs11-keygen</application></refentrytitle>
9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence <manvolnum>8</manvolnum>
d25afd60ee2286cb171c4960a790f3d7041b6f85Bob Halley <refmiscinfo>BIND9</refmiscinfo>
d25afd60ee2286cb171c4960a790f3d7041b6f85Bob Halley </refmeta>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
72bdbe3c70f415a717f59f72d04590d70acb380eMark Andrews <refnamediv>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refname><application>pkcs11-keygen</application></refname>
ddfe394c061049bbd71125ad41c3dd3092b2bbfdAndreas Gustafsson <refpurpose>generate keys on a PKCS#11 device</refpurpose>
1e107b3d7b54de5022c3328423164e533afcc15eMark Andrews </refnamediv>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence
6cf369f528c4acd8182eada41ad83b8d97623db8Mark Andrews <docinfo>
fca5f81ad69098ea8abba130c7f841c951ef91c2Bob Halley <copyright>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence <year>2009</year>
6cf369f528c4acd8182eada41ad83b8d97623db8Mark Andrews <year>2014</year>
364a82f7c25b62967678027043425201a5e5171aBob Halley <year>2015</year>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <year>2016</year>
9192e92f7d0f4e78385a1d5f9b6607cc5bf0e42aBob Halley <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
3f8be559f0871022c78a229bad0eb09560b90909Evan Hunt </copyright>
6d5032f9a23fe1197610114983c9938ac419b20cBrian Wellington </docinfo>
6d5032f9a23fe1197610114983c9938ac419b20cBrian Wellington
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refsynopsisdiv>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence <cmdsynopsis sepchar=" ">
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <command>pkcs11-keygen</command>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg choice="req" rep="norepeat">-a <replaceable class="parameter">algorithm</replaceable></arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley <arg choice="opt" rep="norepeat"><option>-e</option></arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">id</replaceable></option></arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley <arg choice="opt" rep="norepeat"><option>-P</option></arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
cee7525336d4710a64368875d92eb439d4d3efb1Mark Andrews <arg choice="opt" rep="norepeat"><option>-q</option></arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley <arg choice="opt" rep="norepeat"><option>-S</option></arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley <arg choice="req" rep="norepeat">label</arg>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley </cmdsynopsis>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley </refsynopsisdiv>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley
ecb6c5782ea248307e86c4bceac6c371d27576a6David Lawrence <refsection><info><title>DESCRIPTION</title></info>
95c86af1e92dae4ff837a39e7e2dcb7308dd9cceBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <command>pkcs11-keygen</command> causes a PKCS#11 device to generate
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley a new key pair with the given <option>label</option> (which must be
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley unique) and with <option>keysize</option> bits of prime.
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </refsection>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refsection><info><title>ARGUMENTS</title></info>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <variablelist>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-a <replaceable class="parameter">algorithm</replaceable></term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley Specify the key algorithm class. Supported classes are RSA,
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley DSA, DH, ECC and ECX. In addition to these strings, the
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <option>algorithm</option> can be specified as a DNSSEC
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley signing algorithm that will be used with this key; for
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley to ECC, and ED25519 to ECX. The default class is "RSA".
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-b <replaceable class="parameter">keysize</replaceable></term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley Create the key pair with <option>keysize</option> bits of
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley prime. For ECC keys, the only valid values are 256 and 384,
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley and the default is 256. For ECX keys, the only valid values
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley are 256 and 456, and the default is 256.
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-e</term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley For RSA keys only, use a large exponent.
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-i <replaceable class="parameter">id</replaceable></term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley Create key objects with the given id. The id is either
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley a 2-byte unsigned short or a 4-byte unsigned long number.
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
577179503f2eb7695ec668d8eeb41889a150e28fBob Halley <varlistentry>
577179503f2eb7695ec668d8eeb41889a150e28fBob Halley <term>-m <replaceable class="parameter">module</replaceable></term>
577179503f2eb7695ec668d8eeb41889a150e28fBob Halley <listitem>
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley <para>
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley Specify the PKCS#11 provider module. This must be the full
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley path to a shared library object implementing the PKCS#11 API
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley for the device.
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley </para>
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley </listitem>
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley </varlistentry>
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley <varlistentry>
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley <term>-P</term>
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley <listitem>
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence <para>
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley Set the new private key to be non-sensitive and extractable.
86131d8d7aaf1bb8b8bfc7819985d05ea369b708Bob Halley This allows the private key data to be read from the PKCS#11
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein device. The default is for private keys to be sensitive and
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley non-extractable, so that the key material cannot be read out of the device.
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley </para>
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley </listitem>
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley </varlistentry>
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley <varlistentry>
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley <term>-p <replaceable class="parameter">PIN</replaceable></term>
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley <listitem>
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley <para>
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley Specify the PIN for the device. If no PIN is provided on
70fdfcd1fa7ebd059deffa9a2cecc29df96dfe52Bob Halley the command line, <command>pkcs11-keygen</command> will
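ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein prompt for it. A PIN given on the command line can be exposed through the process list and shell history, so the prompt is preferable on shared hosts.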
08c8a934ceb2dfc6a5ebfd3be4ba5a1b3243bc73Bob Halley </para>
08c8a934ceb2dfc6a5ebfd3be4ba5a1b3243bc73Bob Halley </listitem>
08c8a934ceb2dfc6a5ebfd3be4ba5a1b3243bc73Bob Halley </varlistentry>
08c8a934ceb2dfc6a5ebfd3be4ba5a1b3243bc73Bob Halley
08c8a934ceb2dfc6a5ebfd3be4ba5a1b3243bc73Bob Halley <varlistentry>
08c8a934ceb2dfc6a5ebfd3be4ba5a1b3243bc73Bob Halley <term>-q</term>
08c8a934ceb2dfc6a5ebfd3be4ba5a1b3243bc73Bob Halley <listitem>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <para>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson Quiet mode: suppress unnecessary output.
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </para>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </listitem>
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence </varlistentry>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson <varlistentry>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson <term>-S</term>
e672951ed28b2e9cc7a19c3d7fa4a258382f981cAutomatic Updater <listitem>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson <para>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson For Diffie-Hellman (DH) keys only, use a special prime of
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson 768, 1024 or 1536 bit size and base (aka generator) 2.
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson If not specified, bit size will default to 1024.
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </para>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </listitem>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </varlistentry>
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence <term>-s <replaceable class="parameter">slot</replaceable></term>
e61793f0865117ad87a19d6e245bea8f3b712d1bDanny Mayer <listitem>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson <para>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson Open the session with the given PKCS#11 slot. The default is
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson slot 0.
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </para>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </listitem>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </varlistentry>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </variablelist>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson </refsection>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson <refsection><info><title>SEE ALSO</title></info>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson
5f120ce962b03e4dcf6f1974b9b896f0fa7cacb0Bob Halley <para>
5f120ce962b03e4dcf6f1974b9b896f0fa7cacb0Bob Halley <citerefentry>
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
e61793f0865117ad87a19d6e245bea8f3b712d1bDanny Mayer </citerefentry>,
5f120ce962b03e4dcf6f1974b9b896f0fa7cacb0Bob Halley <citerefentry>
d6fe7ba94969ee51a3f4298a735fbc6e11691ad8Mark Andrews <refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
d6fe7ba94969ee51a3f4298a735fbc6e11691ad8Mark Andrews </citerefentry>,
d6fe7ba94969ee51a3f4298a735fbc6e11691ad8Mark Andrews <citerefentry>
6cf369f528c4acd8182eada41ad83b8d97623db8Mark Andrews <refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
6cf369f528c4acd8182eada41ad83b8d97623db8Mark Andrews </citerefentry>,
6cf369f528c4acd8182eada41ad83b8d97623db8Mark Andrews <citerefentry>
6cf369f528c4acd8182eada41ad83b8d97623db8Mark Andrews <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>8</manvolnum>
ed6ca94ad75353d5344e2a456e7a8beb480a351fMark Andrews </citerefentry>
ed6ca94ad75353d5344e2a456e7a8beb480a351fMark Andrews </para>
ed6ca94ad75353d5344e2a456e7a8beb480a351fMark Andrews </refsection>
6cf369f528c4acd8182eada41ad83b8d97623db8Mark Andrews
030aafe4114875ff659fcf83db6d05846470fb3eMark Andrews</refentry>
6cf369f528c4acd8182eada41ad83b8d97623db8Mark Andrews