pkcs11-keygen.docbook revision ba751492fcc4f161a18b983d4f018a1a52938cb9
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
5fa46bc91672ef5737aee6f99763161511566c24Tinderbox User "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews [<!ENTITY mdash "—">]>
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington - Permission to use, copy, modify, and/or distribute this software for any
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington - purpose with or without fee is hereby granted, provided that the above
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - copyright notice and this permission notice appear in all copies.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington - PERFORMANCE OF THIS SOFTWARE.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<!-- $Id$ -->
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <refentryinfo>
f4b4e7c16211137332e50bcad3fef0d15639a4f1Brian Wellington </refentryinfo>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <refentrytitle><application>pkcs11-keygen</application></refentrytitle>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <refname><application>pkcs11-keygen</application></refname>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <refpurpose>generate keys on a PKCS#11 device</refpurpose>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington </refnamediv>
77ac297199fc44809d9628558223627c10ae3f31Brian Wellington <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <refsynopsisdiv>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <cmdsynopsis>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <arg><option>-i <replaceable class="parameter">id</replaceable></option></arg>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
75e1e12f48012505699f504cfa364260cb2bc1afBrian Wellington <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
77ac297199fc44809d9628558223627c10ae3f31Brian Wellington <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
77ac297199fc44809d9628558223627c10ae3f31Brian Wellington </cmdsynopsis>
77ac297199fc44809d9628558223627c10ae3f31Brian Wellington </refsynopsisdiv>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <command>pkcs11-keygen</command> causes a PKCS#11 device to generate
77ac297199fc44809d9628558223627c10ae3f31Brian Wellington a new key pair with the given <option>label</option> (which must be
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington unique) and with <option>keysize</option> bits of prime.
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <variablelist>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <varlistentry>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <term>-a <replaceable class="parameter">algorithm</replaceable></term>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington Specify the key algorithm class: Supported classes are RSA,
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington DSA, DH, and ECC. In addition to these strings, the
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <option>algorithm</option> can be specified as a DNSSEC
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington signing algorithm that will be used with this key; for
229ce407c359b0b641759ba1fc4a5fa2054a44daBrian Wellington example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington to ECC. The default class is "RSA".
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington </varlistentry>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <varlistentry>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <term>-b <replaceable class="parameter">keysize</replaceable></term>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington Create the key pair with <option>keysize</option> bits of
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington prime. For ECC keys, the only valid values are 256 and 384,
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington and the default is 256.
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington </varlistentry>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <varlistentry>
92ef1a9b9dbd48ecb507b42ac62c15afefdaf838David Lawrence For RSA keys only, use a large exponent.
571688b02f955f6304649866e768b1f81739cbedBrian Wellington </varlistentry>
571688b02f955f6304649866e768b1f81739cbedBrian Wellington <varlistentry>
571688b02f955f6304649866e768b1f81739cbedBrian Wellington <term>-i <replaceable class="parameter">id</replaceable></term>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington Create key objects with the given id. The id is either
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington a 2-byte unsigned short or a 4-byte unsigned long number.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein </varlistentry>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <varlistentry>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <term>-m <replaceable class="parameter">module</replaceable></term>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington Specify the PKCS#11 provider module. This must be the full
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington path to a shared library object implementing the PKCS#11 API
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington for the device.
557bcc2092642b2d4668c9b08872c9f2bb88bddbMark Andrews </varlistentry>
23f64ea0dcd7f5b7094ae6ade2a002fb7dde1466Brian Wellington <varlistentry>
e2fd12f3a020ca8c5de168a44fb72e339cdaa3e9Brian Wellington Set the new private key to be non-sensitive and extractable.
23f64ea0dcd7f5b7094ae6ade2a002fb7dde1466Brian Wellington This allows the private key data to be read from the PKCS#11
23f64ea0dcd7f5b7094ae6ade2a002fb7dde1466Brian Wellington device. The default is for private keys to be sensitive and
23f64ea0dcd7f5b7094ae6ade2a002fb7dde1466Brian Wellington non-extractable. A key created as non-sensitive and extractable can be copied off the device, so it no longer has the protection of being held only in hardware.
23f64ea0dcd7f5b7094ae6ade2a002fb7dde1466Brian Wellington </varlistentry>
23f64ea0dcd7f5b7094ae6ade2a002fb7dde1466Brian Wellington <varlistentry>
557bcc2092642b2d4668c9b08872c9f2bb88bddbMark Andrews <term>-p <replaceable class="parameter">PIN</replaceable></term>
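033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington Specify the PIN for the device. If no PIN is provided on
77ac297199fc44809d9628558223627c10ae3f31Brian Wellington the command line, <command>pkcs11-keygen</command> will
77ac297199fc44809d9628558223627c10ae3f31Brian Wellington prompt for it. A PIN given on the command line may be visible to other local users in the process list and may be saved in shell history, so letting the command prompt for it is the safer choice.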
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington </varlistentry>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <varlistentry>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington Quiet mode: suppress unnecessary output.
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington </varlistentry>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <varlistentry>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington For Diffie-Hellman (DH) keys only, use a special prime of
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington 768, 1024 or 1536 bit size and base (aka generator) 2.
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington If not specified, bit size will default to 1024.
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington </varlistentry>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <varlistentry>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <term>-s <replaceable class="parameter">slot</replaceable></term>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington Open the session with the given PKCS#11 slot. The default is
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington </varlistentry>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington </variablelist>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <citerefentry>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <refentrytitle>pkcs11-rsagen</refentrytitle><manvolnum>3</manvolnum>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington </citerefentry>,
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <citerefentry>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <refentrytitle>pkcs11-dsagen</refentrytitle><manvolnum>3</manvolnum>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington </citerefentry>,
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <citerefentry>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <refentrytitle>pkcs11-list</refentrytitle><manvolnum>3</manvolnum>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington </citerefentry>,
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <citerefentry>
60b90a37f41ab7607762d0e9791e79bd19eae4f4Brian Wellington <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>3</manvolnum>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington </citerefentry>,
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <citerefentry>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>3</manvolnum>
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington </citerefentry>,
033ba09d6df0ac92a736a480b9c3b164b61dccb2Brian Wellington <para><corpauthor>Internet Systems Consortium</corpauthor>
77ac297199fc44809d9628558223627c10ae3f31Brian Wellington - Local variables: