pkcs11-keygen.html revision 46bb3884a0738664862e3a36b7848aa374aebd45
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>pkcs11-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">pkcs11-keygen</span>
&#8212; generate keys on a PKCS#11 device
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">pkcs11-keygen</code>
{-a <em class="replaceable"><code>algorithm</code></em>}
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-e</code>]
[<code class="option">-i <em class="replaceable"><code>id</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
[<code class="option">-P</code>]
[<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-S</code>]
[<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
{label}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
a new key pair with the given <code class="option">label</code> (which must be
unique) and with <code class="option">keysize</code> bits of prime.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify the key algorithm class. Supported classes are RSA,
DSA, DH, ECC and ECX. In addition to these strings, the
<code class="option">algorithm</code> can be specified as the DNSSEC
signing algorithm that will be used with this key; for
example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
to ECC, and ED25519 maps to ECX. The default class is "RSA".
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Create the key pair with <code class="option">keysize</code> bits of
prime. For ECC keys, the only valid values are 256 and 384,
and the default is 256. For ECX keys, the only valid values
are 256 and 456, and the default is 256.
</p>
</dd>
<dt><span class="term">-e</span></dt>
<dd>
<p>
For RSA keys only, use a large exponent.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
<dd>
<p>
Create key objects with id. The id is either
an unsigned short (2-byte) or an unsigned long (4-byte) number.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
<dd>
<p>
Specify the PKCS#11 provider module. This must be the full
path to a shared library object implementing the PKCS#11 API
for the device.
</p>
</dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
Set the new private key to be non-sensitive and extractable.
This allows the private key data to be read from the PKCS#11
device. The default is for private keys to be sensitive and
non-extractable.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
<dd>
<p>
Specify the PIN for the device. If no PIN is provided on
the command line, <span class="command"><strong>pkcs11-keygen</strong></span> will
prompt for it.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: suppress unnecessary output.
</p>
</dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
For Diffie-Hellman (DH) keys only, use a special prime of
768, 1024 or 1536 bit size and base (aka generator) 2.
If not specified, bit size will default to 1024.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
<dd>
<p>
Open the session with the given PKCS#11 slot. The default is
slot 0.
</p>
</dd>
</dl></div>
</div>
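<div class="refsection">
<p>
Added example, not part of the ISC manual page or the BIND sources: a pre-flight check for
scripted key generation that lints a planned <span class="command"><strong>pkcs11-keygen</strong></span>
argument list against the rules in ARGUMENTS without touching a token. Treating
<code class="option">-P</code> and <code class="option">-p</code> as findings is a policy assumption of
this example; <code>lint_keygen</code> and the finding names are hypothetical, and only the
algorithm names this page gives are mapped to a class.
</p>

```shell
#!/bin/sh
# Added example (not ISC code). lint_keygen and its finding names are hypothetical.
# It only inspects arguments; pkcs11-keygen itself is never run.
lint_keygen() {
    OPTIND=1
    alg=RSA bits="" findings="" special=no large=no
    # Option string taken from the Synopsis; the leading ":" silences getopts.
    while getopts ":a:b:ei:m:Pp:qSs:" opt; do
        case $opt in
            a) alg=$OPTARG ;;
            b) bits=$OPTARG ;;
            e) large=yes ;;
            S) special=yes ;;
            # Assumed policy: keep the default sensitive, non-extractable key.
            P) findings="$findings extractable-private-key" ;;
            # -p puts the PIN in argv (process listings, shell history);
            # omitting it makes pkcs11-keygen prompt instead.
            p) findings="$findings pin-on-command-line" ;;
            i|m|q|s) ;;
            *) findings="$findings unknown-option" ;;
        esac
    done
    shift $((OPTIND - 1))
    # Class mapping: only names given on this page (upper-casing is a convenience).
    case $(printf '%s' "$alg" | tr '[:lower:]' '[:upper:]') in
        RSA|NSEC3RSASHA1) class=RSA ;;
        DSA) class=DSA ;;
        DH) class=DH ;;
        ECC|ECDSAP256SHA256) class=ECC ;;
        ECX|ED25519) class=ECX ;;
        *) class=unknown; findings="$findings unlisted-algorithm" ;;
    esac
    case $class:$bits in
        ECC:|ECC:256|ECC:384|ECX:|ECX:256|ECX:456) ;;
        ECC:*|ECX:*) findings="$findings invalid-keysize" ;;
    esac
    if [ "$special" = yes ]; then
        case $class:$bits in
            DH:|DH:768|DH:1024|DH:1536) ;;
            DH:*) findings="$findings invalid-special-prime-size" ;;
            *) findings="$findings S-requires-DH" ;;
        esac
    fi
    case $large:$class in
        yes:RSA|no:*) ;;
        *) findings="$findings e-requires-RSA" ;;
    esac
    if [ "$#" -ne 1 ]; then findings="$findings need-exactly-one-label"; fi
    printf '%s\n' "class=$class findings:${findings:- none}"
    [ -z "$findings" ]   # exit status 0 only when nothing was flagged
}
# Constructed sample: a clean ECC request (the label is made up).
lint_keygen -a ECDSAP256SHA256 -b 256 zsk-example
```

</div>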
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">pkcs11-destroy</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-list</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-tokens</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-keyfromlabel</span>(8)
</span>
</p>
</div>
</div></body>
</html>