man.pkcs11-keygen.html revision bfb7b680bf88c1fdd9949197b71c512c532280a4
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - This Source Code Form is subject to the terms of the Mozilla Public
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - License, v. 2.0. If a copy of the MPL was not distributed with this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - file, You can obtain one at http://mozilla.org/MPL/2.0/.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="man.pkcs11-list.html" title="pkcs11-list">
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater<link rel="next" href="man.pkcs11-tokens.html" title="pkcs11-tokens">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<tr><th colspan="3" align="center"><span class="application">pkcs11-keygen</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.pkcs11-list.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.pkcs11-tokens.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein — generate keys on a PKCS#11 device
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein {-a <em class="replaceable"><code>algorithm</code></em>}
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [<code class="option">-i <em class="replaceable"><code>id</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
48abcd3eb789fdd24a2e0a6155b25e6979a39ae0Mark Andrews a new key pair with the given <code class="option">label</code> (which must be
48abcd3eb789fdd24a2e0a6155b25e6979a39ae0Mark Andrews unique) and with <code class="option">keysize</code> bits of prime.
48abcd3eb789fdd24a2e0a6155b25e6979a39ae0Mark Andrews <div class="variablelist"><dl class="variablelist">
48abcd3eb789fdd24a2e0a6155b25e6979a39ae0Mark Andrews<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specify the key algorithm class. Supported classes are RSA,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DSA, DH, ECC and ECX. In addition to these strings, the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">algorithm</code> can be specified as a DNSSEC
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein signing algorithm that will be used with this key; for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to ECC, and ED25519 to ECX. The default class is "RSA".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Create the key pair with <code class="option">keysize</code> bits of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein prime. For ECC keys, the only valid values are 256 and 384,
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater and the default is 256. For ECX keys, the only valid values
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are 256 and 456, and the default is 256.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein For RSA keys only, use a large exponent.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Create key objects with id. The id is either
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a 2-byte unsigned short or a 4-byte unsigned long number.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specify the PKCS#11 provider module. This must be the full
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein path to a shared library object implementing the PKCS#11 API
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for the device.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Set the new private key to be non-sensitive and extractable.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This allows the private key data to be read from the PKCS#11
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein device. The default is for private keys to be sensitive and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein non-extractable.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specify the PIN for the device. If no PIN is provided on
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the command line, <span class="command"><strong>pkcs11-keygen</strong></span> will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein prompt for it.
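The option rules above can be checked before the device is touched. The following is an added example, not part of the BIND manual or ISC's code: the function names `keygen_class` and `keygen_cmd`, the module path, and the label character rule are assumptions made for illustration. It builds a `pkcs11-keygen` command line (label as the final argument) that leaves out `-p`, so the PIN is prompted for rather than exposed in the process list, and leaves the private key at its sensitive, non-extractable default.

```shell
#!/bin/sh
# Added example (not ISC code). MODULE is a placeholder path to a provider library.
MODULE=/path/to/pkcs11-module.so

# Map an -a value to its key class, using only the mappings this page states.
keygen_class() {
    case "$1" in
        RSA|DSA|DH|ECC|ECX) printf '%s\n' "$1" ;;
        NSEC3RSASHA1)       printf 'RSA\n' ;;
        ECDSAP256SHA256)    printf 'ECC\n' ;;
        ED25519)            printf 'ECX\n' ;;
        *) return 1 ;;
    esac
}

# Usage: keygen_cmd ALGORITHM KEYSIZE LABEL
# KEYSIZE may be empty to take the documented default. Prints the vetted
# command line on stdout, or an error on stderr with a non-zero status.
keygen_cmd() {
    alg=$1; bits=$2; label=$3
    class=$(keygen_class "$alg") || { echo "unknown algorithm: $alg" >&2; return 1; }
    case "$label" in
        # Assumed local policy: simple labels only, so the line needs no quoting.
        ''|*[!A-Za-z0-9._-]*) echo "bad label" >&2; return 1 ;;
    esac
    case "$class:$bits" in
        ECC:|ECX:)       bits=256 ;;   # documented default for both classes
        ECC:256|ECC:384) ;;
        ECX:256|ECX:456) ;;
        ECC:*|ECX:*)     echo "invalid keysize $bits for $class" >&2; return 1 ;;
        *:)              ;;            # other classes: leave -b off
        *:*[!0-9]*)      echo "keysize must be a number" >&2; return 1 ;;
    esac
    # No -p: the tool prompts for the PIN, keeping it out of argv.
    # No option that marks the key extractable: the default stays in force.
    printf 'pkcs11-keygen -a %s%s -m %s %s\n' \
        "$alg" "${bits:+ -b $bits}" "$MODULE" "$label"
}
```
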