'\" t
.\"     Title: IPSEC_NEWHOSTKEY
.\"    Author: Paul Wouters
.\" Generator: DocBook XSL Stylesheets v1.79.1
.\"      Date: 06/11/2019
.\"    Manual: Executable programs
.\"    Source: libreswan
.\"  Language: English
.\"
.TH "IPSEC_NEWHOSTKEY" "8" "06/11/2019" "libreswan" "Executable programs"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ipsec_newhostkey \- generate a new raw RSA authentication key for a host
.SH "SYNOPSIS"
.HP \w'\fBipsec\fR\ 'u
\fBipsec\fR \fInewhostkey\fR [[\-\-quiet] | [\-\-verbose]] [\-\-nssdir\ \fInssdir\fR] [\-\-password\ \fIpassword\fR] [\-\-bits\ \fIbits\fR] [\-\-seeddev\ \fIdevice\fR] [\-\-hostname\ \fIhostname\fR] [\-\-output\ \fIfilename\fR]
.SH "DESCRIPTION"
.PP
\fInewhostkey\fR
generates an RSA public/private key pair suitable for authenticating this host and stores it in the NSS database\&.
.PP
See
\fBipsec_showhostkey\fR(8)
for how to extract the public key from the NSS database\&.
.SS "Output Options"
.PP
\fB\-\-output\fR\ \&\fIfilename\fR
.RS 4
The
\fB\-\-output\fR
option specifies an
\fIipsec\&.secrets\fR
formatted file (see
\fBipsec.secrets\fR(5)) in which to store the public key information\&. If the file does not exist, it is created under umask
\fB077\fR\&. If the file already exists and is non\-empty, a warning message about that is written to standard error, and the output is appended to the file\&.
.RE
.PP
\fB\-\-quiet\fR
.RS 4
The
\fB\-\-quiet\fR
option suppresses both the
\fIrsasigkey\fR
narrative and the existing\-file warning message\&.
.RE
.PP
\fB\-\-nssdir\fR\ \&\fInssdir\fR
.RS 4
The
\fB\-\-nssdir\fR
option specifies the NSS DB directory where the certificate, key, and modsec databases reside (default /var/lib/ipsec/nss)\&.
.RE
.PP
\fB\-\-password\fR\ \&\fIpassword\fR
.RS 4
The
\fB\-\-password\fR
option specifies a module authentication
\fIpassword\fR
that may be required if FIPS mode is enabled\&.
.RE
.PP
\fB\-\-bits\fR\ \&\fIbits\fR
.RS 4
The
\fB\-\-bits\fR
option specifies the number of bits in the RSA key; the current default is a random (multiple of 16) value between 3072 and 4096\&. The minimum allowed is 2192\&.
.RE
.PP
\fB\-\-seeddev\fR\ \&\fIdevice\fR
.RS 4
The
\fB\-\-seeddev\fR
option specifies the random device (default /dev/random) used to seed the crypto library RNG\&.
.RE
.PP
\fB\-\-hostname\fR\ \&\fIhostname\fR
.RS 4
The
\fB\-\-hostname\fR
option is passed through to
\fIrsasigkey\fR
to tell it what host name to label the output with (via its
\fB\-\-hostname\fR
option)\&.
.RE
.SH "FILES"
.PP
/dev/random, /dev/urandom
.SH "SEE ALSO"
.PP
\fBipsec_rsasigkey\fR(8),
\fBipsec_showhostkey\fR(8),
\fBipsec.secrets\fR(5)
.SH "HISTORY"
.PP
Originally written for the Linux FreeS/WAN project
<\m[blue]\fBhttps://www\&.freeswan\&.org\fR\m[]>
by Henry Spencer\&. Updated by Paul Wouters\&.
.SH "BUGS"
.PP
As with
\fIrsasigkey\fR, the run time is difficult to predict, since depletion of the system\*(Aqs randomness pool can cause arbitrarily long waits for random bits for seeding the NSS library, and the prime\-number searches can also take unpredictable (and potentially large) amounts of CPU time\&. See
\fBipsec_rsasigkey\fR(8)\&.
.PP
A higher\-level tool that could handle the clerical details of changing to a new key would be helpful\&.
.SH "AUTHOR"
.PP
\fBPaul Wouters\fR
.RS 4
placeholder to suppress warning
.RE
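.SH "EXAMPLES"
.PP
The following wrapper is an added example and is not part of libreswan\&. It runs \fBipsec newhostkey\fR with an explicit \fB\-\-nssdir\fR and \fB\-\-output\fR; because the tool appends to an existing \fB\-\-output\fR file, the wrapper first refuses to proceed if that file exists with permissions other than the ones a freshly created file gets under umask 077 (mode 0600), and it rejects a \fB\-\-bits\fR value below the 2192\-bit minimum before the tool is invoked\&. The helper names are assumptions, and the mode check relies on GNU \fBstat \-c\fR\&.

```shell
#!/bin/sh
# Added example wrapper for "ipsec newhostkey" (not libreswan code).
# Assumes GNU stat (-c '%a') for the permission check.

# secrets_file_ok FILE
#   Returns 0 if FILE is absent (newhostkey will create it under umask 077)
#   or exists with mode 0600; returns 1 if it exists with looser permissions,
#   since newhostkey would append the new key material to it as-is.
secrets_file_ok() {
    file=$1
    [ -e "$file" ] || return 0
    mode=$(stat -c '%a' "$file") || return 1
    [ "$mode" = "600" ]
}

# newhostkey_args NSSDIR OUTFILE [BITS]
#   Prints the option string for "ipsec newhostkey". A BITS value below the
#   documented minimum of 2192 is rejected here rather than by the tool.
newhostkey_args() {
    nssdir=$1; out=$2; bits=${3:-}
    if [ -n "$bits" ] && [ "$bits" -lt 2192 ]; then
        echo "bits must be at least 2192 (got $bits)" >&2
        return 1
    fi
    args="--nssdir $nssdir --output $out"
    [ -n "$bits" ] && args="$args --bits $bits"
    printf '%s\n' "$args"
}

# run_newhostkey NSSDIR OUTFILE [BITS]
#   Performs both checks, then generates the key. umask 077 is set explicitly
#   so a secrets file created by the tool is readable only by the owner.
run_newhostkey() {
    secrets_file_ok "$2" || {
        echo "refusing: $2 exists but is not mode 0600" >&2
        return 1
    }
    args=$(newhostkey_args "$@") || return 1
    umask 077
    # shellcheck disable=SC2086  # word splitting of the option string is intended
    ipsec newhostkey $args
}
```

Typical use is \fBrun_newhostkey /var/lib/ipsec/nss /etc/ipsec.secrets 4096\fR, after which \fBipsec showhostkey\fR(8) extracts the public half\&.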