diff --git a/bin/pkcs11/pkcs11-keygen.8 b/bin/pkcs11/pkcs11-keygen.8
index db761ad63b..93ba99db29 100644
--- a/bin/pkcs11/pkcs11-keygen.8
+++ b/bin/pkcs11/pkcs11-keygen.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: pkcs11-keygen.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\" $Id: pkcs11-keygen.8,v 1.3 2009/10/05 12:25:29 fdupont Exp $
.\"
.hy 0
.ad l
@@ -32,7 +32,7 @@
pkcs11\-keygen \- generate RSA keys on a PKCS#11 device
.SH "SYNOPSIS"
.HP 14
-\fBpkcs11\-keygen\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-b\ \fIkeysize\fR} {\-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+\fBpkcs11\-keygen\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] [\fB\-e\fR] {\-b\ \fIkeysize\fR} {\-l\ \fIlabel\fR} [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR]
.SH "DESCRIPTION"
.PP
\fBpkcs11\-keygen\fR
@@ -58,6 +58,11 @@ Specify the PKCS#11 provider module. This must be the full path to a shared libr
Open the session with the given PKCS#11 slot. The default is slot 0.
.RE
.PP
+\-e
+.RS 4
+Use a large exponent.
+.RE
+.PP
\-b \fIkeysize\fR
.RS 4
Create the key pair with
@@ -67,7 +72,12 @@ bits of modulus.
.PP
\-l \fIlabel\fR
.RS 4
-Create key objects with the given label.
+Create key objects with the given label. This name must be unique.
+.RE
+.PP
+\-i \fIid\fR
+.RS 4
+Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number.
.RE
.PP
\-p \fIPIN\fR
@@ -79,12 +89,11 @@ will prompt for it.
.SH "SEE ALSO"
.PP
\fBpkcs11\-list\fR(3),
-\fBpkcs11\-destroy\fR(3)
+\fBpkcs11\-destroy\fR(3),
+\fBdnssec\-keyfromlabel\fR(3),
.SH "CAVEAT"
.PP
-The public exponent is hard\-wired to 65537.
-.PP
-The command should optionally set the object ID too.
+Some PKCS#11 providers crash with big public exponent.
.SH "AUTHOR"
.PP
Internet Systems Consortium
diff --git a/bin/pkcs11/pkcs11-keygen.html b/bin/pkcs11/pkcs11-keygen.html
index 77410e8633..1292cf6508 100644
--- a/bin/pkcs11/pkcs11-keygen.html
+++ b/bin/pkcs11/pkcs11-keygen.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -28,10 +28,10 @@
Synopsis
-
pkcs11-keygen [-P] [-m module] [-s slot] {-b keysize} {-l label} [-p PIN]
+
pkcs11-keygen [-P] [-m module] [-s slot] [-e] {-b keysize} {-l label} [-i id] [-p PIN]
-
DESCRIPTION
+
DESCRIPTION
pkcs11-keygen causes a PKCS#11 device to generate
a new RSA key pair with the specified label and
@@ -39,7 +39,7 @@
-
ARGUMENTS
+
ARGUMENTS
- -P
@@ -59,6 +59,10 @@
Open the session with the given PKCS#11 slot. The default is
slot 0.
- -e
+
+ Use a large exponent.
+
- -b
keysize
Create the key pair with keysize bits of
@@ -67,6 +71,12 @@
- -l
label
Create key objects with the given label.
+ This name must be unique.
+
- -i
id
+
+ Create key objects with id. The id is either
+ an unsigned short 2 byte or an unsigned long 4 byte number.
- -p
PIN
@@ -76,19 +86,19 @@
-
SEE ALSO
+
SEE ALSO
pkcs11-list(3),
- pkcs11-destroy(3)
+ pkcs11-destroy(3),
+ dnssec-keyfromlabel(3),
-
CAVEAT
-
The public exponent is hard-wired to 65537.
-
The command should optionally set the object ID too.
+
CAVEAT
+
Some PKCS#11 providers crash with big public exponent.
-
AUTHOR
+
AUTHOR
Internet Systems Consortium