96 lines
3.0 KiB
Plaintext
96 lines
3.0 KiB
Plaintext
.\" Man page generated from reStructuredText.
|
|
.
|
|
.TH "PKCS11-KEYGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
|
|
.SH NAME
|
|
pkcs11-keygen \- generate keys on a PKCS#11 device
|
|
.
|
|
.nr rst2man-indent-level 0
|
|
.
|
|
.de1 rstReportMargin
|
|
\\$1 \\n[an-margin]
|
|
level \\n[rst2man-indent-level]
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
-
|
|
\\n[rst2man-indent0]
|
|
\\n[rst2man-indent1]
|
|
\\n[rst2man-indent2]
|
|
..
|
|
.de1 INDENT
|
|
.\" .rstReportMargin pre:
|
|
. RS \\$1
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
. nr rst2man-indent-level +1
|
|
.\" .rstReportMargin post:
|
|
..
|
|
.de UNINDENT
|
|
. RE
|
|
.\" indent \\n[an-margin]
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.nr rst2man-indent-level -1
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
..
|
|
.SH SYNOPSIS
|
|
.sp
|
|
\fBpkcs11\-keygen\fP [\fB\-a\fP algorithm] [\fB\-b\fP keysize] [\fB\-e\fP] [\fB\-i\fP id] [\fB\-m\fP module] [\fB\-P\fP] [\fB\-p\fP PIN] [\fB\-q\fP] [\fB\-S\fP] [\fB\-s\fP slot] label
|
|
.SH DESCRIPTION
|
|
.sp
|
|
\fBpkcs11\-keygen\fP causes a PKCS#11 device to generate a new key pair
|
|
with the given \fBlabel\fP (which must be unique) and with \fBkeysize\fP
|
|
bits of prime.
|
|
.SH ARGUMENTS
|
|
.INDENT 0.0
|
|
.TP
|
|
\fB\-a\fP algorithm
|
|
Specify the key algorithm class: Supported classes are RSA, DSA, DH,
|
|
ECC and ECX. In addition to these strings, the \fBalgorithm\fP can be
|
|
specified as a DNSSEC signing algorithm that will be used with this
|
|
key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to
|
|
ECC, and ED25519 to ECX. The default class is "RSA".
|
|
.TP
|
|
\fB\-b\fP keysize
|
|
Create the key pair with \fBkeysize\fP bits of prime. For ECC keys, the
|
|
only valid values are 256 and 384, and the default is 256. For ECX
|
|
keys, the only valid values are 256 and 456, and the default is 256.
|
|
.TP
|
|
\fB\-e\fP
|
|
For RSA keys only, use a large exponent.
|
|
.TP
|
|
\fB\-i\fP id
|
|
Create key objects with id. The id is either an unsigned short 2 byte
|
|
or an unsigned long 4 byte number.
|
|
.TP
|
|
\fB\-m\fP module
|
|
Specify the PKCS#11 provider module. This must be the full path to a
|
|
shared library object implementing the PKCS#11 API for the device.
|
|
.TP
|
|
\fB\-P\fP
|
|
Set the new private key to be non\-sensitive and extractable. The
|
|
allows the private key data to be read from the PKCS#11 device. The
|
|
default is for private keys to be sensitive and non\-extractable.
|
|
.TP
|
|
\fB\-p\fP PIN
|
|
Specify the PIN for the device. If no PIN is provided on the command
|
|
line, \fBpkcs11\-keygen\fP will prompt for it.
|
|
.TP
|
|
\fB\-q\fP
|
|
Quiet mode: suppress unnecessary output.
|
|
.TP
|
|
\fB\-S\fP
|
|
For Diffie\-Hellman (DH) keys only, use a special prime of 768, 1024
|
|
or 1536 bit size and base (aka generator) 2. If not specified, bit
|
|
size will default to 1024.
|
|
.TP
|
|
\fB\-s\fP slot
|
|
Open the session with the given PKCS#11 slot. The default is slot 0.
|
|
.UNINDENT
|
|
.SH SEE ALSO
|
|
.sp
|
|
\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP, \fBdnssec\-keyfromlabel(8)\fP
|
|
.SH AUTHOR
|
|
Internet Systems Consortium
|
|
.SH COPYRIGHT
|
|
2020, Internet Systems Consortium
|
|
.\" Generated by docutils manpage writer.
|
|
.
|