2. EL 6 ELS
  3. libreswan
  4. ipsec_newhostkey(8)

Scroll to navigation

IPSEC_RANBITS(8) Executable programs IPSEC_RANBITS(8)

NAME

ipsec_newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS

ipsec newhostkey [[--configdirnssdbdir] | [--password password]] [[--quiet] | [--verbose]] [--bits bits] [--seeddev device] [--hostname hostname] [--output filename]

DESCRIPTION

newhostkey outputs (into filename, which can be ´-´ for standard output) an RSA private key suitable for this host, in /etc/ipsec.secrets format (see ipsec.secrets(5)) using the --quiet option per default.

The --output option is mandatory. The specified filename is created under umask 077 if nonexistent; if it already exists and is non-empty, a warning message about that is sent to standard error, and the output is appended to the file.

The --quiet option suppresses both the rsasigkey narrative and the existing-file warning message.

When compiled with NSS support (the default), --configdir specifies the nss configuration directory where the certificate key, and modsec databases reside. There is no default value, though /etc/ipsec.d might be sensible choice.

When compiled with NSS support (the default), --password specifies a module authentication password that may be required if FIPS mode is enabled

The --bits option specifies the number of bits in the RSA key; the current default is a random (multiple of 16) value between 3072 and 4096. The minimum allowed is 2192.

The --seeddev is used to specify the random device (default /dev/random used to seed the crypto library RNG.

The --hostname option is passed through to rsasigkey to tell it what host name to label the output with (via its --hostname option).

The output format is that of rsasigkey, with bracketing added to complete the ipsec.secrets format. In the usual case, where ipsec.secrets contains only the host�s own private key, the output of newhostkey is sufficient as a complete ipsec.secrets file.

FILES

/dev/random, /dev/urandom

SEE ALSO

ipsec_rsasigkey(8), ipsec.secrets(5)

HISTORY

Originally written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters

BUGS

As with rsasigkey, the run time is difficult to predict, since depletion of the system�s randomness pool can cause arbitrarily long waits for random bits for seeding the NSS library, and the prime-number searches can also take unpredictable (and potentially large) amounts of CPU time. See ipsec_rsasigkey(8) .

A higher-level tool which could handle the clerical details of changing to a new key would be helpful.

AUTHOR

Paul Wouters

placeholder to suppress warning
01/28/2020 libreswan