2. EL 6 ELS
  3. openswan
  4. ipsec_newhostkey(8)

Scroll to navigation

IPSEC_RANBITS(8) [FIXME: manual] IPSEC_RANBITS(8)

NAME

ipsec_newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS

ipsec newhostkey [[--configdiranssdbdir] | [--password password]] [[--quiet] | [--verbose]] [--bits bits] [--hostname hostname] --output filename

DESCRIPTION

newhostkey outputs (into filename, which can be ´-´ for standard output) an RSA private key suitable for this host, in /etc/ipsec.secrets format (see ipsec.secrets(5)) using the --quiet option per default.

The --output option is mandatory. The specified filename is created under umask 077 if nonexistent; if it already exists and is non-empty, a warning message about that is sent to standard error, and the output is appended to the file.

The --quiet option suppresses both the rsasigkey narrative and the existing-file warning message.

When compiled with NSS support, --configdir specifies the nss configuration directory where the certificate key, and modsec databases reside. There is no default value, though /etc/ipsec.d might be sensible choice.

When compiled with NSS support, --password specifies a module authentication password that may be required if FIPS mode is enabled

The --bits option specifies the number of bits in the key; the current default is 2192 and we do not recommend use of anything shorter unless unusual constraints demand it.

The --hostname option is passed through to rsasigkey to tell it what host name to label the output with (via its --hostname option).

The output format is that of rsasigkey, with bracketing added to complete the ipsec.secrets format. In the usual case, where ipsec.secrets contains only the host�s own private key, the output of newhostkey is sufficient as a complete ipsec.secrets file.

FILES

/dev/random, /dev/urandom

SEE ALSO

ipsec_rsasigkey(8), ipsec.secrets(5)

HISTORY

Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer.

BUGS

As with rsasigkey, the run time is difficult to predict, since depletion of the system�s randomness pool can cause arbitrarily long waits for random bits, and the prime-number searches can also take unpre dictable (and potentially large) amounts of CPU time. See ipsec_rsasigkey(8) for some typical performance numbers.

A higher-level tool which could handle the clerical details of changing to a new key would be helpful.

The requirement for --output is a blemish, but private keys are extremely sensitive information and unusual precautions seem justified.

10/06/2010 [FIXME: source]