Man page - pki---gen(1)

Packages contains this manual

Package:  strongswan-pki
apt-get install strongswan-pki

Manuals in package:
• pki---dn(1)
• pki(1)
• pki---verify(1)
• pki---pkcs7(1)
• pki---req(1)
• pki---self(1)
• pki---acert(1)
• pki---scep(1)
• pki---signcrl(1)
• pki---keyid(1)
• pki---ocsp(1)
• pki---estca(1)
• pki---pub(1)
• pki---issue(1)
• pki---gen(1)
• pki---scepca(1)
• pki---est(1)
• pki---print(1)
Documentations in package:
• strongswan-pki

Manual

PKI --GEN

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
RSA Threshold Cryptography
PROBLEMS ON HOSTS WITH LOW ENTROPY
EXAMPLES
SEE ALSO

---

NAME

pki --gen - Generate a new RSA or ECDSA private key

SYNOPSIS

	pki --gen		[ --type type ] [ --size bits ] [ --safe-primes ] [ --shares n ] [ --threshold l ] [ --outform encoding ] [ --debug level ]
	pki --gen		--options file
	pki --gen		-h | --help

DESCRIPTION

This sub-command of pki (1) is used to generate a new RSA or ECDSA private key.

OPTIONS

-h, --help

Print usage information with a summary of the available options.

-v, --debug level

Set debug level, default: 1.

-+, --options file

Read command line options from file .

-t, --type type

Type of key to generate. Either rsa , ecdsa , ed25519 , ed448 or bliss , defaults to rsa .

-s, --size bits

Key length in bits. Defaults to 2048 for rsa and 384 for ecdsa . For ecdsa only three values are currently supported: 256, 384 and 521.

-p, --safe-primes

Generate RSA safe primes.

-f, --outform encoding

Encoding of the generated private key. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der .

RSA Threshold Cryptography

-n, --shares <n>

Number of private RSA key shares.

-l, --threshold <l>

Minimum number of participating RSA key shares.

PROBLEMS ON HOSTS WITH LOW ENTROPY

If the gmp plugin is used to generate RSA private keys the key material is read from /dev/random (via the random plugin). Therefore, the command may block if the system’s entropy pool is empty. To avoid this, either use a hardware random number generator to feed /dev/random or use OpenSSL (via the openssl plugin or the command line) which is not as strict in regards to the quality of the key material (it reads from /dev/urandom if necessary). It is also possible to configure the devices used by the random plugin in strongswan.conf (5). Setting libstrongswan.plugins.random.random to /dev/urandom forces the plugin to treat bytes read from /dev/urandom as high grade random data, thus avoiding the blocking. Of course, this doesn’t change the fact that the key material generated this way is of lower quality.

EXAMPLES

pki --gen --size 3072 > rsa_key.der

Generates a 3072-bit RSA private key.

pki --gen --type ecdsa --size 256 > ecdsa_key.der

Generates a 256-bit ECDSA private key.

SEE ALSO

pki (1)

---