Section: Executable programs (8)
ipsec_newhostkey - generate a new raw RSA authentication key for a host
ipsec newhostkey [[--quiet] | [--verbose]] [--nssdirnssdir] [--password password] [--bits bits] [--seeddev device] [--hostname hostname] [--output filename]
generates an RSA public/private key pair suitable for authenticating this host is generated and stored in the NSS database.
for how to extract the public key from the NSS database.
option specifies an
formatted file (see
ipsec.secrets(5)). to store the public key information. If the file does not exist, it is created under umask
077. If the file already exists and is non-empty, a warning message about that is written to standard error, and the output is appended to the file.
option suppresses both the
narrative and the existing-file warning message.
option specifies the NSS DB directory where the certificate key, and modsec databases reside (default
option specifies a module authentication
that may be required if FIPS mode is enabled.
option specifies the number of bits in the RSA key; the current default is a random (multiple of 16) value between 3072 and 4096. The minimum allowed is 2192.
is used to specify the random device (default
used to seed the crypto library RNG.
option is passed through to
to tell it what host name to label the output with (via its
Originally written for the Linux FreeS/WAN project <m[blue]https://www.freeswan.orgm> by Henry Spencer. Updated by Paul Wouters
rsasigkey, the run time is difficult to predict, since depletion of the system's randomness pool can cause arbitrarily long waits for random bits for seeding the NSS library, and the prime-number searches can also take unpredictable (and potentially large) amounts of CPU time. See
A higher-level tool that could handle the clerical details of changing to a new key would be helpful.
placeholder to suppress warning