summaryrefslogtreecommitdiffstats
path: root/doc/man/pkcs11-keygen.8in
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/man/pkcs11-keygen.8in95
1 files changed, 95 insertions, 0 deletions
diff --git a/doc/man/pkcs11-keygen.8in b/doc/man/pkcs11-keygen.8in
new file mode 100644
index 0000000..8ea542e
--- /dev/null
+++ b/doc/man/pkcs11-keygen.8in
@@ -0,0 +1,95 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "PKCS11-KEYGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+pkcs11-keygen \- generate keys on a PKCS#11 device
+.SH SYNOPSIS
+.sp
+\fBpkcs11\-keygen\fP [\fB\-a\fP algorithm] [\fB\-b\fP keysize] [\fB\-e\fP] [\fB\-i\fP id] [\fB\-m\fP module] [\fB\-P\fP] [\fB\-p\fP PIN] [\fB\-q\fP] [\fB\-S\fP] [\fB\-s\fP slot] label
+.SH DESCRIPTION
+.sp
+\fBpkcs11\-keygen\fP causes a PKCS#11 device to generate a new key pair
+with the given \fBlabel\fP (which must be unique) and with \fBkeysize\fP
+bits of prime.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a algorithm\fP
+This option specifies the key algorithm class: supported classes are RSA, DSA, DH,
+ECC, and ECX. In addition to these strings, the \fBalgorithm\fP can be
+specified as a DNSSEC signing algorithm to be used with this
+key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to
+ECC, and ED25519 to ECX. The default class is \fBRSA\fP\&.
+.TP
+.B \fB\-b keysize\fP
+This option creates the key pair with \fBkeysize\fP bits of prime. For ECC keys, the
+only valid values are 256 and 384, and the default is 256. For ECX
+keys, the only valid values are 256 and 456, and the default is 256.
+.TP
+.B \fB\-e\fP
+For RSA keys only, this option specifies use of a large exponent.
+.TP
+.B \fB\-i id\fP
+This option creates key objects with \fBid\fP\&. The ID is either an unsigned short 2\-byte
+or an unsigned long 4\-byte number.
+.TP
+.B \fB\-m module\fP
+This option specifies the PKCS#11 provider module. This must be the full path to a
+shared library object implementing the PKCS#11 API for the device.
+.TP
+.B \fB\-P\fP
+This option sets the new private key to be non\-sensitive and extractable, and
+allows the private key data to be read from the PKCS#11 device. The
+default is for private keys to be sensitive and non\-extractable.
+.TP
+.B \fB\-p PIN\fP
+This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
+line, \fBpkcs11\-keygen\fP prompts for it.
+.TP
+.B \fB\-q\fP
+This option sets quiet mode, which suppresses unnecessary output.
+.TP
+.B \fB\-S\fP
+For Diffie\-Hellman (DH) keys only, this option specifies use of a special prime of 768\-, 1024\-,
+or 1536\-bit size and base (AKA generator) 2. If not specified, bit
+size defaults to 1024.
+.TP
+.B \fB\-s slot\fP
+This option opens the session with the given PKCS#11 slot. The default is slot 0.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP, \fBdnssec\-keyfromlabel(8)\fP
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.