Diffstat (limited to 'doc/man/pkcs11-keygen.8in')
-rw-r--r-- | doc/man/pkcs11-keygen.8in | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/doc/man/pkcs11-keygen.8in b/doc/man/pkcs11-keygen.8in new file mode 100644 index 0000000..8ea542e --- /dev/null +++ b/doc/man/pkcs11-keygen.8in 
@@ -0,0 +1,95 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "PKCS11-KEYGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9" +.SH NAME +pkcs11-keygen \- generate keys on a PKCS#11 device +.SH SYNOPSIS +.sp +\fBpkcs11\-keygen\fP [\fB\-a\fP algorithm] [\fB\-b\fP keysize] [\fB\-e\fP] [\fB\-i\fP id] [\fB\-m\fP module] [\fB\-P\fP] [\fB\-p\fP PIN] [\fB\-q\fP] [\fB\-S\fP] [\fB\-s\fP slot] label +.SH DESCRIPTION +.sp +\fBpkcs11\-keygen\fP causes a PKCS#11 device to generate a new key pair +with the given \fBlabel\fP (which must be unique) and with \fBkeysize\fP +bits of prime. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-a algorithm\fP +This option specifies the key algorithm class: supported classes are RSA, DSA, DH, +ECC, and ECX. In addition to these strings, the \fBalgorithm\fP can be +specified as a DNSSEC signing algorithm to be used with this +key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to +ECC, and ED25519 to ECX. The default class is \fBRSA\fP\&. +.TP +.B \fB\-b keysize\fP +This option creates the key pair with \fBkeysize\fP bits of prime. For ECC keys, the +only valid values are 256 and 384, and the default is 256. For ECX +keys, the only valid values are 256 and 456, and the default is 256. +.TP +.B \fB\-e\fP +For RSA keys only, this option specifies use of a large exponent. 
+.TP +.B \fB\-i id\fP +This option creates key objects with \fBid\fP\&. The ID is either an unsigned short 2\-byte +or an unsigned long 4\-byte number. +.TP +.B \fB\-m module\fP +This option specifies the PKCS#11 provider module. This must be the full path to a +shared library object implementing the PKCS#11 API for the device. +.TP +.B \fB\-P\fP +This option sets the new private key to be non\-sensitive and extractable, and +allows the private key data to be read from the PKCS#11 device. The +default is for private keys to be sensitive and non\-extractable. +.TP +.B \fB\-p PIN\fP +This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command +line, \fBpkcs11\-keygen\fP prompts for it. +.TP +.B \fB\-q\fP +This option sets quiet mode, which suppresses unnecessary output. +.TP +.B \fB\-S\fP +For Diffie\-Hellman (DH) keys only, this option specifies use of a special prime of 768\-, 1024\-, +or 1536\-bit size and base (AKA generator) 2. If not specified, bit +size defaults to 1024. +.TP +.B \fB\-s slot\fP +This option opens the session with the given PKCS#11 slot. The default is slot 0. +.UNINDENT +.SH SEE ALSO +.sp +\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP, \fBdnssec\-keyfromlabel(8)\fP +.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2023, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. |
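Review bot: the \-p PIN entry under OPTIONS documents giving the PIN on the command line without saying that command-line arguments are visible to other local users through the process list and can end up in shell history. Suggest adding a sentence there recommending that the option be omitted so that pkcs11\-keygen prompts for the PIN, which the text already says it does. In the same section, \-b states a default only for ECC and ECX keys, so the default key size for RSA, DSA and DH (without \-S) is undocumented and should be added. The \-P entry could also state plainly that an extractable, non-sensitive key loses the protection of being held on the PKCS#11 device. Finally, the phrase "keysize bits of prime" in DESCRIPTION and \-b does not fit the ECC and ECX cases and would read better as a plain key size.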