pkcs11-keygen (8) Linux Manual Page
pkcs11-keygen – generate keys on a PKCS#11 device
Synopsis
pkcs11-keygen {-a algorithm} [-b keysize] [-e] [-i id] [-m module] [-P] [-p PIN] [-q] [-S] [-s slot] {label}
Description
pkcs11-keygen generates a new key pair on a PKCS#11 device with the given label (which must be unique) and with keysize bits of prime.
Arguments
-a algorithm
- Specify the key algorithm class: Supported classes are RSA, DSA, DH, and ECC. In addition to these strings, the algorithm can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps to ECC. The default class is "RSA".
-b keysize
- Create the key pair with keysize bits of prime. For ECC keys, the only valid values are 256 and 384, and the default is 256.
-e
- For RSA keys only, use a large exponent.
-i id
- Create key objects with id. The id is either an unsigned short (2 byte) or an unsigned long (4 byte) number.
-m module
- Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
-P
- Set the new private key to be non-sensitive and extractable. This allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non-extractable.
-p PIN
- Specify the PIN for the device. If no PIN is provided on the command line, pkcs11-ecgen will prompt for it.
-q
- Quiet mode: suppress unnecessary output.
-S
- For Diffie-Hellman (DH) keys only, use a special prime of 768, 1024 or 1536 bit size and base (aka generator) 2. If not specified, bit size will default to 1024.
-s slot
- Open the session with the given PKCS#11 slot. The default is slot 0.
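Example
The following wrapper is an added example, not part of the original manual page or of ISC's code. It checks arguments against the rules documented above and then calls pkcs11-keygen without -p and without -P. The function name keygen_on_token, the PKCS11_KEYGEN override, the module path and the label are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the man page. keygen_on_token is a hypothetical
# wrapper that checks arguments against the rules documented above before
# calling pkcs11-keygen. It never passes -p (a PIN in argv can be visible to
# other local users in the process list, so the tool is left to prompt) and
# never passes -P (the private key stays sensitive and non-extractable).
# PKCS11_KEYGEN is a hypothetical override; set it to "echo" for a dry run.

# usage: keygen_on_token ALGORITHM KEYSIZE MODULE SLOT LABEL
keygen_on_token() {
    [ "$#" -eq 5 ] || { echo "expected 5 arguments" >&2; return 2; }
    alg=$1 bits=$2 module=$3 slot=$4 label=$5

    # Key size and slot must be plain decimal numbers.
    case $bits in ''|*[!0-9]*) echo "bad keysize: $bits" >&2; return 1 ;; esac
    case $slot in ''|*[!0-9]*) echo "bad slot: $slot" >&2; return 1 ;; esac

    # ECC keys: only 256 and 384 are valid. Treating every ECDSA* DNSSEC
    # name as ECC is an assumption; the page names only ECDSAP256SHA256.
    case $alg in
        ECC|ECDSA*)
            case $bits in
                256|384) ;;
                *) echo "ECC keysize must be 256 or 384" >&2; return 1 ;;
            esac ;;
    esac

    # -m must be the full path to the provider's shared library.
    case $module in
        /*) ;;
        *) echo "module must be a full path: $module" >&2; return 1 ;;
    esac

    # Assumption of this wrapper: refuse empty labels and labels starting
    # with "-", which could be parsed as an option such as -P.
    case $label in
        ''|-*) echo "bad label: $label" >&2; return 1 ;;
    esac

    "${PKCS11_KEYGEN:-pkcs11-keygen}" -a "$alg" -b "$bits" \
        -m "$module" -s "$slot" "$label"
}

# Dry run with constructed values (module path and label are placeholders).
( PKCS11_KEYGEN=echo
  keygen_on_token ECDSAP256SHA256 256 /opt/example/libpkcs11.so 0 example-zsk )
```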
See Also
pkcs11-rsagen(3), pkcs11-dsagen(3), pkcs11-list(3), pkcs11-destroy(3), dnssec-keyfromlabel(3)
Author
Internet Systems Consortium
Copyright
Copyright © 2012 Internet Systems Consortium, Inc. ("ISC")
