1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
7 - Permission to use, copy, modify, and/or distribute this software for any
8 - purpose with or without fee is hereby granted, provided that the above
9 - copyright notice and this permission notice appear in all copies.
11 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 - PERFORMANCE OF THIS SOFTWARE.
20 <refentry id="man.pkcs11-keygen">
22 <date>January 15, 2014</date>
26 <refentrytitle><application>pkcs11-keygen</application></refentrytitle>
27 <manvolnum>8</manvolnum>
28 <refmiscinfo>BIND9</refmiscinfo>
32 <refname><application>pkcs11-keygen</application></refname>
33 <refpurpose>generate keys on a PKCS#11 device</refpurpose>
40 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
46 <command>pkcs11-keygen</command>
47 <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
48 <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
49 <arg><option>-e</option></arg>
50 <arg><option>-i <replaceable class="parameter">id</replaceable></option></arg>
51 <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
52 <arg><option>-P</option></arg>
53 <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
54 <arg><option>-q</option></arg>
55 <arg><option>-S</option></arg>
56 <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
57 <arg choice="req">label</arg>
62 <title>DESCRIPTION</title>
64 <command>pkcs11-keygen</command> causes a PKCS#11 device to generate
65 a new key pair with the given <option>label</option> (which must be
66 unique) and with <option>keysize</option> bits of prime.
71 <title>ARGUMENTS</title>
74 <term>-a <replaceable class="parameter">algorithm</replaceable></term>
77 Specify the key algorithm class: Supported classes are RSA,
78 DSA, DH, and ECC. In addition to these strings, the
79 <option>algorithm</option> can be specified as a DNSSEC
80 signing algorithm that will be used with this key; for
81 example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
82 to ECC. The default class is "RSA".
88 <term>-b <replaceable class="parameter">keysize</replaceable></term>
91 Create the key pair with <option>keysize</option> bits of
92 prime. For ECC keys, the only valid values are 256 and 384,
93 and the default is 256.
102 For RSA keys only, use a large exponent.
108 <term>-i <replaceable class="parameter">id</replaceable></term>
111 Create key objects with id. The id is either
112 an unsigned short 2 byte or an unsigned long 4 byte number.
118 <term>-m <replaceable class="parameter">module</replaceable></term>
121 Specify the PKCS#11 provider module. This must be the full
122 path to a shared library object implementing the PKCS#11 API
132 Set the new private key to be non-sensitive and extractable.
133 The allows the private key data to be read from the PKCS#11
134 device. The default is for private keys to be sensitive and
141 <term>-p <replaceable class="parameter">PIN</replaceable></term>
144 Specify the PIN for the device. If no PIN is provided on
145 the command line, <command>pkcs11-keygen</command> will
155 Quiet mode: suppress unnecessary output.
164 For Diffie-Hellman (DH) keys only, use a special prime of
165 768, 1024 or 1536 bit size and base (aka generator) 2.
166 If not specified, bit size will default to 1024.
172 <term>-s <replaceable class="parameter">slot</replaceable></term>
175 Open the session with the given PKCS#11 slot. The default is
185 <title>SEE ALSO</title>
188 <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
191 <refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
194 <refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
197 <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>8</manvolnum>
203 <title>AUTHOR</title>
204 <para><corpauthor>Internet Systems Consortium</corpauthor>