.TH IPSEC_NEWHOSTKEY 8 "4 March 2002"
.\" RCSID $Id: newhostkey.8,v 1.4 2002/04/01 20:05:27 mcr Exp $
ipsec newhostkey \- generate a new host authentication key
which can be `\fB-\fR' for standard output)
an RSA private key suitable for this host,
.IR /etc/ipsec.secrets
.IR ipsec.secrets (5)).
.IR ipsec_rsasigkey (8))
option, so a narrative of what is being done appears on standard error.
specifier, although it is syntactically an option and can appear at
any point among the options (it doesn't have to be first),
is created under umask
if it already exists and is non-empty,
a warning message about that is sent to standard error,
and the output is appended to the file.
option suppresses both the
narrative and the existing-file warning message.
option specifies the number of bits in the key;
the current default is 2192 and we do not recommend use of anything
shorter unless unusual constraints demand it.
option is passed through to
to tell it what host name to label the output with
The output format is that of
with bracketing added to complete the
In the usual case, where
contains only the host's own private key,
is sufficient as a complete
ipsec.secrets(5), ipsec_rsasigkey(8)
Written for the Linux FreeS/WAN project
<http://www.freeswan.org>
the run time is difficult to predict,
since depletion of the system's randomness pool can cause
arbitrarily long waits for random bits,
and the prime-number searches can also take unpredictable
(and potentially large) amounts of CPU time.
.IR ipsec_rsasigkey (8)
for some typical performance numbers.
A higher-level tool which could handle the clerical details
of changing to a new key would be helpful.
but private keys are extremely sensitive information
and unusual precautions seem justified.