Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

strongimcv_pki---gen(1) [centos man page]

PKI --GEN(1)							    strongSwan							      PKI --GEN(1)

NAME

       pki --gen - Generate a new RSA or ECDSA private key

SYNOPSIS

       pki --gen [--type type] [--size bits] [--safe-primes] [--shares n] [--threshold l] [--outform encoding] [--debug level]

       pki --gen --options file

       pki --gen -h | --help

DESCRIPTION

       This sub-command of pki(1) is used to generate a new RSA or ECDSA private key.

OPTIONS

       -h, --help
	      Print usage information with a summary of the available options.

       -v, --debug level
	      Set debug level, default: 1.

       -+, --options file
	      Read command line options from file.

       -t, --type type
	      Type of key to generate. Either rsa or ecdsa, defaults to rsa.

       -s, --size bits
	      Key  length  in bits. Defaults to 2048 for rsa and 384 for ecdsa.  For ecdsa only three values are currently supported: 256, 384 and
	      521.

       -p, --safe-primes
	      Generate RSA safe primes.

       -f, --outform encoding
	      Encoding of the generated private key. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.

   RSA Threshold Cryptography
       -n, --shares <n>
	      Number of private RSA key shares.

       -l, --threshold <l>
	      Minimum number of participating RSA key shares.

PROBLEMS ON HOSTS WITH LOW ENTROPY

       If the gmp plugin is used to generate RSA private keys the key material is read from /dev/random (via the random  plugin).  Therefore,  the
       command	may block if the system's entropy pool is empty.  To avoid this, either use a hardware random number generator to feed /dev/random
       or use OpenSSL (via the openssl plugin or the command line) which is not as strict in regards to the quality of the key material (it  reads
       from  /dev/urandom  if  necessary).  It is also possible to configure the devices used by the random plugin in strongswan.conf(5).  Setting
       libstrongswan.plugins.random.random to /dev/urandom forces the plugin to treat bytes read from /dev/urandom as high grade random data, thus
       avoiding the blocking. Of course, this doesn't change the fact that the key material generated this way is of lower quality.

EXAMPLES

       pki --gen --size 3072 > rsa_key.der
	      Generates a 3072-bit RSA private key.

       pki --gen --type ecdsa --size 256 > ecdsa_key.der
	      Generates a 256-bit ECDSA private key.

SEE ALSO

       pki(1)

5.1.1								    2013-07-31							      PKI --GEN(1)

Check Out this Related Man Page

RSA_check_key(3)						      OpenSSL							  RSA_check_key(3)

NAME

       RSA_check_key - validate private RSA keys

SYNOPSIS

	#include <openssl/rsa.h>

	int RSA_check_key(RSA *rsa);

DESCRIPTION

       This function validates RSA keys. It checks that p and q are in fact prime, and that n = p*q.

       It also checks that d*e = 1 mod (p-1*q-1), and that dmp1, dmq1 and iqmp are set correctly or are NULL.

       As such, this function can not be used with any arbitrary RSA key object, even if it is otherwise fit for regular RSA operation. See NOTES
       for more information.

RETURN VALUE

       RSA_check_key() returns 1 if rsa is a valid RSA key, and 0 otherwise.  -1 is returned if an error occurs while checking the key.

       If the key is invalid or an error occurred, the reason code can be obtained using ERR_get_error(3).

NOTES

       This function does not work on RSA public keys that have only the modulus and public exponent elements populated. It performs integrity
       checks on all the RSA key material, so the RSA key structure must contain all the private key data too.

       Unlike most other RSA functions, this function does not work transparently with any underlying ENGINE implementation because it uses the
       key data in the RSA structure directly. An ENGINE implementation can override the way key data is stored and handled, and can even provide
       support for HSM keys - in which case the RSA structure may contain no key data at all! If the ENGINE in question is only being used for
       acceleration or analysis purposes, then in all likelihood the RSA key data is complete and untouched, but this can't be assumed in the gen-
       eral case.

BUGS

       A method of verifying the RSA key using opaque RSA API functions might need to be considered. Right now RSA_check_key() simply uses the RSA
       structure elements directly, bypassing the RSA_METHOD table altogether (and completely violating encapsulation and object-orientation in
       the process).  The best fix will probably be to introduce a "check_key()" handler to the RSA_METHOD function table so that alternative
       implementations can also provide their own verifiers.

SEE ALSO

       rsa(3), ERR_get_error(3)

HISTORY

       RSA_check_key() appeared in OpenSSL 0.9.4.

0.9.7a								    2002-09-25							  RSA_check_key(3)
Man Page