Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

strongimcv_pki---gen(1) [centos man page]

PKI --GEN(1)							    strongSwan							      PKI --GEN(1)

NAME
pki --gen - Generate a new RSA or ECDSA private key SYNOPSIS
pki --gen [--type type] [--size bits] [--safe-primes] [--shares n] [--threshold l] [--outform encoding] [--debug level] pki --gen --options file pki --gen -h | --help DESCRIPTION
This sub-command of pki(1) is used to generate a new RSA or ECDSA private key. OPTIONS
-h, --help Print usage information with a summary of the available options. -v, --debug level Set debug level, default: 1. -+, --options file Read command line options from file. -t, --type type Type of key to generate. Either rsa or ecdsa, defaults to rsa. -s, --size bits Key length in bits. Defaults to 2048 for rsa and 384 for ecdsa. For ecdsa only three values are currently supported: 256, 384 and 521. -p, --safe-primes Generate RSA safe primes. -f, --outform encoding Encoding of the generated private key. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der. RSA Threshold Cryptography -n, --shares <n> Number of private RSA key shares. -l, --threshold <l> Minimum number of participating RSA key shares. PROBLEMS ON HOSTS WITH LOW ENTROPY
If the gmp plugin is used to generate RSA private keys the key material is read from /dev/random (via the random plugin). Therefore, the command may block if the system's entropy pool is empty. To avoid this, either use a hardware random number generator to feed /dev/random or use OpenSSL (via the openssl plugin or the command line) which is not as strict in regards to the quality of the key material (it reads from /dev/urandom if necessary). It is also possible to configure the devices used by the random plugin in strongswan.conf(5). Setting libstrongswan.plugins.random.random to /dev/urandom forces the plugin to treat bytes read from /dev/urandom as high grade random data, thus avoiding the blocking. Of course, this doesn't change the fact that the key material generated this way is of lower quality. EXAMPLES
pki --gen --size 3072 > rsa_key.der Generates a 3072-bit RSA private key. pki --gen --type ecdsa --size 256 > ecdsa_key.der Generates a 256-bit ECDSA private key. SEE ALSO
pki(1) 5.1.1 2013-07-31 PKI --GEN(1)

Check Out this Related Man Page

RSA_check_key(3openssl) 					      OpenSSL						   RSA_check_key(3openssl)

NAME
RSA_check_key - validate private RSA keys SYNOPSIS
#include <openssl/rsa.h> int RSA_check_key(RSA *rsa); DESCRIPTION
This function validates RSA keys. It checks that p and q are in fact prime, and that n = p*q. It also checks that d*e = 1 mod (p-1*q-1), and that dmp1, dmq1 and iqmp are set correctly or are NULL. As such, this function can not be used with any arbitrary RSA key object, even if it is otherwise fit for regular RSA operation. See NOTES for more information. RETURN VALUE
RSA_check_key() returns 1 if rsa is a valid RSA key, and 0 otherwise. -1 is returned if an error occurs while checking the key. If the key is invalid or an error occurred, the reason code can be obtained using ERR_get_error(3). NOTES
This function does not work on RSA public keys that have only the modulus and public exponent elements populated. It performs integrity checks on all the RSA key material, so the RSA key structure must contain all the private key data too. Unlike most other RSA functions, this function does not work transparently with any underlying ENGINE implementation because it uses the key data in the RSA structure directly. An ENGINE implementation can override the way key data is stored and handled, and can even provide support for HSM keys - in which case the RSA structure may contain no key data at all! If the ENGINE in question is only being used for acceleration or analysis purposes, then in all likelihood the RSA key data is complete and untouched, but this can't be assumed in the gen- eral case. BUGS
A method of verifying the RSA key using opaque RSA API functions might need to be considered. Right now RSA_check_key() simply uses the RSA structure elements directly, bypassing the RSA_METHOD table altogether (and completely violating encapsulation and object-orientation in the process). The best fix will probably be to introduce a "check_key()" handler to the RSA_METHOD function table so that alternative implementations can also provide their own verifiers. SEE ALSO
rsa(3), ERR_get_error(3) HISTORY
RSA_check_key() appeared in OpenSSL 0.9.4. OpenSSL-0.9.8 Oct 11 2005 RSA_check_key(3openssl)
Man Page