ipsec_keytool(8)
NAME
ipsec_keytool - Generate RSA and DSA keys, and convert existing key formats
SYNOPSIS
/usr/sbin/ipsec_keytool [-d] [-c cipher] [-i string] [-o format] [-r string]
[-s {password | passphrase}] [-S {password | passphrase}] input-file
output-file
/usr/sbin/ipsec_keytool -g key-type[:size] [-c cipher] [-i string] [-r
string] [-s {password | passphrase}] output-file
OPTIONS
-c cipher
Specifies the cipher to use to encrypt the output. Valid values are
des-cbc or DES-CBC.
-d Derives the public key from input-file and stores it in output-file.
-g key-type [:size]
Generates a key of type key-type. You can also specify the size of the
key. Valid values for key-type are rsa and dsa.
-i string
Sets the subject field in the key, if supported.
-o format
Specifies the format of the output key. Valid values are:
ssh     Encrypted SSH proprietary private key
ssh1    Encrypted SSH client version 1 RSA key
ssh2    Encrypted SSH client version 2 RSA key
x509    Plain text private key (X.509) as in PKCS#11
pkcs1   Plain text PKCS#1 private key
pkcs8   Plain text PKCS#8 private key
pkcs8s  Encrypted PKCS#8 private key
-r string
Sets the comment field in the key, if supported.
-s {password|passphrase}
Specifies either the password or passphrase to use with the output key.
The password parameter can consist of alphanumeric characters only.
-S {password|passphrase}
Specifies either the password or passphrase to use with the input key.
The password parameter can consist of alphanumeric characters only.
DESCRIPTION
The ipsec_keytool command generates RSA and DSA keys for use by other IPsec
tools. In addition, the command converts existing keys from one format to
another.
This command and other related certificate commands provided in this IPsec
implementation are intended for testing purposes only. They are not
intended to provide a complete public-key certificate infrastructure.
You must precede the path name to the different files with the following
formatting characters, delimited by colons as follows:
:p: Privacy-Encoded-Mail (PEM) format
The file is encoded as a Base64-encoded binary.
:b: Binary (DER-encoded) format
The file is encoded in accordance with the Distinguished Encoding
Rules (DER) of ASN.1.
:h: HEXL format
The file is encoded as a hexadecimal string. Each line has the
following form:
xxxxxxxx: yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy
In this form, xxxxxxxx is the hexadecimal offset of the data at the
beginning of the line and yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy
is up to 16 bytes of hexadecimal data.
The ipsec_keytool command automatically detects the input key format.
Some key types cannot be converted to another key type. For example, you
cannot convert a DSA key stored in ssh2 format to a pkcs1 format. Only RSA
keys can be stored in the pkcs1 format.
Note
Do not encrypt private keys when using them with the ipsecd daemon.
EXAMPLES
1. To create a 768-bit DSA key in SSH format in a HEXL file, enter:
# ipsec_keytool -g dsa:768 -o ssh :h:dsa768_ssh.hex
2. To create a 1024-bit RSA key in PKCS#1 format in a binary file, enter:
# ipsec_keytool -g rsa:1024 -o pkcs1 :b:rsa1024_pkcs1.bin
3. To convert the 1024-bit RSA key to a PKCS#8 format, enter:
# ipsec_keytool -o pkcs8 :b:rsa1024_pkcs1.bin :b:rsa1024_pkcs8.bin
4. To convert the 1024-bit RSA key in PKCS#1 format to an encrypted
PKCS#8 format, enter:
# ipsec_keytool -o pkcs8s -c des-cbc :b:rsa1024_pkcs1.bin \
:b:rsa1024_pkcs8s.bin
5. To convert the 768-bit DSA key file from a HEXL file to a binary file,
enter:
# ipsec_keytool :h:dsa768_ssh.hex :b:dsa768_ssh.bin
6. To derive a public key from the 1024-bit RSA key, enter:
# ipsec_keytool -d :b:rsa1024_pkcs8.bin :b:rsa1024_pkcs8_pub.bin
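The following is an added example, not part of the original manual page or of ipsec_keytool itself: a Python check that splits a prefixed file name (:p:, :b:, :h:) and decodes a HEXL file as described under DESCRIPTION, rejecting files whose line offsets do not match the data decoded so far. The function names and the sample bytes are constructed for illustration, and the decoder assumes lines carry only the offset and hexadecimal data, with no trailing text column.

```python
import re

# One HEXL line: 8-hex-digit offset, a colon, then whole bytes of hex data.
# The page shows the data grouped in fours; grouping is not enforced here.
_LINE = re.compile(r"^([0-9A-Fa-f]{8}):((?:\s*[0-9A-Fa-f]{2})*)\s*$")
_PREFIXES = {"p": "pem", "b": "der", "h": "hexl"}

# Constructed sample (20 arbitrary bytes), not a real key.
SAMPLE = (
    "00000000: 3082 025c 0201 0002 8181 00c3 5a11 22f0\n"
    "00000010: 0102 0304\n"
)


def split_file_spec(spec):
    """Split ':h:name' into ('hexl', 'name'); reject a missing or unknown prefix."""
    m = re.match(r"^:([pbh]):(.+)$", spec)
    if not m:
        raise ValueError(f"file spec needs a :p:, :b: or :h: prefix: {spec!r}")
    return _PREFIXES[m.group(1)], m.group(2)


def decode_hexl(text):
    """Return the bytes encoded by HEXL text, validating each line's offset."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a HEXL line")
        offset = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        if len(data) > 16:
            raise ValueError(f"line {lineno}: more than 16 bytes of data")
        # A short, missing or reordered line makes the next offset disagree
        # with the running length, which is how truncation shows up.
        if offset != len(out):
            raise ValueError(
                f"line {lineno}: offset {offset:#x}, expected {len(out):#x}"
            )
        out += data
    return bytes(out)


if __name__ == "__main__":
    kind, name = split_file_spec(":h:dsa768_ssh.hex")
    print(kind, name, decode_hexl(SAMPLE).hex())
```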
SEE ALSO
Commands: ipsec_certview(8), ipsec_convert(8), ipsec_keypaircheck(8)