pkcs11-keygen - generate keys on a PKCS#11 device
pkcs11-keygen {-a algorithm} [-b keysize] [-e] [-i id] [-m module] [-P]
[-p PIN] [-q] [-S] [-s slot] {label}
PKCS11-KEYGEN(8) BIND9 PKCS11-KEYGEN(8)
NAME
pkcs11-keygen - generate keys on a PKCS#11 device
SYNOPSIS
pkcs11-keygen {-a algorithm} [-b keysize] [-e] [-i id] [-m module] [-P]
[-p PIN] [-q] [-S] [-s slot] {label}
DESCRIPTION
pkcs11-keygen causes a PKCS#11 device to generate a new key pair with
the given label (which must be unique) and with keysize bits of prime.
ARGUMENTS
-a algorithm
Specify the key algorithm class: Supported classes are RSA, DSA,
DH, and ECC. In addition to these strings, the algorithm can be
specified as a DNSSEC signing algorithm that will be used with this
key; for example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256
maps to ECC. The default class is "RSA".
-b keysize
Create the key pair with keysize bits of prime. For ECC keys, the
only valid values are 256 and 384, and the default is 256.
-e
For RSA keys only, use a large exponent.
-i id
Create key objects with id. The id is either an unsigned short 2
byte or an unsigned long 4 byte number.
-m module
Specify the PKCS#11 provider module. This must be the full path to
a shared library object implementing the PKCS#11 API for the
device.
-P
Set the new private key to be non-sensitive and extractable. The
allows the private key data to be read from the PKCS#11 device. The
default is for private keys to be sensitive and non-extractable.
-p PIN
Specify the PIN for the device. If no PIN is provided on the
command line, pkcs11-keygen will prompt for it.
-q
Quiet mode: suppress unnecessary output.
-S
For Diffie-Hellman (DH) keys only, use a special prime of 768, 1024
or 1536 bit size and base (aka generator) 2. If not specified, bit
size will default to 1024.
-s slot
Open the session with the given PKCS#11 slot. The default is slot
0.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+---------------+------------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+------------------+
|Availability | network/dns/bind |
+---------------+------------------+
|Stability | Uncommitted |
+---------------+------------------+
SEE ALSO
pkcs11-destroy(8), pkcs11-list(8), pkcs11-tokens(8), dnssec-
keyfromlabel(8)
AUTHOR
Internet Systems Consortium, Inc.
COPYRIGHT
Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
NOTES
This software was built from source available at
https://github.com/oracle/solaris-userland. The original community
source was downloaded from
http://ftp.isc.org/isc/bind9/9.10.6-P1/bind-9.10.6-P1.tar.gz
Further information about this software can be found on the open source
community website at http://www.isc.org/software/bind/.
ISC 2014-01-15 PKCS11-KEYGEN(8)