ipsec_keytool(8)
ipsec_keytool - Generate RSA and DSA keys, and convert existing key formats

/usr/sbin/ipsec_keytool [-d] [-c cipher] [-i string] [-o format] [-r string]
    [-s {password | passphrase}] [-S {password | passphrase}] input-file output-file

/usr/sbin/ipsec_keytool -g key-type[:size] [-c cipher] [-i string] [-r string]
    [-s {password | passphrase}] output-file

-c cipher
    Specifies the cipher to use to encrypt the output. Valid values are
    des-cbc or DES-CBC.
-d
    Derives the public key from input-file and stores it in output-file.
-g key-type[:size]
    Generates a key of type key-type. You can also specify the size of the
    key. Valid values for key-type are rsa and dsa.
-i string
    Specifies setting the subject field in the key, if supported.
-o format
    Specifies the format of the output key. Valid values are:
        Encrypted SSH proprietary private key
        Encrypted SSH client version 1 RSA key
        Encrypted SSH client version 2 RSA key
        Plain text private key (X.509) as in PKCS#11
        Plain text PKCS#1 private key
        Plain text PKCS#8 private key
        Encrypted PKCS#8 private key
-r string
    Specifies setting the comment field in the key, if supported.
-s {password | passphrase}
    Specifies either the password or passphrase to use with the output key.
    The password parameter can consist of alphanumeric characters only.
-S {password | passphrase}
    Specifies either the password or passphrase to use with the input key.
    The password parameter can consist of alphanumeric characters only.

The ipsec_keytool command generates RSA and DSA keys for
use by other IPsec tools. In addition, the command converts
existing keys from one format to another.

This command and other related certificate commands provided
in this IPsec implementation are intended for testing
purposes only. They are not intended to provide a
complete public-key certificate infrastructure.

You must precede the path name to the different files with
the following formatting characters, delimited by colons
as follows:

Privacy-Encoded-Mail (PEM) format
    The file is encoded as a Base64-encoded binary.
Binary (DER-encoded) format
    The file is encoded in accordance with the Distinguished
    Encoding Rules (DER) of ASN.1.
HEXL format
    The file is encoded as a hexadecimal string. Each
    line has the following form:

        xxxxxxxx: yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy

    In this form, xxxxxxxx is the hexadecimal offset of
    the data at the beginning of the line and yyyy yyyy
    yyyy yyyy yyyy yyyy yyyy yyyy is up to 16 bytes of
    hexadecimal data.

The ipsec_keytool command automatically detects the input
key format.
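
The HEXL line layout described above can be checked before a key file is handed to a conversion, so that a truncated or hand-edited file is caught early. The following Python sketch is an added example, not part of ipsec_keytool or this manual page; the function names are hypothetical, the sample bytes are constructed, and it assumes that a trailing odd byte is written as a two-digit group.

```python
import re

# One HEXL line: 8-digit hex offset, a colon, then 1 to 16 bytes written as
# space-separated groups of 4 hex digits. The last group may hold a single
# byte (2 digits); that detail is an assumption, not stated in the manual.
LINE_RE = re.compile(
    r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{4}){0,7} [0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?)\s*$"
)

def hexl_encode(data: bytes) -> str:
    """Render bytes as HEXL lines, 16 bytes per line."""
    lines = []
    for off in range(0, len(data), 16):
        digits = data[off:off + 16].hex()
        groups = " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))
        lines.append(f"{off:08x}: {groups}")
    return "\n".join(lines) + "\n"

def hexl_decode(text: str) -> bytes:
    """Parse HEXL text to bytes; reject malformed, missing or reordered lines."""
    out = bytearray()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # tolerate blank lines
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a valid HEXL line")
        offset = int(m.group(1), 16)
        # The offset must equal the number of bytes decoded so far;
        # a gap means a line was dropped or the file was spliced.
        if offset != len(out):
            raise ValueError(
                f"line {n}: offset {offset:#010x}, expected {len(out):#010x}"
            )
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)

if __name__ == "__main__":
    sample = bytes(range(20))          # constructed sample data, not a real key
    text = hexl_encode(sample)
    print(text, end="")
    print("round trip ok:", hexl_decode(text) == sample)
```
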
Some key types cannot be converted to another key type.
For example, you cannot convert a DSA key stored in ssh2
format to a pkcs1 format. Only RSA keys can be stored in
the pkcs1 format.
Note
Do not encrypt private keys when using them with the
ipsecd daemon.
To create a 768-bit DSA key in SSH format in a HEXL file, enter:

    # ipsec_keytool -g dsa:768 -o ssh :h:dsa768_ssh.hex

To create a 1024-bit RSA key in PKCS#1 format in a binary file, enter:

    # ipsec_keytool -g rsa:1024 -o pkcs1 :b:rsa1024_pkcs1.bin

To convert the 1024-bit RSA key to a PKCS#8 format, enter:

    # ipsec_keytool -o pkcs8 :b:rsa1024_pkcs1.bin :b:rsa1024_pkcs8.bin

To convert the 1024-bit RSA key in PKCS#1 format to an encrypted PKCS#8
format, enter:

    # ipsec_keytool -o pkcs8s -c des-cbc :b:rsa1024_pkcs1.bin \
      :b:rsa1024_pkcs8s.bin

To convert the 768-bit DSA key file from a HEXL file to a binary file, enter:

    # ipsec_keytool :h:dsa768_ssh.hex :b:dsa768_ssh.bin

To derive a public key from the 1024-bit RSA key, enter:

    # ipsec_keytool -d :b:rsa1024_pkcs8.bin :b:rsa1024_pkcs8_pub.bin

Commands: ipsec_certview(8), ipsec_convert(8), ipsec_keypaircheck(8)