Provided by: openswan_2.4.9+dfsg-1build1_i386

NAME
       ipsec newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS
       ipsec newhostkey [--quiet | --verbose] [--bits bits]
             [--hostname hostname] --output filename

DESCRIPTION
       newhostkey outputs (into filename, which can be '-' for standard
       output) an RSA private key suitable for this host, in
       /etc/ipsec.secrets format (see ipsec.secrets(5)), using the --quiet
       option by default.

       The --output option is mandatory. The specified filename is created
       under umask 077 if nonexistent; if it already exists and is non-empty,
       a warning message about that is sent to standard error, and the output
       is appended to the file.

       The --quiet option suppresses both the rsasigkey narrative and the
       existing-file warning message.

       The --bits option specifies the number of bits in the key; the current
       default is 2192 and we do not recommend use of anything shorter unless
       unusual constraints demand it.

       The --hostname option is passed through to rsasigkey to tell it what
       host name to label the output with (via its --hostname option).

       The output format is that of rsasigkey, with bracketing added to
       complete the ipsec.secrets format. In the usual case, where
       ipsec.secrets contains only the host's own private key, the output of
       newhostkey is sufficient as a complete ipsec.secrets file.
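       The following POSIX shell script is an added example, not openswan's
       own code. It reproduces the --output file handling described above
       (creation under umask 077, a warning on standard error when the file
       already exists and is non-empty, append rather than overwrite) and
       adds the check an operator should run on the resulting file: that it
       is readable and writable by its owner only, and that it carries the
       ": RSA {" ... "}" bracketing that newhostkey wraps around rsasigkey
       output. The function names emit_to_output, check_secrets and demo are
       chosen here, and the key text written by demo is a constructed
       placeholder, not key material.

```shell
#!/bin/sh
# Added example, not openswan's own code: reproduces the --output file
# handling the man page describes and checks the resulting file.
# The key text used by demo() is a constructed placeholder, not a real key.

# emit_to_output FILE [QUIET]
#   Copies stdin to FILE.  FILE "-" means standard output.  A new file is
#   created under umask 077 (mode 0600); an existing non-empty file gets a
#   warning on stderr (suppressed when QUIET=1) and the data is appended.
emit_to_output() {
    out=$1
    quiet=${2:-0}
    if [ "$out" = "-" ]; then
        cat
        return 0
    fi
    if [ -s "$out" ] && [ "$quiet" != 1 ]; then
        echo "$out already exists and is non-empty; appending" >&2
    fi
    # umask is changed only inside the subshell, so the caller's umask is kept
    ( umask 077; cat >> "$out" )
}

# check_secrets FILE
#   Returns 0 if FILE exists, is readable/writable by its owner only
#   (-rw-------), and carries the ": RSA {" ... "}" bracketing; otherwise
#   1 = missing, 2 = permissions too open, 3 = bracketing missing.
check_secrets() {
    f=$1
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || return 2
    grep -q '^: RSA' "$f" || return 3
    grep -q '^[[:space:]]*}' "$f" || return 3
    return 0
}

# demo FILE
#   Writes a placeholder entry to FILE (quietly) and reports the check
#   result, so the script can be run stand-alone with RUN_DEMO=1.
demo() {
    printf ': RSA {\n\t# constructed placeholder, not key material\n\tModulus: 0x00\n\t}\n' \
        | emit_to_output "$1" 1
    rc=0
    check_secrets "$1" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$1: mode and bracketing ok"
    else
        echo "$1: check failed (status $rc)" >&2
        return 1
    fi
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo "${1:-./ipsec.secrets.example}"
fi
```

       Run it as RUN_DEMO=1 sh newhostkey-check.sh /path/to/ipsec.secrets.
       The mode check compares the ls -l permission string rather than
       using stat, so it behaves the same on GNU and BSD userlands.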

FILES
       /dev/random, /dev/urandom

SEE ALSO
       ipsec_rsasigkey(8), ipsec.secrets(5)

HISTORY
       Written for the Linux FreeS/WAN project <> by Henry Spencer.

BUGS
       As with rsasigkey, the run time is difficult to predict, since
       depletion of the system's randomness pool can cause arbitrarily long
       waits for random bits, and the prime-number searches can also take
       unpredictable (and potentially large) amounts of CPU time. See
       ipsec_rsasigkey(8) for some typical performance numbers.

       A higher-level tool which could handle the clerical details of changing
       to a new key would be helpful.

       The requirement for --output is a blemish, but private keys are
       extremely sensitive information and unusual precautions seem justified.