Provided by: openswan_2.4.12+dfsg-1.3_i386
ipsec newhostkey - generate a new raw RSA authentication key for a host
ipsec newhostkey [--quiet | --verbose] [--bits bits]
[--hostname hostname] --output filename
newhostkey outputs (into filename, which can be ’-’ for standard
output) an RSA private key suitable for this host, in
/etc/ipsec.secrets format (see ipsec.secrets(5)) using the --quiet
option per default.
The --output option is mandatory. The specified filename is created
under umask 077 if nonexistent; if it already exists and is non-empty,
a warning message about that is sent to standard error, and the output
is appended to the file.
The --quiet option suppresses both the rsasigkey narrative and the
existing-file warning message.
The --bits option specifies the number of bits in the key; the current
default is 2192 and we do not recommend use of anything shorter unless
unusual constraints demand it.
The --hostname option is passed through to rsasigkey to tell it what
host name to label the output with (via its --hostname option).
The output format is that of rsasigkey, with bracketing added to
complete the ipsec.secrets format. In the usual case, where
s own private key, the output of newhostkey is sufficient as a complete ipsec.secrets file.
ipsec.secrets contains only the hostâ
Written for the Linux FreeS/WAN project <http://www.freeswan.org:
http://www.freeswan.org> by Henry Spencer.
As with rsasigkey, the run time is difficult to predict, since
s randomness pool can cause arbitrarily long waits for random bits, and the prime-number searches can also take unpre dictable (and potentially large) amounts of CPU time. See ipsec_rsasigkey(8) for some typical performance numbers.
depletion of the systemâ
A higher-level tool which could handle the clerical details of changing
to a new key would be helpful.
The requirement for --output is a blemish, but private keys are
extremely sensitive information and unusual precautions seem justified.