Provided by: openswan_2.6.23+dfsg-1ubuntu1_i386
ipsec newhostkey - generate a new raw RSA authentication key for a host
ipsec newhostkey [--quiet | --verbose] [--bits bits] [--hostname hostname] --output filename
newhostkey outputs (into filename, which can be '-' for standard
output) an RSA private key suitable for this host, in
/etc/ipsec.secrets format (see ipsec.secrets(5)); the --quiet
option is in effect by default.
The --output option is mandatory. The specified filename is created
under umask 077 if nonexistent; if it already exists and is non-empty,
a warning message about that is sent to standard error, and the output
is appended to the file.
The --quiet option suppresses both the rsasigkey narrative and the
existing-file warning message.
The --bits option specifies the number of bits in the key; the current
default is 2192 and we do not recommend use of anything shorter unless
unusual constraints demand it.
The --hostname option is passed through to rsasigkey to tell it what
host name to label the output with (via its --hostname option).
The output format is that of rsasigkey, with bracketing added to
complete the ipsec.secrets format. In the usual case, where
ipsec.secrets contains only the host's own key, the output of
newhostkey is sufficient as a complete ipsec.secrets file.
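The following is an added example, not part of the Openswan man page or its code. It mimics the --output handling described above (creation under umask 077, a warning on standard error when the file already exists and is non-empty, append rather than overwrite) and the ": RSA { ... }" bracketing that completes the ipsec.secrets format, and adds a permission check a practitioner would run on the resulting file. The key body is a constructed placeholder standing in for rsasigkey's real output; the function names write_hostkey, secrets_mode_ok and count_keys are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Openswan code): reproduce the --output file handling the
# man page describes, with a constructed placeholder instead of rsasigkey output.

# write_hostkey FILE [QUIET]
#   Creates FILE under umask 077 if it does not exist. If FILE already exists
#   and is non-empty, warns on stderr (suppressed when QUIET=1) and appends.
write_hostkey() {
    file=$1
    quiet=${2:-0}
    if [ -s "$file" ] && [ "$quiet" != 1 ]; then
        echo "write_hostkey: $file already exists and is non-empty; appending" >&2
    fi
    # umask is set in a subshell so the caller's umask is left untouched; the
    # >> redirection creates a new file with mode 0600 under umask 077.
    (
        umask 077
        # Constructed placeholder: real newhostkey emits rsasigkey's output
        # (Modulus:, PublicExponent:, PrivateExponent:, ...) between the braces.
        printf ': RSA\t{\n\t# PLACEHOLDER: rsasigkey output would appear here\n\t}\n' >> "$file"
    )
}

# secrets_mode_ok FILE
#   Returns 0 when FILE is readable and writable by its owner only (0600),
#   which is what a private-key file in ipsec.secrets format should be.
secrets_mode_ok() {
    case $(ls -ld "$1" | cut -c1-10) in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# count_keys FILE
#   Prints the number of RSA key blocks in FILE (one ": RSA" line per block),
#   so repeated runs can be seen to append rather than overwrite.
count_keys() {
    grep -c '^: RSA' "$1"
}
```

The subshell around umask matters: setting umask 077 in the calling shell would silently change the permissions of every file the caller creates afterwards.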
Written for the Linux FreeS/WAN project <http://www.freeswan.org> by
As with rsasigkey, the run time is difficult to predict, since
depletion of the system's random-number pool can cause arbitrarily
long waits for random bits. See ipsec_rsasigkey(8) for some typical
performance numbers.
A higher-level tool which could handle the clerical details of changing
to a new key would be helpful.
The requirement for --output is a blemish, but private keys are
extremely sensitive information and unusual precautions seem justified.