Provided by: openswan_2.6.38-1_amd64 bug

NAME
       ipsec_newhostkey - generate a new raw RSA authentication key for a host


SYNOPSIS
       ipsec newhostkey [[--configdiranssdbdir] | [--password password]] [[--quiet] |
             [--verbose]] [--bits bits] [--hostname hostname] --output filename


DESCRIPTION
       newhostkey outputs (into filename, which can be ´-´ for standard output) an RSA private
       key suitable for this host, in /etc/ipsec.secrets format (see ipsec.secrets(5)) using the
       --quiet option per default.

       The --output option is mandatory. The specified filename is created under umask 077 if
       nonexistent; if it already exists and is non-empty, a warning message about that is sent
       to standard error, and the output is appended to the file.

       The --quiet option suppresses both the rsasigkey narrative and the existing-file warning
       message.

       When compiled with NSS support, --configdir specifies the nss configuration directory
       where the certificate key, and modsec databases reside. There is no default value, though
       /etc/ipsec.d might be sensible choice.

       When compiled with NSS support, --password specifies a module authentication password that
       may be required if FIPS mode is enabled

       The --bits option specifies the number of bits in the key; the current default is 2192 and
       we do not recommend use of anything shorter unless unusual constraints demand it.

       The --hostname option is passed through to rsasigkey to tell it what host name to label
       the output with (via its --hostname option).

       The output format is that of rsasigkey, with bracketing added to complete the
       ipsec.secrets format. In the usual case, where ipsec.secrets contains only the host’s
       own private key, the output of newhostkey is sufficient as a complete ipsec.secrets file.


FILES
       /dev/random, /dev/urandom


SEE ALSO
       ipsec_rsasigkey(8), ipsec.secrets(5)


HISTORY
       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer.


BUGS
       As with rsasigkey, the run time is difficult to predict, since depletion of the system’s
       randomness pool can cause arbitrarily long waits for random bits, and the prime-number
       searches can also take unpre dictable (and potentially large) amounts of CPU time. See
       ipsec_rsasigkey(8) for some typical performance numbers.

       A higher-level tool which could handle the clerical details of changing to a new key would
       be helpful.

       The requirement for --output is a blemish, but private keys are extremely sensitive
       information and unusual precautions seem justified.

[FIXME: source]                             10/06/2010                           IPSEC_RANBITS(8)