Provided by: libreswan_4.14-1ubuntu2_amd64 bug

NAME

       ipsec_newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS

       ipsec newhostkey [[--quiet] | [--verbose]] [--nssdirnssdir] [--password password]
             [--bits bits] [--curve curve] [--keytype rsa|ecdsa] [--seeddev device]

DESCRIPTION

       newhostkey generates an RSA public/private key pair suitable for authenticating this host
       is generated and stored in the NSS database.

       See ipsec_showhostkey(8) for how to extract the public key from the NSS database.

   Output Options
       --quiet
           The --quiet option suppresses both the rsasigkey narrative and the existing-file
           warning message.

       --nssdir nssdir
           The --nssdir option specifies the NSS DB directory where the certificate key, and
           modsec databases reside (default /var/lib/ipsec/nss)

       --password password
           The --password option specifies a module authentication password that may be required
           if FIPS mode is enabled.

       --bits bits
           The --bits option specifies the number of bits in the RSA key; the current default is
           a random (multiple of 16) value between 3072 and 4096. The minimum allowed is 2192.

       --curve curve
           The --curve option specifies the named curve used in the ECDSA key; the current
           default is secp256r1. See ipsec_ecdsasigkey(8) for the available curve names.

       --keytype rsa|ecdsa
           The --keytype option specifies the type of key, which can either be rsa (RSA) or ecdsa
           (ECDSA); if omitted the current default is rsa.

       --seeddev device
           The --seeddev is used to specify the random device (default /dev/random used to seed
           the crypto library RNG.

FILES

       /dev/random, /dev/urandom

SEE ALSO

       ipsec_rsasigkey(8), ipsec_showhostkey(8), ipsec.secrets(5)

HISTORY

       Originally written for the Linux FreeS/WAN project <https://www.freeswan.org> by Henry
       Spencer. Updated by Paul Wouters

BUGS

       As with rsasigkey, the run time is difficult to predict, since depletion of the system's
       randomness pool can cause arbitrarily long waits for random bits for seeding the NSS
       library, and the prime-number searches can also take unpredictable (and potentially large)
       amounts of CPU time. See ipsec_rsasigkey(8) .

AUTHOR

       Paul Wouters
           placeholder to suppress warning