Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
IPSEC_NEWHOSTKEY(8)	      Executable programs	   IPSEC_NEWHOSTKEY(8)

NAME
       ipsec_newhostkey	- generate a new raw RSA authentication	key for	a host

SYNOPSIS

       ipsec newhostkey	[[--quiet] | [--verbose]] [--nssdirnssdir]
	     [--password password] [--bits bits] [--curve curve]
	     [--keytype	rsa|ecdsa] [--seeddev device]

DESCRIPTION
       newhostkey generates an RSA public/private key pair suitable for
       authenticating this host	is generated and stored	in the NSS database.

       See ipsec_showhostkey(8)	for how	to extract the public key from the NSS
       database.

   Output Options
       --quiet
	   The --quiet option suppresses both the rsasigkey narrative and the
	   existing-file warning message.

       --nssdir	nssdir
	   The --nssdir	option specifies the NSS DB directory where the
	   certificate key, and	modsec databases reside	(default
	   /usr/local/etc/ipsec.d)

       --password password
	   The --password option specifies a module authentication password
	   that	may be required	if FIPS	mode is	enabled.

       --bits bits
	   The --bits option specifies the number of bits in the RSA key; the
	   current default is a	random (multiple of 16)	value between 3072 and
	   4096. The minimum allowed is	2192.

       --curve curve
	   The --curve option specifies	the named curve	used in	the ECDSA key;
	   the current default is secp256r1. See ipsec_ecdsasigkey(8) for the
	   available curve names.

       --keytype rsa|ecdsa
	   The --keytype option	specifies the type of key, which can either be
	   rsa (RSA) or	ecdsa (ECDSA); if omitted the current default is rsa.

       --seeddev device
	   The --seeddev is used to specify the	random device (default
	   /dev/random used to seed the	crypto library RNG.

FILES
       /dev/random, /dev/urandom

SEE ALSO
       ipsec_rsasigkey(8), ipsec_showhostkey(8), ipsec.secrets(5)

HISTORY
       Originally written for the Linux	FreeS/WAN project
       <https://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters

BUGS
       As with rsasigkey, the run time is difficult to predict,	since
       depletion of the	system's randomness pool can cause arbitrarily long
       waits for random	bits for seeding the NSS library, and the prime-number
       searches	can also take unpredictable (and potentially large) amounts of
       CPU time. See ipsec_rsasigkey(8)	.

AUTHOR
       Paul Wouters
	   placeholder to suppress warning

libreswan			  05/13/2025		   IPSEC_NEWHOSTKEY(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=ipsec_newhostkey&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>

home | help