ipsec newhostkey [[--quiet ] | [--verbose ]] [--nssdirnssdir] [--password password] [--bits bits] [--curve curve] [--keytype rsa|ecdsa] [--seeddev device]
newhostkey generates an RSA public/private key pair suitable for authenticating this host is generated and stored in the NSS database.
See ipsec-showhostkey(8) for how to extract the public key from the NSS database.
--quiet
The --quiet option suppresses both
the rsasigkey narrative and
the existing-file warning message.
--nssdir /var/lib/ipsec/nss
The --nssdir option specifies the NSS DB
directory where the certificate key, and modsec databases reside
(default /var/lib/ipsec/nss)
--password password
The --password option specifies a
module authentication password
that may be required if FIPS mode is enabled.
--bits bits
The --bits option specifies the
number of bits in the RSA key; the current default is a
random (multiple of 16) value between 3072 and 4096. The
minimum allowed is 2192.
--curve curve
The --curve option specifies the named curve
used in the ECDSA key; the current default is secp256r1.
See ipsec-ecdsasigkey(8)
for the available curve names.
--keytype rsa|ecdsa
The --keytype option specifies the type of key,
which can either be rsa (RSA)
or ecdsa (ECDSA);
if omitted the current default is rsa.
--seeddev device
The --seeddev is used to specify the
random device (default /dev/random used
to seed the crypto library RNG.
Originally written for the Linux FreeS/WAN project <https://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters
As with rsasigkey, the run time is difficult to predict, since depletion of the system's randomness pool can cause arbitrarily long waits for random bits for seeding the NSS library, and the prime-number searches can also take unpredictable (and potentially large) amounts of CPU time. See ipsec-rsasigkey(8).