ipsec_newhostkey - generate a new raw RSA authentication key for a host
newhostkey [[--quiet] | [--verbose]] [--nssdirnssdir]
[--password password] [--bits bits]
[--seeddev device] [--hostname hostname]
generates an RSA public/private key pair suitable for
authenticating this host is generated and stored in the NSS database.
(8) for how to extract the public key from the NSS
The --output option specifies an
ipsec.secrets formatted file (see ipsec.secrets(5)). to store
the public key information. If the file does not exist, it is created under
umask 077. If the file already exists and is non-empty, a warning
message about that is written to standard error, and the output is appended to
The --quiet option suppresses both the
rsasigkey narrative and the existing-file warning message.
The --nssdir option specifies the NSS
DB directory where the certificate key, and modsec databases reside (default
The --password option specifies a
module authentication password that may be required if FIPS mode is
The --bits option specifies the number
of bits in the RSA key; the current default is a random (multiple of 16) value
between 3072 and 4096. The minimum allowed is 2192.
The --seeddev is used to specify the
random device (default /dev/random used to seed the crypto library RNG.
The --hostname option is passed through
to rsasigkey to tell it what host name to label the output with (via
its --hostname option).
Originally written for the Linux FreeS/WAN project <
> by Henry Spencer. Updated by Paul Wouters
As with rsasigkey
, the run time is difficult to predict, since depletion
of the system's randomness pool can cause arbitrarily long waits for random
bits for seeding the NSS library, and the prime-number searches can also take
unpredictable (and potentially large) amounts of CPU time. See
A higher-level tool which could handle the clerical details of changing to a new
key would be helpful.
placeholder to suppress warning