ipsec_keytool(8)

NAME
    ipsec_keytool - Generate RSA and DSA keys, and convert existing key formats
SYNOPSIS
    /usr/sbin/ipsec_keytool [-d] [-c cipher] [-i string] [-o format] [-r string]
        [-s {password | passphrase}] [-S {password | passphrase}] input-file output-file

    /usr/sbin/ipsec_keytool -g key-type[:size] [-c cipher] [-i string] [-r string]
        [-s {password | passphrase}] output-file
OPTIONS
    -c cipher
        Specifies the cipher to use to encrypt the output. Valid values are
        des-cbc or DES-CBC.

    -d  Derives the public key from input-file and stores it in output-file.

    -g key-type[:size]
        Generates a key of type key-type. You can also specify the size of
        the key. Valid values for key-type are rsa and dsa.

    -i string
        Specifies setting the subject field in the key, if supported.

    -o format
        Specifies the format of the output key. Valid values are:
            Encrypted SSH proprietary private key
            Encrypted SSH client version 1 RSA key
            Encrypted SSH client version 2 RSA key
            Plain text private key (X.509) as in PKCS#11
            Plain text PKCS#1 private key
            Plain text PKCS#8 private key
            Encrypted PKCS#8 private key

    -r string
        Specifies setting the comment field in the key, if supported.

    -s {password | passphrase}
        Specifies either the password or passphrase to use with the output
        key. The password parameter can consist of alphanumeric characters
        only.

    -S {password | passphrase}
        Specifies either the password or passphrase to use with the input
        key. The password parameter can consist of alphanumeric characters
        only.
DESCRIPTION
The ipsec_keytool command generates RSA and DSA keys for use by other
IPsec tools. In addition, the command converts existing keys from one
format to another.
This command and other related certificate commands provided in this
IPsec implementation are intended for testing purposes only. They are
not intended to provide a complete public-key certificate infrastruc‐
ture.
You must precede the path name of each file with a formatting character that
selects the file encoding, delimited by colons, as follows. In the EXAMPLES
section, :b: selects the binary format and :h: selects the HEXL format.

    Privacy-Enhanced Mail (PEM) format
        The file is encoded as Base64-encoded binary.

    Binary (DER-encoded) format
        The file is encoded in accordance with the Distinguished Encoding
        Rules (DER) of ASN.1.

    HEXL format
        The file is encoded as a hexadecimal string. Each line has the
        following form:

            xxxxxxxx: yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy

        In this form, xxxxxxxx is the hexadecimal offset of the data at the
        beginning of the line, and yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy is
        up to 16 bytes of hexadecimal data.
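The HEXL layout described above (an 8-digit hex offset, a colon, then up to 16 bytes as space-separated 2-byte groups) is simple enough to encode and verify before handing a file to ipsec_keytool. The following codec is an added example, not part of the original man page or the IPsec tool set; the sample bytes are constructed and are not a real key.

```python
"""Minimal HEXL encoder/decoder for the layout described in ipsec_keytool(8)."""
import re

# One HEXL line: 8 hex digits, a colon, then groups of 4 (or a final 2) hex digits,
# each preceded by a single space.
_HEXL_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: (?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2}))+)$")

# Constructed sample data (20 bytes), so that the output spans two lines.
SAMPLE = bytes(range(20))


def hexl_encode(data: bytes) -> str:
    """Encode bytes as HEXL text: 16 bytes per line, 2 bytes per hex group."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        lines.append(f"{off:08x}: " + " ".join(groups))
    return "\n".join(lines) + "\n"


def hexl_decode(text: str) -> bytes:
    """Decode HEXL text, rejecting malformed lines, over-long lines and
    offsets that do not match the number of bytes already decoded."""
    out = bytearray()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _HEXL_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a HEXL line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"line {lineno}: offset {offset:08x}, expected {len(out):08x}")
        payload = bytes.fromhex(m.group(2).replace(" ", ""))
        if len(payload) > 16:
            raise ValueError(f"line {lineno}: {len(payload)} bytes, HEXL allows at most 16")
        out += payload
    return bytes(out)


def is_valid_hexl(text: str) -> bool:
    """True if the whole text decodes as consistent HEXL, False otherwise."""
    try:
        hexl_decode(text)
    except ValueError:
        return False
    return True
```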
The ipsec_keytool command automatically detects the input key format.
Some key types cannot be converted to another key type. For example,
you cannot convert a DSA key stored in ssh2 format to a pkcs1 format.
Only RSA keys can be stored in the pkcs1 format.
Note
Do not encrypt private keys when using them with the ipsecd daemon.
EXAMPLES
To create a 768-bit DSA key in SSH format in a HEXL file, enter:

    # ipsec_keytool -g dsa:768 -o ssh :h:dsa768_ssh.hex

To create a 1024-bit RSA key in PKCS#1 format in a binary file, enter:

    # ipsec_keytool -g rsa:1024 -o pkcs1 :b:rsa1024_pkcs1.bin

To convert the 1024-bit RSA key to PKCS#8 format, enter:

    # ipsec_keytool -o pkcs8 :b:rsa1024_pkcs1.bin :b:rsa1024_pkcs8.bin

To convert the 1024-bit RSA key in PKCS#1 format to an encrypted PKCS#8
format, enter:

    # ipsec_keytool -o pkcs8s -c des-cbc :b:rsa1024_pkcs1.bin :b:rsa1024_pkcs8s.bin

To convert the 768-bit DSA key file from a HEXL file to a binary file, enter:

    # ipsec_keytool :h:dsa768_ssh.hex :b:dsa768_ssh.bin

To derive a public key from the 1024-bit RSA key, enter:

    # ipsec_keytool -d :b:rsa1024_pkcs8.bin :b:rsa1024_pkcs8_pub.bin
SEE ALSO
Commands: ipsec_certview(8), ipsec_convert(8), ipsec_keypaircheck(8)