Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")

 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.

 THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.

 $Id: pkcs11-keygen.8,v 1.4 2009/10/06 04:40:14 tbox Exp $

 Title: pkcs11-keygen
 Author: 
 Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 Date: Sep 18, 2009
 Manual: BIND9
 Source: BIND9

 "PKCS11-KEYGEN" "8" "Sep 18, 2009" "BIND9" "BIND9"
 disable hyphenation
 disable justification (adjust text to left margin only)
 "NAME"
pkcs11-keygen - generate RSA keys on a PKCS#11 device

 "SYNOPSIS"
 14
pkcs11-keygen [-P] [-m module] [-s slot] [-e] {-b keysize} {-l label} [-i id] [-p PIN]

 "DESCRIPTION"

pkcs11-keygen
causes a PKCS#11 device to generate a new RSA key pair with the specified
label
and with
keysize
bits of modulus.

 "ARGUMENTS"

-P


Set the new private key to be non-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non-extractable.




-m module


Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.




-s slot


Open the session with the given PKCS#11 slot. The default is slot 0.




-e


Use a large exponent.




-b keysize


Create the key pair with
keysize
bits of modulus.




-l label


Create key objects with the given label. This name must be unique.




-i id


Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number.




-p PIN


Specify the PIN for the device. If no PIN is provided on the command line,
pkcs11-keygen
will prompt for it.



 "SEE ALSO"

pkcs11-list(3),
pkcs11-destroy(3),
dnssec-keyfromlabel(3),

 "CAVEAT"

Some PKCS#11 providers crash with big public exponent.

 "AUTHOR"

Internet Systems Consortium

 "COPYRIGHT"
Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")