Provided by: libreswan_3.32-3ubuntu3_amd64 bug

NAME
       ipsec_newhostkey - generate a new raw RSA authentication key for a host


SYNOPSIS

       ipsec newhostkey [[--quiet] | [--verbose]] [--nssdirnssdir] [--password password] [--bits bits]
             [--seeddev device] [--hostname hostname] [--output filename]


DESCRIPTION
       newhostkey generates an RSA public/private key pair suitable for authenticating this host is generated
       and stored in the NSS database.

       See ipsec_showhostkey(8) for how to extract the public key from the NSS database.

   Output Options
       --output filename
           The --output option specifies an ipsec.secrets formatted file (see ipsec.secrets(5)). to store the
           public key information. If the file does not exist, it is created under umask 077. If the file
           already exists and is non-empty, a warning message about that is written to standard error, and the
           output is appended to the file.

       --quiet
           The --quiet option suppresses both the rsasigkey narrative and the existing-file warning message.

       --nssdir nssdir
           The --nssdir option specifies the NSS DB directory where the certificate key, and modsec databases
           reside (default /var/lib/ipsec/nss)

       --password password
           The --password option specifies a module authentication password that may be required if FIPS mode is
           enabled.

       --bits bits
           The --bits option specifies the number of bits in the RSA key; the current default is a random
           (multiple of 16) value between 3072 and 4096. The minimum allowed is 2192.

       --seeddev device
           The --seeddev is used to specify the random device (default /dev/random used to seed the crypto
           library RNG.

       --hostname hostname
           The --hostname option is passed through to rsasigkey to tell it what host name to label the output
           with (via its --hostname option).


FILES
       /dev/random, /dev/urandom


SEE ALSO
       ipsec_rsasigkey(8), ipsec_showhostkey(8), ipsec.secrets(5)


HISTORY
       Originally written for the Linux FreeS/WAN project <https://www.freeswan.org> by Henry Spencer. Updated
       by Paul Wouters


BUGS
       As with rsasigkey, the run time is difficult to predict, since depletion of the system's randomness pool
       can cause arbitrarily long waits for random bits for seeding the NSS library, and the prime-number
       searches can also take unpredictable (and potentially large) amounts of CPU time. See ipsec_rsasigkey(8)
       .

       A higher-level tool that could handle the clerical details of changing to a new key would be helpful.


AUTHOR
       Paul Wouters
           placeholder to suppress warning

libreswan                                          06/21/2021                                IPSEC_NEWHOSTKEY(8)