]> Sep 18, 2009 pkcs11-keygen 8 BIND9 pkcs11-keygen generate RSA keys on a PKCS#11 device 2009 Internet Systems Consortium, Inc. ("ISC") pkcs11-keygen -b keysize -l label DESCRIPTION pkcs11-keygen causes a PKCS#11 device to generate a new RSA key pair with the specified and with bits of modulus. ARGUMENTS -P Set the new private key to be non-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non-extractable. -m module Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -s slot Open the session with the given PKCS#11 slot. The default is slot 0. -e Use a large exponent. -b keysize Create the key pair with bits of modulus. -l label Create key objects with the given label. This name must be unique. -i id Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number. -p PIN Specify the PIN for the device. If no PIN is provided on the command line, pkcs11-keygen will prompt for it. SEE ALSO pkcs11-list3 , pkcs11-destroy3 , dnssec-keyfromlabel3 , CAVEAT Some PKCS#11 providers crash with big public exponent. AUTHOR Internet Systems Consortium