keygen

This command generates a public-private key pair and a CSR (certificate signing request) for a server.

Syntax

Generates a key pair
keygen [{C | countryName} iso-code] [{L | localityName} locality] [{ST | stateOrProvinceName} state] [{O | organizationName} org] [{OU | organizationalUnitName} unit-name] {CN | commonName} server-name [key-type type] rsa {1024 | 2048 | 4096} [digest algorithm] [ecdsa-curve name] [gen-object] [object-name name] [gen-sscert] [days number-days] [file-name name] [config-file name] [export-key] [export-sscert] [password plaintext] [password-alias alias] [using-key name]

Parameters

{C | countryName} iso-code
Optionally specifies the ISO two-character country identifier for the CSR.
{L | localityName} locality
Optionally specifies the city or town name for the CSR. Use a text string up to 64 characters in length. If the string contains spaces, enclose in double quotation marks.
{ST | stateOrProvinceName} state
Optionally specifies the unabbreviated state or province name for the CSR. Use a text string up to 64 characters in length. If the string contains spaces, enclose in double quotation marks.
{O | organizationName} organization
Optionally specifies the organization name for the CSR. Use a text string up to 64 characters in length. If the string contains spaces, enclose in double quotation marks.
{OU | organizationalUnitName} unit-name
Optionally specifies the organizational unit name for the CSR. Use a text string up to 64 characters in length. If the string contains spaces, enclose in double quotation marks.
{CN | commonName} server-name
Specifies the fully qualified domain name of the server for the CSR. Use a text string up to 64 characters in length.
key-type type
Indicates the type of key to generate. The following values are supported. The default value is RSA.
RSA
Generates RSA keys.
ECDSA
Generates Elliptic Curve Digital Signature Algorithm (ECDSA) keys.
rsa {1024 | 2048 | 4096}
Indicates the length of the generated RSA key. The default value is 1024. The generation of a 4096-bit key can take up to 30 seconds. This keyword is required only when the key type set by the key-type keyword is RSA.
digest algorithm
Specifies the hash algorithm to use with the generated RSA key. The default value is sha256. This keyword is required only when the key type set by the key-type keyword is RSA and the gen-sscert keyword is set to on.
sha1
Uses SHA-1.
sha256
Uses SHA-256.
ecdsa-curve name
Specifies the elliptic curve to use to generate the ECDSA keys. The curves in the following table are supported. The default value is secp256r1. This keyword is required only when the key type is ECDSA.
Table 1. Supported elliptic curves

Curve name        Value   Reference
sect163k1         1       RFC 4492
sect163r1         2       RFC 4492
sect163r2         3       RFC 4492
sect193r1         4       RFC 4492
sect193r2         5       RFC 4492
sect233k1         6       RFC 4492
sect233r1         7       RFC 4492
sect239k1         8       RFC 4492
sect283k1         9       RFC 4492
sect283r1         10      RFC 4492
sect409k1         11      RFC 4492
sect409r1         12      RFC 4492
sect571k1         13      RFC 4492
sect571r1         14      RFC 4492
secp160k1         15      RFC 4492
secp160r1         16      RFC 4492
secp160r2         17      RFC 4492
secp192k1         18      RFC 4492
secp192r1         19      RFC 4492
secp224k1         20      RFC 4492
secp224r1         21      RFC 4492
secp256k1         22      RFC 4492
secp256r1         23      RFC 4492
secp384r1         24      RFC 4492
secp521r1         25      RFC 4492
brainpoolP256r1   26      RFC 7027
brainpoolP384r1   27      RFC 7027
brainpoolP512r1   28      RFC 7027
gen-object
Creates a key management object. To create a certificate management object, use the gen-sscert property.
object-name name
Optionally specifies the names for the objects that are created by the gen-object property. If not specified, the value for the commonName property is used.
gen-sscert
Optionally creates a self-signed certificate in addition to the private key and CSR.
days number-days
Optionally specifies the validity period in days for the self-signed certificate. The default value is 365 days.
file-name name
Optionally specifies a common prefix for the generated private key, CSR, and self-signed certificate. If not specified, the value for the object-name property is used.
config-file name
Optionally, when generating a CSR or self-signed certificate, specifies the configuration file to read the DN and OIDs from. The configuration file must be in the OpenSSL CNF format. You must upload the configuration file to the temporary: directory.
When you specify the config-file parameter, you must specify the commonName, file-name, or object-name parameter.
export-key
Optionally creates a copy of the private key in the temporary: directory in addition to the one in the cert: directory.
export-sscert
Optionally creates a copy of the self-signed certificate in the temporary: directory in addition to the one in the cert: directory.
password plaintext
Optionally specifies the password to encrypt the private key when it is saved to a file.
password-alias alias
Optionally specifies a password alias in an existing password map file. This alias is used to decrypt the password.
using-key name
Optionally specifies an existing key object to sign the CSR and any self-signed certificate that is generated. Use this parameter to reissue a CSR or self-signed certificate that is signed with existing key material instead of a newly generated key.

Guidelines

CA policies can vary with regard to the amount of information that is required in the CSR. Check with the CA before generating the CSR to ensure that you provide sufficient information.

The config-file parameter specifies an OpenSSL CNF file. This file consists of sections, each delimited by a section name that is enclosed in square brackets, and each section can contain one or more properties. Some properties are allowed to exist outside of any section definition; these are considered global, and the command does not read them. The command reads only the following properties of the [req] section of the configuration file.
[req]
  [distinguished_name]
  [attributes]
  [req_extensions]
  [x509_extensions]
  string_mask

Each of these properties can define a section of its own, with the exception of string_mask, which must be either utf8only or nombstr.
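A constructed CNF file in the shape that the config-file parameter reads, added here as an illustration and not taken from the original page; the section names after [req], the DN values, the example.com.au host names and the keygen invocation in the first comment are assumptions chosen for this example.

```ini
# Constructed example for the keygen config-file parameter.
# Assumed invocation after uploading this file to the temporary: directory:
#   keygen CN www.example.com.au config-file req.cnf gen-sscert
# keygen reads only the five properties below in [req] and the sections
# they name; any property placed outside a section (global) is ignored.
[req]
distinguished_name = req_dn
attributes         = req_attrs
req_extensions     = req_ext
x509_extensions    = sscert_ext
# string_mask must be utf8only or nombstr; utf8only avoids BMPString DN
# encodings that some CAs and clients reject.
string_mask        = utf8only

# DN fields (assumed prompt-less layout; adjust to what your CA requires).
[req_dn]
C  = AU
ST = Victoria
L  = South Melbourne
O  = Example Australia, Ltd.
OU = Customer Support
CN = www.example.com.au

# Left empty on purpose: unexpected CSR attributes are a common CA rejection.
[req_attrs]

# Extensions requested in the CSR. subjectAltName is what modern TLS clients
# match against; the CN alone is no longer sufficient.
[req_ext]
subjectAltName   = @alt_names
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

# Extensions placed in the self-signed certificate when gen-sscert is used.
[sscert_ext]
subjectAltName   = @alt_names
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = www.example.com.au
DNS.2 = example.com.au
```

Because the [req] properties define sections, the same file can carry separate req_extensions and x509_extensions sections, so the self-signed certificate can be constrained with CA:FALSE while the CSR still requests only what the CA expects.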

The password or password-alias keyword is required only when a key file is password protected.

To use the password-alias keyword, you must have created an alias. Use the password-map command to create the password alias.

To delete a key, use the no key keyname command. See key.

Examples

  • Generate a private key and CSR for the specified server. Default conditions apply as follows.
    • The private key (1024 bits in length) is saved as cert:sample-privkey.pem.
    • The CSR is saved as temporary:sample.csr.
    • The private key file is not password protected.
    # keygen C au L "South Melbourne" ST Victoria O "DataPower Australia, Ltd." OU "Customer Support" CN www.bob.williamswillow.com.au
    
  • Generate a private key and CSR for the specified server with the following options.
    • The private key (2048 bits in length) is saved as cert:bob-privkey.pem.
    • The CSR is saved as temporary:bob.csr.
    • The private key file is password protected with the plaintext password didgeridoo.
    # keygen C au L "South Melbourne" ST Victoria O "williamswillow Australia, Ltd." OU "Customer Support" CN www.bob.williamswillow.com.au rsa 2048 out bob password didgeridoo
    
  • Create a new password map and generate a host key to encrypt the plaintext password didgeridoo, and associate the alias WaltzingMatilda with the encrypted password. Generate a private key and CSR for the specified server with the following options.
    • The private key (2048 bits in length) is saved as cert:bob-privkey.pem.
    • The CSR is saved as temporary:bob.csr.
    • The private key file is password protected with the encrypted password didgeridoo.
    # password-map
    Please enter alias-name and plaintext password pairs
    - Leading and trailing white space is removed
    - Enter a blank alias name to finish
    Alias-name: WaltzingMatilda
    Plaintext password: didgeridoo
    Alias-name:
    SSL: password-map saved
    # keygen C au L "South Melbourne" ST Victoria O "williamswillow Australia, Ltd." OU "Customer Support" CN www.bob.williamswillow.com.au rsa 2048 out bob password-alias WaltzingMatilda