diff options
| author | Damien Miller <djm@mindrot.org> | 2010-08-05 13:05:31 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-08-05 13:05:31 +1000 |
| commit | 757f34e051d59995b7225e5c08c70f7f54019ae6 (patch) | |
| tree | dbfe4068f3fbbfbf75c6b8dd38226d46a55cbad2 /ssh-keygen.1 | |
| parent | 5458c4dd138a4ca14ad5d1d1c2da9acff7d909d6 (diff) | |
- djm@cvs.openbsd.org 2010/08/04 06:07:11
[ssh-keygen.1 ssh-keygen.c]
Support CA keys in PKCS#11 tokens; feedback and ok markus@
Diffstat (limited to 'ssh-keygen.1')
| -rw-r--r-- | ssh-keygen.1 | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c4464878d..9acd8f8c9 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: ssh-keygen.1,v 1.97 2010/07/15 21:20:38 schwarze Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
| 4 | .\" | 4 | .\" |
| @@ -37,7 +37,7 @@ | |||
| 37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 39 | .\" | 39 | .\" |
| 40 | .Dd $Mdocdate: July 15 2010 $ | 40 | .Dd $Mdocdate: August 4 2010 $ |
| 41 | .Dt SSH-KEYGEN 1 | 41 | .Dt SSH-KEYGEN 1 |
| 42 | .Os | 42 | .Os |
| 43 | .Sh NAME | 43 | .Sh NAME |
| @@ -215,6 +215,11 @@ the passphrase if the key has one, and for the new comment. | |||
| 215 | .It Fl D Ar pkcs11 | 215 | .It Fl D Ar pkcs11 |
| 216 | Download the RSA public keys provided by the PKCS#11 shared library | 216 | Download the RSA public keys provided by the PKCS#11 shared library |
| 217 | .Ar pkcs11 . | 217 | .Ar pkcs11 . |
| 218 | When used in combination with | ||
| 219 | .Fl s , | ||
| 220 | this option indicates that a CA key resides in a PKCS#11 token (see the | ||
| 221 | .Sx CERTIFICATES | ||
| 222 | section for details). | ||
| 218 | .It Fl e | 223 | .It Fl e |
| 219 | This option will read a private or public OpenSSH key file and | 224 | This option will read a private or public OpenSSH key file and |
| 220 | print to stdout the key in one of the formats specified by the | 225 | print to stdout the key in one of the formats specified by the |
| @@ -553,7 +558,17 @@ option: | |||
| 553 | .Pp | 558 | .Pp |
| 554 | The host certificate will be output to | 559 | The host certificate will be output to |
| 555 | .Pa /path/to/host_key-cert.pub . | 560 | .Pa /path/to/host_key-cert.pub . |
| 556 | In both cases, | 561 | .Pp |
| 562 | It is possible to sign using a CA key stored in a PKCS#11 token by | ||
| 563 | providing the token library using | ||
| 564 | .Fl D | ||
| 565 | and identifying the CA key by providing its public half as an argument | ||
| 566 | to | ||
| 567 | .Fl s : | ||
| 568 | .Pp | ||
| 569 | .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub | ||
| 570 | .Pp | ||
| 571 | In all cases, | ||
| 557 | .Ar key_id | 572 | .Ar key_id |
| 558 | is a "key identifier" that is logged by the server when the certificate | 573 | is a "key identifier" that is logged by the server when the certificate |
| 559 | is used for authentication. | 574 | is used for authentication. |