pki --gen » History » Version 6

Jiehan Zheng, 24.12.2012 09:22
The OpenSSL command line was wrong. There should be only one "-" for openssl arguments.

ipsec pki --gen


pki --gen [--type rsa|ecdsa] [--size bits] [--outform der|pem]

           --help     (-h)  show usage information
           --type     (-t)  type of key, default: rsa
           --size     (-s)  keylength in bits, default: rsa 2048, ecdsa 384
           --outform  (-f)  encoding of generated private key, default: der
           --debug    (-v)  set debug level, default: 1
           --options  (-+)  read command line options from file


Generate a new RSA or ECDSA private key.


  • Generate a 3072 bit RSA private key

      pki --gen --size 3072 > myKey.der

  • Generate a 256 bit ECDSA private key

      pki --gen --type ecdsa --size 256 > myKey.der

Problems on Hosts with Low Entropy

If the gmp plugin is used to generate RSA private keys (the default), the key material is read from /dev/random (via the random plugin). The command may therefore block if the entropy pool is empty. To avoid this, either use a hardware random number generator to feed /dev/random, or use OpenSSL (either via the openssl plugin or the command line), which is not as strict about the quality of the key material (it also reads from /dev/urandom if necessary).

Since 5.0.1 it is also possible to configure the devices the random plugin uses in strongswan.conf (previously this was only possible with ./configure options). Setting libstrongswan.plugins.random.random to /dev/urandom forces the plugin to treat bytes read from /dev/urandom as high-grade random data, thus avoiding the blocking. Of course, this doesn't change the fact that the key material generated this way is of lower quality.
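The setting described above written out in strongswan.conf syntax, as an added example that is not part of the wiki page: the dotted key libstrongswan.plugins.random.random maps onto nested sections in the file. The comment marking the trade-off is the editor's, not strongSwan's.

```conf
# strongswan.conf excerpt: make the random plugin read "random" (high-grade)
# data from /dev/urandom so that pki --gen with the gmp plugin never blocks.
# Trade-off: the key material is no longer guaranteed to come from /dev/random.
libstrongswan {
    plugins {
        random {
            random = /dev/urandom
        }
    }
}
```

Leaving this setting at its default (/dev/random) and feeding the pool from a hardware RNG keeps the stronger guarantee on hosts where that is available.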


Generate a 2048 bit RSA private key with OpenSSL:

openssl genrsa -out myKey.pem 2048
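An added wrapper script, not part of the wiki page or of strongSwan, that ties the pki examples above to the entropy caveat: before generating an RSA key with the default gmp plugin it checks the kernel's entropy counter, and it tightens the umask so the key written via shell redirection is not readable by other users (the examples above inherit whatever umask the shell has). Assumptions: pki is in PATH, the entropy counter lives at /proc/sys/kernel/random/entropy_avail (Linux), and the 256-bit threshold is an arbitrary value chosen here, not a strongSwan constant.

```shell
#!/bin/sh
# Added example wrapper around "pki --gen" (not strongSwan's own code).

# Assumed Linux path of the kernel entropy counter; override via environment.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
# Assumed threshold below which pki --gen (gmp plugin, /dev/random) may block.
MIN_ENTROPY=${MIN_ENTROPY:-256}

# entropy_ok FILE MIN: succeed if the integer in FILE is at least MIN.
entropy_ok() {
    file=$1; min=$2
    [ -r "$file" ] || return 1
    avail=$(cat "$file")
    [ "$avail" -ge "$min" ] 2>/dev/null
}

# key_perms_ok FILE: succeed if FILE exists and has no group/other permission
# bits (columns 5-10 of "ls -l" are the group and other rwx fields).
key_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# gen_key TYPE SIZE OUT: generate a private key with pki, refusing to start an
# RSA generation that is likely to block on an empty entropy pool, and writing
# the key with mode 0600 by temporarily setting umask 077.
gen_key() {
    type=$1; size=$2; out=$3
    if [ "$type" = rsa ] && ! entropy_ok "$ENTROPY_FILE" "$MIN_ENTROPY"; then
        echo "entropy below $MIN_ENTROPY bits; pki --gen would likely block" >&2
        return 2
    fi
    old_umask=$(umask)
    umask 077
    pki --gen --type "$type" --size "$size" --outform pem > "$out"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] && key_perms_ok "$out"
}

# Usage: gen_key rsa 3072 myKey.pem   or   gen_key ecdsa 256 myKey.pem
```

On a host where the check fails, either feed /dev/random from a hardware RNG, point the random plugin at /dev/urandom in strongswan.conf, or generate the key with OpenSSL as shown above; the permission check applies equally to a key produced by `openssl genrsa -out`.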