rsagen, rsafill, asn12rsa, rsa2pub, rsa2ssh, rsa2x509, rsa2csr - generate and format rsa keys
Plan 9 represents an RSA key as an attribute-value pair list
prefixed with the string
this is the generic key format used by
A full RSA private key has the following attributes:
the number of significant bits in
the encryption exponent
the decryption exponent
!kp, !kq, !c2
parameters derived from the other attributes, cached to speed decryption
All the numbers are in hexadecimal except
An RSA public key omits the attributes beginning with
A key may have other attributes as well (for example, a
attribute identifying how this key is typically used),
but to these utilities such attributes are merely comments.
For example, a very small (and thus insecure) private key and corresponding
    key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6
    key proto=rsa size=8 ek=7 n=8F
Note that the order of the attributes does not matter.
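
The key format above can be parsed and sanity-checked in a few lines; the following Python is an added example, not code from Plan 9 or from this manual page. It assumes that size is decimal, that private attributes are the ones starting with "!", that values contain no quoted spaces, and that the cached parameters are kp = dk mod (p-1), kq = dk mod (q-1) and c2 = p^-1 mod q; the page does not state these relations, but the example key satisfies them.

```python
# Added example (not Plan 9 code): parse and sanity-check a Plan 9 RSA key line.
from math import gcd

REQUIRED = ("size", "ek", "n", "!dk", "!p", "!q", "!kp", "!kq", "!c2")

def parse_key(line):
    """Split 'key attr=value ...' into a dict; attribute order does not matter.
    Assumption: no quoted values containing spaces."""
    fields = line.split()
    if not fields or fields[0] != "key":
        raise ValueError("missing 'key' prefix")
    attrs = {}
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError("not an attribute=value pair: " + field)
        attrs[name] = value
    if attrs.get("proto") != "rsa":
        raise ValueError("not an RSA key")
    return attrs

def format_key(attrs):
    return "key " + " ".join(f"{k}={v}" for k, v in attrs.items())

def to_public(attrs):
    """Drop private attributes (assumed: names starting with '!'); keep comments."""
    return {k: v for k, v in attrs.items() if not k.startswith("!")}

def check_private(attrs):
    """Return the names of inconsistent attributes; empty list means coherent."""
    missing = [a for a in REQUIRED if a not in attrs]
    if missing:
        return ["missing " + a for a in missing]
    ek, n, dk, p, q, kp, kq, c2 = (int(attrs[a], 16) for a in REQUIRED[1:])
    if p < 2 or q < 2:
        return ["!p", "!q"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    checks = [
        ("size", int(attrs["size"]) == n.bit_length()),  # size assumed decimal
        ("n", p * q == n),
        ("!dk", ek * dk % lam == 1),   # ek and dk must be inverses
        ("!kp", kp == dk % (p - 1)),   # assumed definition of the cached values
        ("!kq", kq == dk % (q - 1)),
        ("!c2", c2 * p % q == 1),
    ]
    return [name for name, ok in checks if not ok]

# The page's deliberately tiny (insecure) example key.
EXAMPLE = "key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6"
```
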
prints a randomly generated RSA private key
is specified, it is printed between
is a sequence of attribute-value comments describing the key.
attributes if they are missing,
and prints a full key.
reads an RSA private key stored as ASN.1
encoded in the binary Distinguished Encoding Rules (DER)
and prints a Plan 9 RSA key,
ASN.1/DER is a popular key format on Unix and Windows;
it is often encoded in text form using the Privacy Enhanced Mail (PEM) format
in a section labeled as an
    auth/pemdecode 'RSA PRIVATE KEY' | auth/asn12rsa
extracts the key section from a textual ASN.1/DER/PEM key
into binary ASN.1/DER format and then
converts it to a Plan 9 RSA key.
reads a Plan 9 RSA public or private key,
removes the private attributes, and prints the resulting public key.
Comment attributes are preserved.
reads a Plan 9 RSA public or private key and prints the public portion
in the format used by SSH: three space-separated decimal numbers
option will change the output to SSH2 RSA public key format. The
option will set the comment.
For compatibility with external SSH implementations, the public keys in
/sys/lib/ssh/keyring
are stored in this format.
reads a Plan 9 RSA private key and writes a self-signed X.509 certificate
encoded in ASN.1/DER format to standard output.
(Note that ASN.1/DER X.509 certificates are different from ASN.1/DER private keys).
The certificate uses the current time as its start time and expires
It contains the public half of the key
as the issuer/subject string (also known as a "Distinguished Name").
This info is typically in the form:
    C=US ST=NJ L=07974 O=Lucent OU='Bell Labs' CN=G.R.Emlin
One can append further Distinguished Names, DNS Names and
E-Mail addresses as a "Subject Alternative Name" separated
with a comma after the main subject.
The X.509 ASN.1/DER format is often encoded in text using a PEM section
"CERTIFICATE."
    auth/rsa2x509 'C=US OU=''Bell Labs''' file |
    auth/pemencode CERTIFICATE
generates such a textual certificate.
Applications that serve TLS-encrypted sessions (for example,
expect certificates in ASN.1/DER/PEM format.
The Plan 9 RSA private key needs to be loaded into factotum
for TLS server applications. It is recommended to put the key into
avoiding it being stored unencrypted on the filesystem.
and an RSA private key and outputs a signing request in ASN.1 format.
Generate a fresh key and use it to start a TLS-enabled web server:
    auth/rsagen -t 'service=tls owner=*' >key
    auth/rsa2x509 'C=US CN=*.cs.bell-labs.com' key |
    auth/pemencode CERTIFICATE >cert
    cat key >/mnt/factotum/ctl
    ip/httpd/httpd -c cert
Generate a fresh key and configure a remote Unix system to
allow use of that key for logins:
    auth/rsagen -t 'service=ssh' >key
    auth/rsa2ssh key | ssh unix 'cat >>.ssh/authorized_keys'
    cat key >/mnt/factotum/ctl
Convert a private key in PEM format (as generated by OpenSSL)
and load it into factotum:
    auth/pemdecode 'PRIVATE KEY' key.pem |
    auth/asn12rsa -t 'service=tls' >/mnt/factotum/ctl
Generate a certificate signing request (CSR) in PEM format:
    auth/rsa2csr 'CN=example.com' key |
    auth/pemencode 'CERTIFICATE REQUEST'
There are too many key formats.