rsagen, rsafill, asn12rsa, rsa2asn1, rsa2pub, rsa2ssh, rsa2x509, rsa2csr, x5092pub - generate and format RSA keys
Plan 9 represents an RSA key as an attribute-value pair list
prefixed with the string
this is the generic key format used by
A full RSA private key has the following attributes:
the number of significant bits in
the encryption exponent
the decryption exponent
!kp, !kq, !c2
parameters derived from the other attributes, cached to speed decryption
All the numbers are in hexadecimal except
An RSA public key omits the attributes beginning with
A key may have other attributes as well (for example, a
attribute identifying how this key is typically used),
but to these utilities such attributes are merely comments.
For example, a very small (and thus insecure) private key and corresponding
key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6
key proto=rsa size=8 ek=7 n=8F
Note that the order of the attributes does not matter.
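The key format described above, as an added example (not part of the original manual page or the Plan 9 source): Python code that parses a key line, drops the private attributes the way rsa2pub is described as doing, and checks the page's sample private key for internal consistency. The function names are hypothetical; it assumes size is decimal, values contain no quoted whitespace, and the cached parameters follow the usual CRT definitions (kp = dk mod p-1, kq = dk mod q-1, c2 = p^-1 mod q), which the sample key satisfies.

```python
# Added example, not Plan 9 code. Function names are hypothetical.
# Assumptions: size is decimal, other numbers hex, no quoted whitespace in values.

SAMPLE = "key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6"  # from the page

def parse_key(line):
    """Split 'key attr=value ...' into a dict; attribute order is irrelevant."""
    words = line.split()
    if not words or words[0] != "key":
        raise ValueError("not a Plan 9 key line")
    return dict(w.split("=", 1) for w in words[1:])

def format_key(attrs):
    return "key " + " ".join(f"{k}={v}" for k, v in attrs.items())

def to_public(attrs):
    """Drop every attribute beginning with '!'; comment attributes survive."""
    return {k: v for k, v in attrs.items() if not k.startswith("!")}

def check_private(attrs):
    """Return a list of inconsistencies in a full private key (empty if sound)."""
    def num(name):
        return int(attrs[name], 16)
    n, ek, dk, p, q = (num(a) for a in ("n", "ek", "!dk", "!p", "!q"))
    problems = []
    if p * q != n:
        problems.append("n is not p*q")
    if n.bit_length() != int(attrs["size"]):
        problems.append("size does not match n")
    # ek*dk must be 1 modulo both p-1 and q-1 for decryption to invert encryption
    if (ek * dk - 1) % (p - 1) or (ek * dk - 1) % (q - 1):
        problems.append("!dk does not invert ek")
    # Cached CRT parameters (assumed definitions, satisfied by the sample key)
    cached = {"!kp": dk % (p - 1), "!kq": dk % (q - 1), "!c2": pow(p, -1, q)}
    for name, want in cached.items():
        if name in attrs and num(name) != want:
            problems.append(f"{name} should be {want:X}")
    return problems

if __name__ == "__main__":
    key = parse_key(SAMPLE)
    print(check_private(key) or "private key is consistent")
    print(format_key(to_public(key)))
```

A check like this is useful before publishing a key file: the output of to_public must contain no attribute starting with "!".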
prints a randomly generated RSA private key
is specified, it is printed between
is a sequence of attribute-value comments describing the key.
attributes if they are missing,
and prints a full key.
reads an RSA private or public key stored as ASN.1
encoded in the binary Distinguished Encoding Rules (DER)
and prints a Plan 9 RSA key,
ASN.1/DER is a popular key format on Unix and Windows;
it is often encoded in text form using the Privacy Enhanced Mail (PEM) format
in a section labeled as an
auth/pemdecode 'RSA PRIVATE KEY' | auth/asn12rsa
extracts the key section from a textual ASN.1/DER/PEM key
into binary ASN.1/DER format and then
converts it to a Plan 9 RSA key.
reads a Plan 9 RSA public or private key,
removes the private attributes, and prints the resulting public key.
Comment attributes are preserved.
but outputs the public key in ASN.1/DER format.
flag a private key is read and encoded in ASN.1/DER format.
reads a Plan 9 RSA public or private key and prints the public portion
in the format used by SSH2. The
option will set the comment.
reads a Plan 9 RSA private key and writes a self-signed X.509 certificate
encoded in ASN.1/DER format to standard output.
(Note that ASN.1/DER X.509 certificates are different from ASN.1/DER private keys.)
The certificate uses the current time as its start time and expires
It contains the public half of the key
as the issuer/subject string (also known as a ``Distinguished Name'').
This info is typically in the form:
C=US ST=NJ L=07974 O=Lucent OU='Bell Labs' CN=G.R.Emlin
One can append further Distinguished Names, DNS Names and
E-Mail addresses as a ``Subject Alternative Name'' separated
with a comma after the main subject.
The X.509 ASN.1/DER format is often encoded in text using a PEM section
``CERTIFICATE.''
auth/rsa2x509 'C=US OU=''Bell Labs''' file |
auth/pemencode CERTIFICATE
generates such a textual certificate.
Applications that serve TLS-encrypted sessions (for example,
expect certificates in ASN.1/DER/PEM format.
The Plan 9 RSA private key needs to be loaded into factotum
for TLS server applications. It is recommended to put the key into
avoiding it being stored unencrypted on the filesystem.
and an RSA private key and outputs a signing request in ASN.1 format.
converts a binary certificate (or certificate request when
and outputs the public key with a
attribute on standard output.
Generate a fresh key and use it to start a TLS-enabled web server:
auth/rsagen -t 'service=tls owner=*' >key
auth/rsa2x509 'C=US CN=*.cs.bell-labs.com' key |
auth/pemencode CERTIFICATE >cert
cat key >/mnt/factotum/ctl
ip/httpd/httpd -c cert
Generate a fresh key and configure a remote Unix system to
allow use of that key for logins:
auth/rsagen -t 'service=ssh' >key
auth/rsa2ssh key | ssh unix 'cat >>.ssh/authorized_keys'
cat key >/mnt/factotum/ctl
Convert a private key in PEM format (as generated by OpenSSL)
and load it into factotum:
auth/pemdecode 'PRIVATE KEY' key.pem |
auth/asn12rsa -t 'service=tls' >/mnt/factotum/ctl
Generate a certificate signing request (CSR) in PEM format:
auth/rsa2csr 'CN=example.com' key |
auth/pemencode 'CERTIFICATE REQUEST'
Generate a tinc host key:
auth/rsagen -t 'service=tinc role=client host=myhost' > myhost.key
auth/rsa2pub < myhost.key |
auth/rsa2asn1 | auth/pemencode 'RSA PUBLIC KEY' > hosts/myhost
There are too many key formats.