rsagen, rsafill, asn12rsa, rsa2pub, rsa2ssh, rsa2x509, rsa2csr - generate and format RSA keys

Plan 9 represents an RSA key as an attribute-value pair list
prefixed with the string
this is the generic key format used by

A full RSA private key has the following attributes:
the number of significant bits in
the encryption exponent
the decryption exponent
!kp, !kq, !c2
parameters derived from the other attributes, cached to speed decryption

All the numbers are in hexadecimal except
An RSA public key omits the attributes beginning with
A key may have other attributes as well (for example, a
attribute identifying how this key is typically used),
but to these utilities such attributes are merely comments.

For example, a very small (and thus insecure) private key and corresponding

    key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6
    key proto=rsa size=8 ek=7 n=8F

Note that the order of the attributes does not matter.

prints a randomly generated RSA private key
is specified, it is printed between
is a sequence of attribute-value comments describing the key.

attributes if they are missing,
and prints a full key.

reads an RSA private key stored as ASN.1
encoded in the binary Distinguished Encoding Rules (DER)
and prints a Plan 9 RSA key,
ASN.1/DER is a popular key format on Unix and Windows;
it is often encoded in text form using the Privacy Enhanced Mail (PEM) format
in a section labeled as an

    auth/pemdecode 'RSA PRIVATE KEY' | auth/asn12rsa

extracts the key section from a textual ASN.1/DER/PEM key
into binary ASN.1/DER format and then
converts it to a Plan 9 RSA key.

reads a Plan 9 RSA public or private key,
removes the private attributes, and prints the resulting public key.
Comment attributes are preserved.
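
The key format and the rsa2pub behaviour described above, as an added example in Python (not part of the original manual page or of Plan 9's code): it parses a key line, checks that the private attributes agree with each other, and strips them to form the public key. It assumes that size is decimal, that the private attributes are the ones starting with "!", and that !kp, !kq and !c2 are the usual CRT values; the sample key on this page satisfies all three.

```python
# Added example (not Plan 9 source): check and strip a Plan 9 RSA key line.
from math import gcd

PRIVATE = ("!dk", "!p", "!q", "!kp", "!kq", "!c2")
# The deliberately tiny sample key from this page.
SAMPLE = "key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6"

def parse_key(line):
    """Split 'key attr=value ...' into a dict; attribute order is irrelevant."""
    words = line.split()  # simplification: values containing spaces unsupported
    if not words or words[0] != "key":
        raise ValueError("missing 'key' prefix")
    attrs = dict(w.split("=", 1) for w in words[1:])
    if attrs.get("proto") != "rsa":
        raise ValueError("not an RSA key")
    return attrs

def check_private(attrs):
    """Return the inconsistencies found in a full private key ([] if none)."""
    missing = [a for a in ("size", "ek", "n") + PRIVATE if a not in attrs]
    if missing:
        return ["missing " + a for a in missing]
    size = int(attrs["size"])  # assumption: size is the one decimal attribute
    ek, n, dk, p, q, kp, kq, c2 = (
        int(attrs[a], 16) for a in ("ek", "n") + PRIVATE)
    if p < 2 or q < 2:
        return ["!p and !q must both exceed 1"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    checks = [  # CRT relations are assumptions that the sample key satisfies
        (n == p * q, "n != p*q"),
        (n.bit_length() == size, "size != bit length of n"),
        (ek * dk % lam == 1, "ek*dk != 1 mod lcm(p-1, q-1)"),
        (kp == dk % (p - 1), "!kp != dk mod (p-1)"),
        (kq == dk % (q - 1), "!kq != dk mod (q-1)"),
        (c2 * p % q == 1, "!c2 is not the inverse of p mod q"),
    ]
    return [msg for ok, msg in checks if not ok]

def to_public(attrs):
    """Drop '!'-prefixed attributes; keep the rest, comments included."""
    kept = (f"{k}={v}" for k, v in attrs.items() if not k.startswith("!"))
    return "key " + " ".join(kept)

if __name__ == "__main__":
    key = parse_key(SAMPLE + " service=tls")
    print(check_private(key) or "consistent")
    print(to_public(key))
```
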

reads a Plan 9 RSA public or private key and prints the public portion
in the format used by SSH2. The
option will set the comment.

reads a Plan 9 RSA private key and writes a self-signed X.509 certificate
encoded in ASN.1/DER format to standard output.
(Note that ASN.1/DER X.509 certificates are different from ASN.1/DER private keys.)
The certificate uses the current time as its start time and expires
It contains the public half of the key
as the issuer/subject string (also known as a "Distinguished Name").
This info is typically in the form:

    C=US ST=NJ L=07974 O=Lucent OU='Bell Labs' CN=G.R.Emlin

One can append further Distinguished Names, DNS Names and
E-Mail addresses as a "Subject Alternative Name" separated
with a comma after the main subject.

The X.509 ASN.1/DER format is often encoded in text using a PEM section
"CERTIFICATE."

    auth/rsa2x509 'C=US OU=''Bell Labs''' file |
        auth/pemencode CERTIFICATE

generates such a textual certificate.
Applications that serve TLS-encrypted sessions (for example,
expect certificates in ASN.1/DER/PEM format.

The Plan 9 RSA private key needs to be loaded into factotum
for TLS server applications. It is recommended to put the key into
avoiding it being stored unencrypted on the filesystem.

and an RSA private key and outputs a signing request in ASN.1 format.

Generate a fresh key and use it to start a TLS-enabled web server:

    auth/rsagen -t 'service=tls owner=*' >key
    auth/rsa2x509 'C=US CN=*.cs.bell-labs.com' key |
        auth/pemencode CERTIFICATE >cert
    cat key >/mnt/factotum/ctl
    ip/httpd/httpd -c cert

Generate a fresh key and configure a remote Unix system to
allow use of that key for logins:

    auth/rsagen -t 'service=ssh' >key
    auth/rsa2ssh key | ssh unix 'cat >>.ssh/authorized_keys'
    cat key >/mnt/factotum/ctl

Convert a private key in PEM format (as generated by OpenSSL)
and load it into factotum:

    auth/pemdecode 'PRIVATE KEY' key.pem |
        auth/asn12rsa -t 'service=tls' >/mnt/factotum/ctl

Generate a certificate signing request (CSR) in PEM format:

    auth/rsa2csr 'CN=example.com' key |
        auth/pemencode 'CERTIFICATE REQUEST'

There are too many key formats.