.TH RSA 8
.SH NAME
-rsagen, rsafill, asn12rsa, rsa2pub, rsa2ssh, rsa2x509 \- generate and format rsa keys
+rsagen, rsafill, asn12rsa, rsa2asn1, rsa2pub, rsa2ssh, rsa2x509, rsa2csr \- generate and format rsa keys
.SH SYNOPSIS
.B rsagen
[
.I file
]
.PP
-.B rsa2pub
+.B rsa2asn1
+[
+-a
+]
[
.I file
]
.PP
-.B rsa2ssh
+.B rsa2pub
[
-.B -2
+.I file
]
+.PP
+.B rsa2ssh
[
.B -c
.I comment
[
.I file
]
+.PP
+.B rsa2csr
+.I subject
+[
+.I file
+]
.SH DESCRIPTION
Plan 9 represents an RSA key as an attribute-value pair list
prefixed with the string
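Review bot: In the rsa2asn1 synopsis the `-a` option is added as a bare line, while the existing rsa2ssh option is marked up as `.B -c`; use `.B -a` so the flag is set in bold like the others. As shown, the rsa2ssh synopsis also opens a `[` before `.B -c` / `.I comment` with no closing `]` before the `[` that starts `file`, so check the bracket nesting now that the `-2` lines are gone.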
.B n
has exactly
.I nbits
-(default 1024)
+(default 2048)
significant bits.
If
.I tag
and prints a full key.
.PP
.I Asn12rsa
-reads an RSA private key stored as ASN.1
+reads an RSA private or public key stored as ASN.1
encoded in the binary Distinguished Encoding Rules (DER)
and prints a Plan 9 RSA key,
inserting
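Review bot: The asn12rsa paragraph now accepts "an RSA private or public key", but the unchanged text after it still only says it "prints a Plan 9 RSA key". Please say how the input kind is recognised and what the printed key contains when the input is a public key, so it is clear whether the output can be loaded into factotum as a usable private key or not.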
removes the private attributes, and prints the resulting public key.
Comment attributes are preserved.
.PP
+.I Rsa2asn1
+is like
+.I rsa2pub
+but outputs the public key in ASN.1/DER format.
+With the
+.I -a
+flag a private key is read and encoded in ANS.1/DER format.
+.PP
.I Rsa2ssh
reads a Plan 9 RSA public or private key and prints the public portion
-in the format used by SSH: three space-separated decimal numbers
-.BR size ,
-.BR ek ,
-and
-.BR n .
-The
-.B -2
-option will change the output to SSH2 RSA public key format. The
+in the format used by SSH2. The
.B -c
option will set the comment.
-For compatibility with external SSH implementations, the public keys in
-.B /sys/lib/ssh/keyring
-and
-.B $home/lib/keyring
-are stored in this format.
.PP
.I Rsa2x509
reads a Plan 9 RSA private key and writes a self-signed X.509 certificate
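Review bot: Typo in the new rsa2asn1 paragraph: "ANS.1/DER" should be "ASN.1/DER", matching the sentence two lines above it. In the same paragraph `.I -a` should be `.B -a` to match how `.B -c` is marked up. The rsa2ssh text drops the `-2` option without saying whether the flag is still accepted; if it is now rejected, a sentence noting that would help anyone with scripts that pass `-2`.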
C=US ST=NJ L=07974 O=Lucent OU='Bell Labs' CN=G.R.Emlin
.EE
.LP
+One can append further Distinguished Names, DNS Names and
+E-Mail addresses as a ``Subject Alternative Name'' separated
+with a comma after the main subject.
+.LP
The X.509 ASN.1/DER format is often encoded in text using a PEM section
labeled as a
.RB `` CERTIFICATE .''
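Review bot: The added Subject Alternative Name sentence is ambiguous about syntax: "separated with a comma after the main subject" does not say whether each extra name carries its own attribute prefix or how a DNS name is told apart from an e-mail address, and the example subject just above uses space-separated attributes. Add one concrete subject string with a DNS name and an e-mail address to the `.EX` block so the expected form is unambiguous.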
for TLS server applications. It is recommended to put the key into
.IR secstore (1),
avoiding it being stored unencrypted on the filesystem.
+.PP
+.I Rsa2csr
+takes the
+.I subject
+and a RSA private key and outputs a signing request in ASN.1 format.
.SH EXAMPLES
Generate a fresh key and use it to start a TLS-enabled web server:
.IP
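Review bot: The rsa2csr paragraph does not say what form `subject` takes; if it is the same syntax as rsa2x509 (including the comma-separated alternative names), say so or cross-reference that paragraph. Two wording points in the same lines: "a RSA private key" should be "an RSA private key", and "ASN.1 format" should read "ASN.1/DER format" if that is what is emitted, since the example pipes the output through `auth/pemencode`.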
auth/pemdecode 'PRIVATE KEY' key.pem |
auth/asn12rsa -t 'service=tls' >/mnt/factotum/ctl
.EE
+.PP
+Generate a certificate signing request (CSR) in PEM format:
+.IP
+.EX
+auth/rsa2csr 'CN=example.com' key |
+ auth/pemencode 'CERTIFICATE REQUEST'
+.EE
+.PP
+Generate a tinc host key:
+.IP
+.EX
+auth/rsagen -t 'service=tinc role=client host=myhost' > myhost.key
+auth/rsa2pub < myhost.key |
+ auth/rsa2asn1 | auth/pemencode 'RSA PUBLIC KEY' > hosts/myhost
+.EE
.SH SOURCE
.B /sys/src/cmd/auth
.SH "SEE ALSO
.IR factotum (4),
.IR pem (8),
-.IR ssh (1)
.SH BUGS
There are too many key formats.
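Review bot: The tinc example writes the private key to a plain file with `> myhost.key`, which sits oddly next to the advice earlier on this page to keep keys in secstore rather than unencrypted on the file system. Either add a sentence on protecting or removing `myhost.key` after the public half is exported, or show the key going to factotum/secstore as the TLS example does. Separately, removing `.IR ssh (1)` leaves `.IR pem (8),` as the last SEE ALSO entry with a trailing comma; drop the comma.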