rsagen, rsafill, asn12rsa, rsa2pub, rsa2ssh, rsa2x509, rsa2csr
– generate and format rsa keys|
rsagen [ –b nbits ] [ –t tag ] |
rsafill [ file ]
asn12rsa [ –t tag ] [ file ]
rsa2pub [ file ]
rsa2ssh [ –2 ] [ –c comment ] [ file ]
rsa2x509 [ –e expiretime ] certinfo [ file ]
rsa2csr subject [ file ]
Plan 9 represents an RSA key as an attribute–value pair list prefixed
with the string key; this is the generic key format used by factotum(4).
A full RSA private key has the following attributes:|
proto must be rsa
size the number of significant bits in n
ek the encryption exponent
n the product of !p and !q
!dk the decryption exponent
!p a large prime
!q another large prime
!kp, !kq, !c2
For example, a very small (and thus insecure) private key and
corresponding public key might be:
Rsagen prints a randomly generated RSA private key whose n has exactly nbits (default 2048) significant bits. If tag is specified, it is printed between key and proto=rsa; typically, tag is a sequence of attribute–value comments describing the key.
Rsafill reads a private key, recomputes the !kp, !kq, and !c2 attributes if they are missing, and prints a full key.
Asn12rsa reads an RSA private key stored as ASN.1 encoded in the
binary Distinguished Encoding Rules (DER) and prints a Plan 9
RSA key, inserting tag exactly as rsagen does. ASN.1/DER is a
popular key format on Unix and Windows; it is often encoded in
text form using the Privacy Enhanced Mail (PEM) format in a
section labeled as an ``RSA PRIVATE KEY.'' The command:
Rsa2pub reads a Plan 9 RSA public or private key, removes the private attributes, and prints the resulting public key. Comment attributes are preserved.
Rsa2ssh reads a Plan 9 RSA public or private key and prints the public portion in the format used by SSH: three space–separated decimal numbers size, ek, and n. The –2 option will change the output to SSH2 RSA public key format. The –c option will set the comment. For compatibility with external SSH implementations, the public keys in /sys/lib/ssh/keyring and $home/lib/keyring are stored in this format.
Rsa2x509 reads a Plan 9 RSA private key and writes a self–signed
X.509 certificate encoded in ASN.1/DER format to standard output.
(Note that ASN.1/DER X.509 certificates are different from ASN.1/DER
private keys). The certificate uses the current time as its start
time and expires expiretime seconds (default 3
years) later. It contains the public half of the key and includes
certinfo as the issuer/subject string (also known as a ``Distinguished
Name''). This info is typically in the form:
The X.509 ASN.1/DER format is often encoded in text using a PEM
section labeled as a ``CERTIFICATE.'' The command:
The Plan 9 RSA private key needs to be loaded into factotum for TLS server applications. It is recommended to put the key into secstore(1), avoiding it being stored unencrypted on the filesystem.
Rsa2csr takes the subject and a RSA private key and outputs a
signing request in ASN.1 format.
Generate a fresh key and use it to start a TLS–enabled web server:|
There are too many key formats.|