version 1.97, 2010/07/15 21:20:38 |
version 1.98, 2010/08/04 06:07:11 |
|
|
.It Fl D Ar pkcs11 |
.It Fl D Ar pkcs11 |
Download the RSA public keys provided by the PKCS#11 shared library |
Download the RSA public keys provided by the PKCS#11 shared library |
.Ar pkcs11 . |
.Ar pkcs11 . |
|
When used in combination with |
|
.Fl s , |
|
this option indicates that a CA key resides in a PKCS#11 token (see the |
|
.Sx CERTIFICATES |
|
section for details). |
.It Fl e |
.It Fl e |
This option will read a private or public OpenSSH key file and |
This option will read a private or public OpenSSH key file and |
print to stdout the key in one of the formats specified by the |
print to stdout the key in one of the formats specified by the |
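Review bot: the sentence added to the -D description says the CA key "resides in a PKCS#11 token" but leaves the reader to discover from the CERTIFICATES section that the key is then named on the command line by passing its public half as the argument to -s; stating that here would save the cross-reference, e.g. "...resides in a PKCS#11 token; the argument to .Fl s is then the public half of that key (see CERTIFICATES)." As written, the paragraph only tells the reader where the key lives, not how to select it.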
|
|
.Pp |
.Pp |
The host certificate will be output to |
The host certificate will be output to |
.Pa /path/to/host_key-cert.pub . |
.Pa /path/to/host_key-cert.pub . |
In both cases, |
.Pp |
|
It is possible to sign using a CA key stored in a PKCS#11 token by |
|
providing the token library using |
|
.Fl D |
|
and identifying the CA key by providing its public half as an argument |
|
to |
|
.Fl s : |
|
.Pp |
|
.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub |
|
.Pp |
|
In all cases, |
.Ar key_id |
.Ar key_id |
is a "key identifier" that is logged by the server when the certificate |
is a "key identifier" that is logged by the server when the certificate |
is used for authentication. |
is used for authentication. |
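Review bot: the example passes the token library as the bare name libpkcs11.so while the -D description only says "shared library pkcs11", and neither place says whether a bare name is resolved on the dynamic loader's search path or must be an absolute path; either use a full path in the .Dl example or add a sentence on how the name is resolved. The paragraph also identifies the CA key solely "by providing its public half" and is silent on the failure case where the token holds no private key matching ca_key.pub, and on whether the token will prompt for its PIN during signing; one sentence covering those two points would make the procedure complete for an operator following it.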