| | | |
|---|---|---|
| author | Damien Miller <djm@mindrot.org> | 2010-08-05 13:05:31 +1000 |
| committer | Damien Miller <djm@mindrot.org> | 2010-08-05 13:05:31 +1000 |
| commit | 757f34e051d59995b7225e5c08c70f7f54019ae6 (patch) | |
| tree | dbfe4068f3fbbfbf75c6b8dd38226d46a55cbad2 /ssh-keygen.1 | |
| parent | 5458c4dd138a4ca14ad5d1d1c2da9acff7d909d6 (diff) | |
| download | openssh-git-757f34e051d59995b7225e5c08c70f7f54019ae6.tar.gz | |
- djm@cvs.openbsd.org 2010/08/04 06:07:11
[ssh-keygen.1 ssh-keygen.c]
Support CA keys in PKCS#11 tokens; feedback and ok markus@
Diffstat (limited to 'ssh-keygen.1')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | ssh-keygen.1 | 21 |

1 file changed, 18 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c4464878..9acd8f8c 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.97 2010/07/15 21:20:38 schwarze Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -37,7 +37,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 15 2010 $ +.Dd $Mdocdate: August 4 2010 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -215,6 +215,11 @@ the passphrase if the key has one, and for the new comment. .It Fl D Ar pkcs11 Download the RSA public keys provided by the PKCS#11 shared library .Ar pkcs11 . +When used in combination with +.Fl s , +this option indicates that a CA key resides in a PKCS#11 token (see the +.Sx CERTIFICATES +section for details). .It Fl e This option will read a private or public OpenSSH key file and print to stdout the key in one of the formats specified by the @@ -553,7 +558,17 @@ option: .Pp The host certificate will be output to .Pa /path/to/host_key-cert.pub . -In both cases, +.Pp +It is possible to sign using a CA key stored in a PKCS#11 token by +providing the token library using +.Fl D +and identifying the CA key by providing its public half as an argument +to +.Fl s : +.Pp +.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub +.Pp +In all cases, .Ar key_id is a "key identifier" that is logged by the server when the certificate is used for authentication. |
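Review bot: in the `.Fl D` hunk, the option's opening sentence still reads "Download the RSA public keys provided by the PKCS#11 shared library", yet the added sentence gives `-D` a second role in which nothing is downloaded. Consider describing the argument neutrally first (the PKCS#11 shared library `.Ar pkcs11`) and then stating both behaviours: listing the public keys the token provides when used alone, and locating the CA key in the token when combined with `.Fl s`. As written, the signing use is explained only through the `.Sx CERTIFICATES` cross-reference.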
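Review bot: in the CERTIFICATES hunk, the new paragraph identifies the CA key "by providing its public half as an argument to .Fl s" but does not say that this public key file must correspond to a key held by the token, nor what the user sees when no such key is found; one sentence covering that match requirement would make the `-s ca_key.pub -D libpkcs11.so` example self-explanatory. The example also passes a bare `libpkcs11.so` while the `.Fl D` text speaks of a shared library; consider showing the argument in the form the option actually expects. The edit of "In both cases" to "In all cases" correctly accounts for the third example now preceding that sentence.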