This program generates RSA public/private key-pairs.
By default it generates a new User key, but it can also be used to
generate a Host key (with the -H option) or a
Signing Certificate-Authority (CA) key (with the --CA option).
Every new key must be signed by a "Signing Key". The file containing
that key is given with the "-c" option.
A "Signing Key" is itself made with the "--CA" option,
and it too must be signed by a higher-level "Signing Key".
At the very top sits a "Certificate-Authority (CA) Key" which is
"self-signed". These are the roots of trust and must be protected
diligently. The private half of such a pair should never reside
on a machine that is connected to the Internet. The public half of the pair,
however, must be distributed everywhere, because every verifier needs it
to check a chain back to the root.
In general, the higher the level of trust of a key-pair,
the longer its validity period. This is because the public half of a
"Signing Key" pair must be distributed widely before it is of any use as a
trust validator, and distribution takes time. Correspondingly,
the longer a key lives, the more care must be taken to ensure the
continued security of its private half. Destroying the private half
is the strongest protection that can be attained,
but one has to sign a few "Signing Keys" with it first
for that to have any practical effect, since a destroyed key can sign nothing further.
Syntax
This is a command-line utility.
Usage: keyMaker [options]
Long Options without arguments:
--help | -h -> output this help message
--version | -V -> version of the program.
Types of Keys to Generate:
--CA | -C new RSA KeyPair for Signing other keys
--host-key | -H <hostname> new RSA KeyPair for host
--local-key | -L new RSA KeyPair for local host
--user-key | -U new RSA KeyPair for current user<default>
This is also the way to generate generic Key-Pairs
--secret-key | -A new 256-bit AES key
Key Creation Parameters:
--colloquial | -n <name> colloquial name for new key
--n_modulus_bits | -m <mod_bits> number of modulus bits in new key
--n_exponent_bits | -e <exp_bits> number of exponent bits in new key
(defaults: mod_bits=1024, exp_bits=32)
--n_years | -y <(float)years> number of years of validity
(default=2.0 years)
--entroprize_iterations | -N <n_loops> number of Pass-Phrase hashing
iterations for hiding key<5000>
--encrypt-exportably -> hide Private-Key with Exportable DES2
--organizationName <info> identification of Key owner
--departmentName <info> identification of Key owner
--emailAddress <info> identification of Key owner
--address <info> identification of Key owner
--city <info> identification of Key owner
--state <info> identification of Key owner
--postalCode <info> identification of Key owner
--country <info> identification of Key owner
Explicit File handling Options:
When using this program to sign other keys with a CA-key,
you must specify the file which contains the CA Signing key.
You can input the full pathname to this file, or you may specify its
colloquial name, along with the Directories in which to search for it,
(using the -I option).
As a convenience, Administrators may generate new keys and sign them,
all in one step, avoiding the CSR steps. Just include this option
with the rest of the Key-Generation specifications.
When generating a Top-Level CA key, it must be Self-Signed,
as all new keys are. However, it does not get the diminutive appellation
of "self" inserted into the name of the Public-Key file.
One indicates that the CA-key being created should be a Top-Level CA-key
by defining this option to point to "self".
--CA-file | -c <pathname> input filename for signing CA-Private-Key
"self" will save as a new Self-Signed, Top-Level CA-key.
Options for Translating Key-Formats:
--convert-to-PEM | -x <filename> from XDF to PEM, resigned
--convert-from-PEM | -X <filename> from PEM to XDF, resigned
--read-from-PEM | -T <filename> from (RS)PEM to XDF, but NOT resigned
--make-Cert-Request | -r <filename> from XDF to ASN-CERTIFICATE-REQUEST
in PEM, ASN.1 DER output format
--make-Real-Cert-Request | -R <filename> from XDF to
Real-Certificate-Signing-Request
--sign-key | -S <filename> sign Public-Key or Request (RSCSR,CSR)
--rebuild-public-key <privateKey-filename> rebuild the Public-Key from the
associated Private-Key
Options for saving additional Key-Formats:
--save-pem also save Public-Key as PEM-file
--save-rscsr save Public-Key as Real-Certificate-Signing-Request
--save-csr save Public-Key as ASN-CERTIFICATE-REQUEST
--save-self also save Public-Key, self-signed version;
this is always done unless Signing a key.
--skip-self skip saving self-signed version of Public-Key
--save-public save Public-Key along with RSCSR or CSR
For saving PEM formats, backward compatibility Options:
--use-UTCTime Force output to use only 2-digit Year (UTCTime) format
--backpedal-for-Netscape4 Force output to use UTCTime format
and Teletex-Strings instead of UTF-8.
Key Locations Options:
-d <dirname> common directory portion of output Keys filenames
-I <dirname> search directory for input Keys
Explicit File handling Options (rarely needed):
--basename | -b <filename> common portion of output filenames
--private-file | -P <pathname> output filename for Private-Key
--public-file | -p <pathname> output filename for Public-Key
--error-file | -E <pathname> output filename for errors
Purchase
Price: $100
Export Restrictions
Because encryption is restricted under U.S. export law,
programs purchased for use outside the United States
must have their encryption crippled.
Because the security of the private keys depends on strong encryption,
we cannot sell it to non-US customers at this time.
Currently, only customers within the United States may purchase
this program. Sorry.
Download Packages
After you have purchased your license, you may go to the Download Page
to copy the program package to your computer.
You must run the program package to extract the program and
activate it, using your License Number and Activation Code.
Proceed to the Download Page.