ssh-keygen
Generates, manages and converts authentication keys for ssh
Options
Name | Description |
---|---|
-A | For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment |
-a [rounds] | When saving a private key, this option specifies the number of KDF |
-B | Show the bubblebabble digest of specified private or public key file |
-b <bits> | Specifies the number of bits in the key to create |
-C <comment> | Provides a new comment |
-c | Requests changing the comment in the private and public key files |
-D <pkcs11> | Download the public keys provided by the PKCS#11 |
-E <fingerprint_hash> | Specifies the hash algorithm used when displaying key fingerprints |
-e | Read an OpenSSH key file and print to stdout |
-F <hostname> | Search for the specified hostname (with optional port number) |
-f <filename> | Specifies the filename of the key file |
-g | Use generic DNS format when printing fingerprint resource records |
-H | Hash a known_hosts file |
-h | Create a host certificate instead of a user certificate |
-I <certificate_identity> | Specify the key identity when signing a public key |
-i | Read an unencrypted private (or public) key file |
-K | Download resident keys from a FIDO authenticator |
-k | Generate a KRL file |
-L | Generate a KRL file |
-l | Show fingerprint of specified public key file |
-M <command> | Used for moduli generation |
-m <key_format> | Specify a key format for key generation |
-N <new_passphrase> | Provides the new passphrase |
-n <principals> | Specify one or more principals (user or host names) to be included in a certificate when signing a key |
-O <option> | |
-P <passphrase> | Provides the (old) passphrase |
-p | Requests changing the passphrase of a private key file instead of creating a new private key |
-Q | Test whether keys have been revoked in a KRL |
-q | Silence ssh-keygen |
-R <hostname> | Removes all keys belonging to hostname |
-r <hostname> | Print the SSHFP fingerprint resource record named hostname for the specified public key file |
-s <ca_key> | Certify (sign) a public key using the specified CA key |
-t <type> | Specifies the type of key to create |
-U | When used in combination with -s, this option indicates that a CA key resides in an ssh-agent(1) |
-u | Update a KRL |
-V <validity_interval> | Specify a validity interval when signing a certificate |
-v | |
-w <provider> | Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys |
-Y <command...> | Multiple functions: find principals, match principals, check novalidate, sign, verify |
-y | Read a private OpenSSH format file and print an OpenSSH public key to stdout |
-Z <cipher> | Specifies the cipher to use for encryption when writing an OpenSSH-format private key file |
-z <serial_number> | Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA |