Showhostkey outputs (on standard output) a public key suitable for this host, in the format specified,
using the host key information stored in the NSS database.
In general, since only the super-user can access the NSS database, only the super-user can display the
public key information.
Common Options
--version
Print the libreswan version, then exit.
--verbose
Increase the verbosity.
--nssdir nssdir
Specify the libreswan directory that contains the NSS database (default /var/lib/ipsec/nss).
--password password
Specify the password to use when accessing the NSS database (default contained in
/etc/ipsec.d/nsspassword).
List Options
--list
List the private keys.
--dump
List, with more details, the private keys.
Public Key Options
--ckaid ckaid
Select the public key to display using the NSS ckaid.
--rsaid rsaid
Select the public key to display using the RSA key ID.
--pem
Print the selected public key in PEM encoded ASN.1 format.
--left, --right
Print the selected public key in ipsec.conf(5) format, as a leftrsasigkey or rightrsasigkey parameter
respectively. For example, --left might give (with the key data trimmed down for clarity):
leftrsasigkey=0sAQOF8tZ2...+buFuFn/
--ipseckey
Print the selected public key in a format suitable for use as an opportunistic-encryption DNS IPSECKEY
record (RFC 4025). A gateway can be specified with the --gateway option, which currently supports
IPv4 and IPv6 addresses. For the host name, the value returned by gethostname is used, with a .
appended.
For example, --ipseckey --gateway 10.11.12.13 might give (with the key data trimmed for clarity):
IN IPSECKEY 10 1 2 10.11.12.13 AQOF8tZ2...+buFuFn/
--gateway gateway
For --ipseckey, specify the gateway to display with the DNS IPSECKEY record.
--precedence precedence
For --ipseckey, specify the precedence to display with the DNS IPSECKEY record.
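
The key data printed by --left, --right and --ipseckey can be checked before it goes into ipsec.conf or a DNS zone. The Python sketch below is an added example, not part of libreswan or of this manual page. It assumes the key data is the RFC 3110 RSA encoding (which RFC 4025 uses for algorithm 2) and that the 0s prefix marks base64; the function names and the sample key are constructed for illustration.

```python
import base64
import ipaddress

def parse_rfc3110_rsa(blob):
    """Split RFC 3110 RSA key bytes into (exponent, modulus) integers."""
    if len(blob) < 3:
        raise ValueError("key data too short")
    exp_len, offset = blob[0], 1
    if exp_len == 0:  # long form: the next two bytes carry the length
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    exponent = blob[offset:offset + exp_len]
    modulus = blob[offset + exp_len:]
    if exp_len == 0 or len(exponent) != exp_len or not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")

def parse_ipseckey(line):
    """Parse the 'IN IPSECKEY precedence gwtype algorithm gateway key' text."""
    fields = line.split()
    i = fields.index("IPSECKEY")  # tolerates a leading owner name
    if len(fields) < i + 6:
        raise ValueError("missing IPSECKEY fields")
    precedence, gw_type, algorithm = (int(f) for f in fields[i + 1:i + 4])
    gateway = fields[i + 4]
    if algorithm != 2:  # RFC 4025: 2 = RSA
        raise ValueError("not an RSA key")
    # RFC 4025 gateway types 1 and 2 must carry an IPv4 / IPv6 address.
    if gw_type in (1, 2) and ipaddress.ip_address(gateway).version != (4, 6)[gw_type - 1]:
        raise ValueError("gateway does not match gateway type")
    key = base64.b64decode("".join(fields[i + 5:]), validate=True)
    exponent, modulus = parse_rfc3110_rsa(key)
    return {"precedence": precedence, "gateway": gateway,
            "exponent": exponent, "modulus_bits": modulus.bit_length()}

def parse_rsasigkey(line):
    """Parse a leftrsasigkey=/rightrsasigkey= line; '0s' marks base64 data."""
    name, _, data = line.strip().partition("=")
    if name not in ("leftrsasigkey", "rightrsasigkey") or not data.startswith("0s"):
        raise ValueError("not a base64 rsasigkey line")
    return parse_rfc3110_rsa(base64.b64decode(data[2:], validate=True))

# Constructed sample, not a real key: e = 65537 and a 256-byte filler modulus.
SAMPLE_KEY = base64.b64encode(
    b"\x03\x01\x00\x01" + b"\xc3" + bytes(range(255))).decode()
SAMPLE_RECORD = "IN IPSECKEY 10 1 2 10.11.12.13 " + SAMPLE_KEY

if __name__ == "__main__":
    print(parse_ipseckey(SAMPLE_RECORD))
    e, n = parse_rsasigkey("leftrsasigkey=0s" + SAMPLE_KEY)
    print(e, n.bit_length())
```

A modulus_bits value below the size required by local policy, or a gateway that does not match its gateway type, is worth catching here rather than after the record is published.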