openarc-keygen - Man Page

DKIM (and ARC) key generation tool

Synopsis

openarc-keygen -d domain -s selector [options]

Description

openarc-keygen outputs a private key suitable for signing messages using openarc(8) and also outputs one of several representations of the associated public key, which can be used in various ways.

The output filenames are based on the selector and domain; the private key will end in ".key" and the public key will end in ".txt".

Options

-b, --bits bits

Size of RSA key to generate. The default is 2048, which is also the recommended minimum size. Keys smaller than 1024 bits will almost certainly be rejected by downstream evaluators.

-d, --domain domain

The domain which will use this key for signing.

-D, --directory directory

Directory to store the keys in. If this is not specified the keys will be stored in the current working directory.

-f, --format {bare | testkey | text | zone}

Output format for the public key. bare outputs just the key itself, rendering many flags that this program accepts irrelevant. testkey outputs a line suitable for use in a file pointed to by the TestKeys option in openarc.conf(5). text outputs a standard textual representation of the key as specified in RFC 6376. zone is the default, and outputs a DNS record formatted for use in a zone file.

--fqdn

When outputting a DNS zone file entry, use the fully qualified domain name instead of a relative one.

--hash-algorithms algorithms

Tag the public key to indicate that it should only be used with this colon-separated list of algorithms.

-h, --help

Show a help message and exit.

--no-subdomains

Tag the public key to indicate that identities in a signature are required to be from this exact domain, not subdomains.

-n, --note note

Free-form text to include in the public key. This is intended for humans who are reading the record, and should be kept brief if it is used at all.

-r, --restrict

Tag the public key to indicate that it should only be used for email. There are not currently any other protocols that might use the key, so this does not have any practical effect.

-s, --selector selector

A name for the key.

-t, --type {rsa | ed25519}

Type of key to generate, defaults to RSA. Note that Ed25519 keys are not currently useful for ARC, nor are they usable by OpenARC. This option is for people who are generating DKIM keys for use with other software.

--testing

Tag the public key to indicate that this domain is testing its deployment of the protocol this key is used with. This is a signal that you are more interested in receiving feedback; it does not affect the handling of messages or signatures.
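The tags that the options above set in the published record, shown as an added Python example that is not part of openarc-keygen: it builds the RFC 6376 TXT record value from the same choices, parses it back the way a verifier would, and lays it out for a zone file. The key bytes are a constructed placeholder, and the exact zone-file layout is an assumption rather than this program's output.

```python
import base64

# Constructed placeholder: a real record carries the DER-encoded
# SubjectPublicKeyInfo of the RSA key (or the raw 32-byte Ed25519 key).
PLACEHOLDER_KEY = b"\x00" * 8

def build_dkim_record(pubkey_der=PLACEHOLDER_KEY, key_type="rsa",
                      hash_algorithms=None, no_subdomains=False,
                      testing=False, restrict=False, note=None):
    """Return the RFC 6376 TXT record value that the options map to."""
    tags = ["v=DKIM1"]
    if hash_algorithms:                 # --hash-algorithms sha256:sha1 -> h=
        tags.append("h=" + ":".join(hash_algorithms))
    tags.append("k=" + key_type)        # -t rsa|ed25519 -> k=
    if note:                            # -n -> n=; qp-section, so ';' is encoded
        tags.append("n=" + note.replace(";", "=3B"))
    tags.append("p=" + base64.b64encode(pubkey_der).decode("ascii"))
    if restrict:                        # -r -> s=email
        tags.append("s=email")
    flags = (["y"] if testing else []) + (["s"] if no_subdomains else [])
    if flags:                           # --testing -> t=y, --no-subdomains -> t=s
        tags.append("t=" + ":".join(flags))
    return "; ".join(tags)

def parse_dkim_record(record):
    """Split a record back into a tag dict, as a verifier does before use."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")   # keep '=' padding in p=
            tags[name.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        raise ValueError("not a DKIM key record")
    return tags

def zone_entry(domain, selector, record, fqdn=False):
    """Zone-file line (assumed layout). A TXT character-string is at most
    255 bytes, so a long p= value is split into several quoted strings."""
    name = f"{selector}._domainkey" + (f".{domain}." if fqdn else "")
    chunks = [record[i:i + 255] for i in range(0, len(record), 255)]
    return f"{name} IN TXT ( " + " ".join(f'"{c}"' for c in chunks) + " )"
```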

Notes

A suitable openssl executable must be available in the executing user's PATH.

Examples

You may want to use sudo(8) to run this command as the user that the openarc(8) daemon is configured to run as, so that the file permissions are correct.

sudo -u openarc openarc-keygen -D /etc/openarc/keys -d example.com -s 20241004

See Also

Info

2026-02-04