ssh-keygen(1) - authentication key generation, management and conversion
-A      For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the
        host keys with the default key file path, an empty passphrase, default bits for the key type, and
        default comment.  This is used by system administration scripts to generate new host keys.
-a trials
        Specifies the number of primality tests to perform when screening DH-GEX candidates using the -T
-B      Show the bubblebabble digest of specified private or public key file.
-b bits
        Specifies the number of bits in the key to create.  For RSA keys, the minimum size is 768 bits and
        the default is 2048 bits.  Generally, 2048 bits is considered sufficient.  DSA keys must be exactly
        1024 bits as specified by FIPS 186-2.  For ECDSA keys, the -b flag determines they key length by
        selecting from one of three elliptic curve sizes: 256, 384 or 521 bits.  Attempting to use bit
        lengths other than these three values for ECDSA keys will fail.
-C comment
        Provides a new comment.
-c      Requests changing the comment in the private and public key files.  This operation is only
        supported for RSA1 keys.  The program will prompt for the file containing the private keys, for the
        passphrase if the key has one, and for the new comment.
-D pkcs11
        Download the RSA public keys provided by the PKCS#11 shared library pkcs11.  When used in
        combination with -s, this option indicates that a CA key resides in a PKCS#11 token (see the
        CERTIFICATES section for details).
-e      This option will read a private or public OpenSSH key file and print to stdout the key in one of
        the formats specified by the -m option.  The default export format is “RFC4716”.  This option
        allows exporting OpenSSH keys for use by other programs, including several commercial SSH
-F hostname
        Search for the specified hostname in a known_hosts file, listing any occurrences found.  This
        option is useful to find hashed host names or addresses and may also be used in conjunction with
        the -H option to print found keys in a hashed format.
-f filename
        Specifies the filename of the key file.
-G output_file
        Generate candidate primes for DH-GEX.  These primes must be screened for safety (using the -T
        option) before use.
-g      Use generic DNS format when printing fingerprint resource records using the -r command.
-H      Hash a known_hosts file.  This replaces all hostnames and addresses with hashed representations
        within the specified file; the original content is moved to a file with a .old suffix.  These
        hashes may be used normally by ssh and sshd, but they do not reveal identifying information should
        the file's contents be disclosed.  This option will not modify existing hashed hostnames and is
        therefore safe to use on files that mix hashed and non-hashed names.
-h      When signing a key, create a host certificate instead of a user certificate.  Please see the
        CERTIFICATES section for details.
-I certificate_identity
        Specify the key identity when signing a public key.  Please see the CERTIFICATES section for
-i      This option will read an unencrypted private (or public) key file in the format specified by the -m
        option and print an OpenSSH compatible private (or public) key to stdout.  This option allows
        importing keys from other software, including several commercial SSH implementations.  The default
        import format is “RFC4716”.
-L      Prints the contents of a certificate.
-l      Show fingerprint of specified public key file.  Private RSA1 keys are also supported.  For RSA and
        DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint.  If
        combined with -v, an ASCII art representation of the key is supplied with the fingerprint.
-M memory
        Specify the amount of memory to use (in megabytes) when generating candidate moduli for DH-GEX.
-m key_format
        Specify a key format for the -i (import) or -e (export) conversion options.  The supported key
        formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public key) or
        “PEM” (PEM public key).  The default conversion format is “RFC4716”.
-N new_passphrase
        Provides the new passphrase.
-n principals
        Specify one or more principals (user or host names) to be included in a certificate when signing a
        key.  Multiple principals may be specified, separated by commas.  Please see the CERTIFICATES
        section for details.
-O option
        Specify a certificate option when signing a key.  This option may be specified multiple times.
        Please see the CERTIFICATES section for details.  The options that are valid for user certificates

        clear   Clear all enabled permissions.  This is useful for clearing the default set of permissions
                so permissions may be added individually.
-P passphrase
        Provides the (old) passphrase.
-p      Requests changing the passphrase of a private key file instead of creating a new private key.  The
        program will prompt for the file containing the private key, for the old passphrase, and twice for
        the new passphrase.
-q      Silence ssh-keygen.
-R hostname
        Removes all keys belonging to hostname from a known_hosts file.  This option is useful to delete
        hashed hosts (see the -H option above).
-r hostname
        Print the SSHFP fingerprint resource record named hostname for the specified public key file.
-S start
        Specify start point (in hex) when generating candidate moduli for DH-GEX.
-s ca_key
        Certify (sign) a public key using the specified CA key.  Please see the CERTIFICATES section for
-T output_file
        Test DH group exchange candidate primes (generated using the -G option) for safety.
-t type
        Specifies the type of key to create.  The possible values are “rsa1” for protocol version 1 and
        “dsa”, “ecdsa” or “rsa” for protocol version 2.
-V validity_interval
        Specify a validity interval when signing a certificate.  A validity interval may consist of a
        single time, indicating that the certificate is valid beginning now and expiring at that time, or
        may consist of two times separated by a colon to indicate an explicit time interval.  The start
        time may be specified as a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a relative
        time (to the current time) consisting of a minus sign followed by a relative time in the format
        described in the TIME FORMATS section of sshd_config(5).  The end time may be specified as a
        YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting with a plus character.

        For example: “+52w1d” (valid from now to 52 weeks and one day from now), “-4w:+4w” (valid from four
        weeks ago to four weeks from now), “20100101123000:20110101123000” (valid from 12:30 PM, January
        1st, 2010 to 12:30 PM, January 1st, 2011), “-1d:20110101” (valid from yesterday to midnight,
        January 1st, 2011).
-v      Verbose mode.  Causes ssh-keygen to print debugging messages about its progress.  This is helpful
        for debugging moduli generation.  Multiple -v options increase the verbosity.  The maximum is 3.
-W generator
        Specify desired generator when testing candidate moduli for DH-GEX.
-y      This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.
-z serial_number
        Specifies a serial number to be embedded in the certificate to distinguish this certificate from
        others from the same CA.  The default serial number is zero.