[Opendnssec-develop] hsm-toolkit

Roy Arends roy at nominet.org.uk
Mon Feb 2 17:43:12 UTC 2009

The hsm-toolkit can generate, list and remove RSA key-pairs from the HSM.

usage: hsm-toolkit [-s slot] [-p pin] [-G [-b keysize] label] [-R label]

If no arguments are given, the toolkit will try to list objects on slot 0, 
and will prompt for the pin.
(Question: should I change the default to match softHSM's default slot 1?)

If a label (an arbitrary string) is given as argument, the only matching 
keys will be listed.

-G generates a key. default is 1024 bits, which can be change by using -b. 
A label is required.
If the label already exists, a new key with the same label will not be 
generated. Key ID is not used at all (CKA_ID).
(Note: I will add CKA_ID as well, and require that that the tuple 
<CKA_LABEL,CKA_ID> is unique).

-R removes a key. A label is required.
(Question: should I change this to -D to avoid that -R is interpreted as 
"Read" instead of "Remove")

Requests for functionality are welcome.



Roy Arends
Sr. Researcher
Nominet UK 

More information about the Opendnssec-develop mailing list