[Opendnssec-user] importing bind9 keys into softhsm, ods
Joe Abley
jabley at hopcount.ca
Tue Dec 8 09:13:02 UTC 2009
Hi all,
Jakob asked me to forward this to this list instead of to his personal mailbox, for some entirely plausible reason. :-)
Any clues would be gratefully received.
Joe
Begin forwarded message:
> From: Joe Abley <jabley at hopcount.ca>
> Date: 8 December 2009 00:29:07 GMT
> To: Jakob Schlyter <jakob at kirei.se>, Roy Arends <roy at dnss.ec>
> Subject: opendnssec clue
>
> Hey,
>
> I was just playing with OpenDNSSEC for some of my own zones.
>
> The page http://trac.opendnssec.org/wiki/Signer/Using/Migrating contains some useful information for how to migrate from a BIND9/dnssec-signzone setup to OpenDNSSEC.
>
> softhsm-keyconv --topkcs8 --in Kexample.com.+005+42952.private --out key.pem
>
> is pleasantly clear, but
>
> softhsm --import key.pem --slot 1 --label A2 --id A2 --pin 123456
>
> makes me wonder how I decide what the label, id and pin should be for the key I import. Further down that page I see
>
> ods-ksmutil key import --cka_id <CKA_ID> --repository <repository> --zone <zone> --bits <size> --algorithm <algorithm> --keystate <state> --keytype <type> --time <time>
>
> and I find I don't know
>
> (a) what a CKA_ID is
>
> (b) the difference between active and ready for the key state
>
> This whole procedure seems like it would be usefully automated even if just for the case where people are using softhsm with something like
>
> ./bind9-to-softhsm ./Kexample.com.+005+42952.private EXAMPLE.COM
>
> and have the script figure out all the heavy lifting. But I am not asking for a script :-) just some guidance on the questions above. Any clues for me?
>
>
> Joe
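The message above imagines a script that works out the import parameters from a BIND9 key file. The following added example (not part of the original post, and not OpenDNSSEC code) shows the part that can be derived offline: the values for `--zone`, `--bits` and `--algorithm` in the `ods-ksmutil key import` line, read from the key's file name and its `.private` contents. The function name and the sample key are constructed for illustration; the label, id, pin, key state, key type and time cannot be derived from the file and remain operator choices.

```python
import base64
import re

# Constructed sample in BIND's "Private-key-format: v1.2" layout.
# The modulus is filler bytes, not a real key.
SAMPLE_PRIVATE = (
    "Private-key-format: v1.2\n"
    "Algorithm: 5 (RSASHA1)\n"
    "Modulus: " + base64.b64encode(b"\xc3" + b"\x01" * 127).decode() + "\n"
    "PublicExponent: AQAB\n"
)

# BIND names key files K<owner name with trailing dot>+<alg>+<key tag>.private
NAME_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.private$")


def describe_bind_key(path, private_text):
    """Return zone, algorithm, key tag and RSA modulus size for a BIND9 key."""
    m = NAME_RE.match(path.rsplit("/", 1)[-1])
    if m is None:
        raise ValueError("not a BIND9 private key file name: %r" % path)

    # The .private file is a list of "Field: value" lines.
    fields = dict(
        line.split(": ", 1) for line in private_text.splitlines() if ": " in line
    )
    alg_num, _, alg_name = fields["Algorithm"].partition(" ")

    # Refuse a file whose contents disagree with its name.
    if int(alg_num) != int(m["alg"]):
        raise ValueError("algorithm in file name and file body differ")

    # Key size is the bit length of the RSA modulus, not its byte count * 8.
    modulus = base64.b64decode(fields["Modulus"])
    bits = int.from_bytes(modulus, "big").bit_length()

    return {
        "zone": m["zone"],
        "algorithm": int(alg_num),
        "mnemonic": alg_name.strip("()"),
        "keytag": int(m["tag"]),
        "bits": bits,
    }


if __name__ == "__main__":
    print(describe_bind_key("./Kexample.com.+005+42952.private", SAMPLE_PRIVATE))
```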