[Opendnssec-user] importing bind9 keys into softhsm, ods
rickard.bellgrim at iis.se
Tue Dec 8 10:24:39 UTC 2009
> makes me wonder how I decide what the label, id and pin should be for the key I import. Further down that page I see
Label is a string which describes the object. Not used by OpenDNSSEC.
ID is the id of the key that you want to create. Hexadecimal. Used by OpenDNSSEC.
PIN is the PIN code that you use to login to the token.
> ods-ksmutil key import --cka_id <CKA_ID> --repository <repository> --zone <zone> --bits <size> --algorithm <algorithm> --keystate <state> --keytype <type> --time <time>
> and I find I don't know
> (a) what a CKA_ID is
It is the hexadecimal string from the previous step.
> (b) the difference between active and ready for the key state
Keystate active will make the key active. It is used for signing directly. If there already is an active key, then there will be two keys signing the zone. So if you only want this key to sign the zone, then do the import directly after setup and before you start the system.
Keystate ready will add the key to the ready queue. It will become active in a future rollover, if the key matches the policy.
> This whole procedure seems like it would be usefully automated even if just for the case where people are using softhsm with something like
> ./bind9-to-softhsm ./Kexample.com.+005+42952.private EXAMPLE.COM
> and have the script figure out all the heavy lifting. But I am not asking for a script :-) just some guidance on the questions above. Any clues for me?
I will update the documentation.
We could have a script, but you would still need label, ID, slot, and PIN. Label and ID could be a random string.
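The steps discussed above (pick a hexadecimal ID, load the key into the SoftHSM token, then register it with ods-ksmutil key import using the same CKA_ID and the right key state/type) as one script. This is an added example, not code from this thread or from the OpenDNSSEC or SoftHSM projects. It assumes a SoftHSM 1.x command line with `softhsm-keyconv --topkcs8` and `softhsm --import`, a BIND key pair named K<zone>.+<alg>+<tag>.private / .key, a token slot and PIN supplied through SLOT and PIN (the defaults are placeholders), that ods-ksmutil accepts the numeric algorithm and a "YYYY-MM-DD HH:MM:SS" time (check against your version's --help), and it derives the CKA_ID from the key tag, which is one choice among many (the reply says a random string would do):

```shell
#!/bin/sh
# Added example (not code from the list thread or from the OpenDNSSEC/SoftHSM
# projects): a sketch of the "bind9-to-softhsm" helper the question asks about.
# Assumptions: SoftHSM 1.x with `softhsm-keyconv --topkcs8` and `softhsm --import`,
# a BIND key pair K<zone>.+<alg>+<tag>.private / .key, and a repository whose
# token slot and PIN are given in SLOT and PIN. With DRY_RUN=1 (the default)
# the state-changing commands are only printed.

SLOT=${SLOT:-0}
PIN=${PIN:-1234}               # placeholder token PIN (assumption)
KEYSTATE=${KEYSTATE:-ready}    # "ready" queues the key; "active" signs immediately
IMPORT_TIME=${IMPORT_TIME:-$(date -u '+%Y-%m-%d %H:%M:%S')}  # format is an assumption
DRY_RUN=${DRY_RUN:-1}

# Print a command, and run it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Split a BIND key file name K<zone>.+<alg>+<tag>.private into "zone alg tag",
# with leading zeros removed from the numeric fields (expr parses them as decimal).
bind_key_parse() {
    base=$(basename "$1" .private)
    case $base in
        K*.+*+*) ;;
        *) echo "not a BIND key file name: $1" >&2; return 1 ;;
    esac
    zone=${base#K}; zone=${zone%%.+*}
    rest=${base##*.+}            # e.g. "005+42952"
    alg=$(expr "${rest%%+*}" + 0)
    tag=$(expr "${rest#*+}" + 0)
    printf '%s %s %s\n' "$zone" "$alg" "$tag"
}

# Derive a hexadecimal CKA_ID from the key tag. Any unique hex string works;
# using the tag keeps the ID reproducible across reruns.
cka_id_from_tag() {
    printf '%04x\n' "$(expr "$1" + 0)"
}

# Map the flags field of a DNSKEY RR line (257 = KSK, 256 = ZSK) to the
# ods-ksmutil key type.
dnskey_role() {
    set -- $1                     # word-split the RR on purpose
    while [ $# -gt 1 ]; do
        if [ "$1" = DNSKEY ]; then
            case $2 in
                257) echo KSK; return 0 ;;
                256) echo ZSK; return 0 ;;
                *) echo "unexpected DNSKEY flags: $2" >&2; return 1 ;;
            esac
        fi
        shift
    done
    echo "no DNSKEY RR found" >&2
    return 1
}

# Convert the key to PKCS#8, import it into the token, then register it in
# the KASP database under the same CKA_ID.
bind9_to_softhsm() {
    priv=$1; repo=$2
    parsed=$(bind_key_parse "$priv") || return 1
    set -- $parsed
    zone=$1; alg=$2; tag=$3
    pub=${priv%.private}.key
    role=$(dnskey_role "$(grep DNSKEY "$pub")") || return 1
    # RSA modulus length in bits, from the base64 "Modulus:" line of the .private file
    bits=$(( $(awk '/^Modulus:/ {print $2}' "$priv" | openssl base64 -d -A | wc -c) * 8 ))
    id=$(cka_id_from_tag "$tag")

    umask 077                     # the PKCS#8 file holds the unencrypted private key
    pem=$(mktemp) || return 1
    run softhsm-keyconv --topkcs8 --in "$priv" --out "$pem"
    run softhsm --import "$pem" --slot "$SLOT" --pin "$PIN" \
        --label "$zone-$role-$tag" --id "$id"
    run ods-ksmutil key import --cka_id "$id" --repository "$repo" --zone "$zone" \
        --bits "$bits" --algorithm "$alg" --keystate "$KEYSTATE" --keytype "$role" \
        --time "$IMPORT_TIME"
    rm -f "$pem"
}

# Usage: [DRY_RUN=0] ./bind9-to-softhsm.sh Kexample.com.+005+42952.private <repository>
if [ $# -ge 2 ]; then
    bind9_to_softhsm "$1" "$2"
fi
```

Run it once with the default DRY_RUN=1 to see the three commands it would issue, then with DRY_RUN=0. The PKCS#8 intermediate is written with umask 077 and removed afterwards because it contains the private key in the clear; KEYSTATE defaults to ready, since importing an active key next to an already active one leaves the zone signed by both, as the reply explains.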