[Opendnssec-user] ods-hsmutil

elsif jake at elsif.net
Fri Jul 13 15:57:51 UTC 2012

So, this same Keyper HSM with 36 (or more) keys on it...

I run an "inittoken" now.

"ods-hsmutil list" shows me no keys.  I haven't nuked the APP keys via the 
HSM console, though.  They're still there but hsmutil doesn't show them. 
Why?  Is hsmutil really reading ~/Keyper/keymap.db, and not connecting to 
the HSM at all to get the list of keys?

[root at signer-01 log]# ods-hsmutil list
Listing keys in all repositories.
0 keys found.

Repository            ID                                Type
----------            --                                ----
[root at signer-01 log]#

Now...I try to generate new keys (to hell with the keys already sitting on 
there at this point)...

[root at signer-01 log]# ods-ksmutil key generate --policy=lab --interval P60D
Key sharing is Off
HSM opened successfully.
*WARNING* This will create -2 KSKs (2048 bits) and -23 ZSKs (1024 bits)
Are you sure? [y/N] y
all done! hsm_close result: 0

Trying to create negative keys...why?


On Thu, 12 Jul 2012, Rickard Bellgrim wrote:

>> Clearly there's a bad assumption on my part somewhere in here.
> Yes, if you create keys manually then you have to add them manually to
> OpenDNSSEC before you start OpenDNSSEC. If you have not added them to
> the Enforcer, then it will create keys by itself. My recommendation is
> to not generate keys manually, but to let OpenDNSSEC do that for you.
> ods-hsmutil, as the documentation says, talks directly with the HSM.
> OpenDNSSEC will thus have no knowledge of the keys, unless you till it
> what to do.
> // Rickard
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list