[Opendnssec-user] ods-hsmutil
elsif
jake at elsif.net
Fri Jul 13 15:57:51 UTC 2012
So, this same Keyper HSM with 36 (or more) keys on it...
I run an "inittoken" now.
"ods-hsmutil list" shows me no keys. I haven't nuked the APP keys via the
HSM console, though. They're still there but hsmutil doesn't show them.
Why? Is hsmutil really reading ~/Keyper/keymap.db, and not connecting to
the HSM at all to get the list of keys?
[root at signer-01 log]# ods-hsmutil list
Listing keys in all repositories.
0 keys found.
Repository ID Type
---------- -- ----
[root at signer-01 log]#
Now...I try to generate new keys (to hell with the keys already sitting on
there at this point)...
[root at signer-01 log]# ods-ksmutil key generate --policy=lab --interval P60D
Key sharing is Off
HSM opened successfully.
*WARNING* This will create -2 KSKs (2048 bits) and -23 ZSKs (1024 bits)
Are you sure? [y/N] y
all done! hsm_close result: 0
Trying to create negative keys...why?
-jake
On Thu, 12 Jul 2012, Rickard Bellgrim wrote:
>> Clearly there's a bad assumption on my part somewhere in here.
>
> Yes, if you create keys manually then you have to add them manually to
> OpenDNSSEC before you start OpenDNSSEC. If you have not added them to
> the Enforcer, then it will create keys by itself. My recommendation is
> to not generate keys manually, but to let OpenDNSSEC do that for you.
>
> ods-hsmutil, as the documentation says, talks directly with the HSM.
> OpenDNSSEC will thus have no knowledge of the keys, unless you tell it
> what to do.
>
> // Rickard
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
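Rickard's point above is the practical check: ods-hsmutil reports what the token holds over PKCS#11, while ods-ksmutil reports what the Enforcer's KASP database believes, and the two sets can drift apart when keys are created on the HSM by hand or wiped from it while the database is untouched. The script below is an added example, not part of this thread or of OpenDNSSEC; it reconciles the two listings and flags keys present only on the HSM (unknown to the Enforcer) or only in the Enforcer database (referenced but no longer on the token). The two listings are constructed samples approximating the OpenDNSSEC 1.x output of `ods-hsmutil list` and `ods-ksmutil key list --verbose`; the exact column layout is an assumption, so the parser keys on the 32-hex-character CKA_ID rather than on column positions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample, approximating `ods-hsmutil list` output (assumed layout).
HSMUTIL_LIST = """\
Listing keys in all repositories.
3 keys found.

Repository                     ID                                       Type
----------                     --                                       ----
lab                            1f2e3d4c5b6a79880123456789abcdef         RSA/2048
lab                            00112233445566778899aabbccddeeff         RSA/1024
lab                            ffeeddccbbaa99887766554433221100         RSA/1024
"""

# Constructed sample, approximating `ods-ksmutil key list --verbose` (assumed layout).
KSMUTIL_KEY_LIST = """\
Keys:
Zone:            Keytype:  State:   Date of next transition (to):  CKA_ID:                           Repository:  Keytag:
lab.example      KSK       active   2012-09-11 15:57:51 (retire)   1f2e3d4c5b6a79880123456789abcdef  lab          20930
lab.example      ZSK       active   2012-08-12 15:57:51 (retire)   00112233445566778899aabbccddeeff  lab          41234
lab.example      ZSK       publish  2012-08-05 15:57:51 (ready)    0123456789abcdef0123456789abcdef  lab          9876
"""

# A CKA_ID as printed by both tools: 32 lowercase hex characters.
CKA_ID = re.compile(r"^[0-9a-f]{32}$")


def hsm_keys(listing: str) -> Dict[str, Set[str]]:
    """Map repository -> set of CKA_IDs as reported by the HSM itself."""
    keys: Dict[str, Set[str]] = defaultdict(set)
    for line in listing.splitlines():
        fields = line.split()
        # Data rows look like: <repository> <cka_id> <type>; header and
        # separator rows fail the CKA_ID match and are skipped.
        if len(fields) >= 2 and CKA_ID.match(fields[1]):
            keys[fields[0]].add(fields[1])
    return keys


def enforcer_keys(listing: str) -> Dict[str, Set[str]]:
    """Map repository -> set of CKA_IDs the Enforcer database knows about."""
    keys: Dict[str, Set[str]] = defaultdict(set)
    for line in listing.splitlines():
        fields = line.split()
        for i, tok in enumerate(fields):
            # The repository name is the field directly after the CKA_ID
            # in the verbose listing (assumed layout, see lead-in).
            if CKA_ID.match(tok) and i + 1 < len(fields):
                keys[fields[i + 1]].add(tok)
                break
    return keys


def reconcile(hsm: Dict[str, Set[str]],
              enforcer: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Return, per repository, keys only on the token and keys only in the DB.

    only_in_hsm: material the Enforcer will never use or roll (it was created
    or imported outside OpenDNSSEC).  only_in_enforcer: database entries whose
    private key is gone from the token; signing with those will fail.
    """
    only_in_hsm: Dict[str, List[str]] = {}
    only_in_enforcer: Dict[str, List[str]] = {}
    for repo in sorted(set(hsm) | set(enforcer)):
        on_token = hsm.get(repo, set())
        in_db = enforcer.get(repo, set())
        if on_token - in_db:
            only_in_hsm[repo] = sorted(on_token - in_db)
        if in_db - on_token:
            only_in_enforcer[repo] = sorted(in_db - on_token)
    return {"only_in_hsm": only_in_hsm, "only_in_enforcer": only_in_enforcer}


if __name__ == "__main__":
    result = reconcile(hsm_keys(HSMUTIL_LIST), enforcer_keys(KSMUTIL_KEY_LIST))
    for repo, ids in result["only_in_hsm"].items():
        for cka_id in ids:
            print(f"{repo}: {cka_id} is on the HSM but unknown to the Enforcer")
    for repo, ids in result["only_in_enforcer"].items():
        for cka_id in ids:
            print(f"{repo}: {cka_id} is in the Enforcer DB but missing from the HSM")
```

On a real signer, feed the script the captured output of the two commands instead of the embedded samples. Anything reported under only_in_enforcer is the dangerous case: the Enforcer will schedule and try to sign with a key it cannot load, so it should be resolved (by restoring the token from backup or by removing the stale database entries) before the signer is started.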