[Opendnssec-user] ods-hsmutil

Rickard Bellgrim rickard at opendnssec.org
Fri Jul 13 18:49:29 UTC 2012

On Fri, Jul 13, 2012 at 5:57 PM, elsif <jake at elsif.net> wrote:
> So, this same Keyper HSM with 36 (or more) keys on it...
> I run an "inittoken" now.
> "ods-hsmutil list" shows me no keys.  I haven't nuked the APP keys via the
> HSM console, though.  They're still there but hsmutil doesn't show them.
> Why?  Is hsmutil really reading ~/Keyper/keymap.db, and not connecting to
> the HSM at all to get the list of keys?

I assume that "inittoken" is part of the AEP software kit. By the
name, I also guess that it initialize the token. If you initialize the
token, then the keys will be erased. ods-hsmutil will never read the
~/Keyper/keymap.db directly, that is an internal file belonging to the
HSM. All communication is done over the PKCS#11 interface.

> Now...I try to generate new keys (to hell with the keys already sitting on
> there at this point)...
> [root at signer-01 log]# ods-ksmutil key generate --policy=lab --interval P60D
> Key sharing is Off
> HSM opened successfully.
> *WARNING* This will create -2 KSKs (2048 bits) and -23 ZSKs (1024 bits)
> Are you sure? [y/N] y
> all done! hsm_close result: 0
> Trying to create negative keys...why?

My guess is that you have old key data in the database. "ods-ksmutil
key generate" only makes sure that you have enough keys for the given
interval. If you previously generated keys for e.g. one year and then
try to generate keys for e.g. 60 days, then it will not generate
anymore keys because you already have keys for one year. The negative
number is probably a GUI error. If you re-initialize the HSM, then you
also need to do "ods-ksmutil setup".

Remember that the physical keys are stored in the HSM. We also need
more properties than just the key values (exponent, modulus, ...).
This is why we need the KASP Enforcer Database. This database will
have the "key metadata" like KSK, ZSK, CKA_ID, rollover time stamps,

Please read more about HSM Vs. PKCS#11 Vs. OpenDNSSEC on the wiki to
get the complete picture.

// Rickard

More information about the Opendnssec-user mailing list