[Opendnssec-user]
刘硕
shuoleo at 126.com
Tue Oct 23 07:49:04 UTC 2012
Hi Jakob,
Thanks for your information.
> You should be able to create the key on the HSM and then import it into OpenDNSSEC
I can generate keys using the pkcs11-tool command with the SoftHSM module, but I don't think we can get
keys out of the HSM to import into OpenDNSSEC by using 'ods-ksmutil key import', because the private
key cannot be exported, right?
> If the key does not have a label, you might be able to set one using pkcs11-tool (from the OpenSC package).
Yes, we can generate a key and specify a label for it, but I don't think pkcs11-tool can generate keys directly,
because the key generation must be done manually with admin privilege.
Even if I could set a label with pkcs11-tool, can OpenDNSSEC support <KeyLabel>? I think the key rollover
should be done manually and the conf.xml should support more <KeyLabel> then.
If the key generation must be done manually, the key rollover cannot be done by OpenDNSSEC automatically;
it has to be done manually, too.
Best regards,
Stuart
From: Jakob Schlyter
Date: 2012-10-09 17:08
To: shuoleo
CC: opendnssec-user; Patrik Wallström
Subject: Re: [Opendnssec-user]
You should be able to create the key on the HSM and then import it into OpenDNSSEC, given that a proper KeyLabel exists. If the key does not have a label, you might be able to set one using pkcs11-tool (from the OpenSC package).
jakob