[Opendnssec-user] Issues Migrating Keys

Alain Baxter Alain.Baxter at cira.ca
Fri Sep 13 15:05:35 UTC 2019


Hello,

We are migrating SoftHSM keys between servers (so that we can migrate our zone signing to a new server).

Old server versions:
$ softhsm --version
1.3.5
$ ods-enforcerd version
OpenDNSSEC ods-enforcerd started (version 1.4.8.2), pid 32735

New server version
$ softhsm2-util --version
2.1.0
$ ods-enforcer --version
opendnssec version 2.1.1

I have successfully exported the keys from the old server with:
$ softhsm --export tld-257.pem --id 5edbd7c17a7a2935859aad429876c1c8 --slot 0 --pin 1234 --file-pin 4321
$ softhsm --export tld-256.pem --id 8c74f7310af7073736fdb3ffb653bed5 --slot 0 --pin 1234 --file-pin 4321

I have successfully imported the keys to the new server with:
$ softhsm2-util --import tld-257.pem --id a257 --slot 0 --pin 1234 --label "SoftHSM" --file-pin 4321
The key pair has been imported.
$ softhsm2-util --import tld-256.pem --id a256 --slot 0 --pin 1234 --label "SoftHSM" --file-pin 4321
The key pair has been imported.

I can verify that OpenDNSSEC can see the keys with:
$ ods-hsmutil list

Listing keys in all repositories.
2 keys found.

Repository            ID                                Type
----------            --                                ----
SoftHSM               a257                              RSA/2048
SoftHSM               a256                              RSA/1024

The issue comes when trying to import the keys into OpenDNSSEC to start signing the zone with them.

I'm issuing the following commands, and they keep returning that the key cannot be found with the locator:
$ ods-enforcer key import --cka_id a257 -r SoftHSM -z tld --bits 2048 --algorithm 8 --keystate active --keytype KSK --inception_time 2019-09-13-00:00:00
Unable to find the key with this locator: a257
$ ods-enforcer key import --cka_id a256 -r SoftHSM -z tld --bits 1024 --algorithm 8 --keystate active --keytype ZSK --inception_time 2019-09-13-00:00:00
Unable to find the key with this locator: a256

Is there something I'm missing here? The keys exist in the repository, and ods-hsmutil list returns them; however, when importing them for use with the zone it continues to indicate that it cannot find the keys.

Any help would be appreciated.

Alain Baxter,
Sr DevOps Specialist
Canadian Internet Registration Authority
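A check worth doing on either side of a migration like the one described above is to confirm that the exported/imported key pair really is the key the zone publishes: derive the DNSKEY RDATA and key tag (RFC 4034 Appendix B) from the RSA public components and compare the tag with the live DNSKEY/DS. The following is an added example written for this page, not code from the original post or from OpenDNSSEC/SoftHSM. It assumes the exponent and modulus are read off the exported PEM with `openssl rsa -in tld-257.pem -noout -modulus` (which prints a `Modulus=HEX` line) and `openssl rsa -in tld-257.pem -noout -text` (which prints `publicExponent`); the sample modulus below is a constructed toy value, not a real key.

```python
"""Compute DNSKEY RDATA and the RFC 4034 key tag from RSA public components.

Added example for the migration thread above; not part of OpenDNSSEC or SoftHSM.
Inputs (exponent, modulus) are assumed to come from `openssl rsa -noout -modulus`
and `openssl rsa -noout -text` run against the PEM that softhsm --export produced.
"""
import base64
import struct

PROTOCOL = 3           # fixed value for DNSKEY (RFC 4034 section 2.1.2)
ALG_RSASHA256 = 8      # --algorithm 8 in the post
FLAGS_KSK = 257        # tld-257.pem in the post
FLAGS_ZSK = 256        # tld-256.pem in the post


def _int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def parse_openssl_modulus(line: str) -> int:
    """Parse the `Modulus=HEX` line printed by `openssl rsa -noout -modulus`."""
    key, _, value = line.strip().partition("=")
    if key != "Modulus" or not value:
        raise ValueError(f"not an openssl modulus line: {line!r}")
    return int(value, 16)


def rfc3110_public_key(exponent: int, modulus: int) -> bytes:
    """RSA public key in DNSKEY wire format (RFC 3110 section 2):
    exponent length (1 byte, or 0x00 + 2 bytes if >= 256), exponent, modulus."""
    e = _int_to_bytes(exponent)
    if len(e) < 256:
        length = bytes([len(e)])
    else:
        length = b"\x00" + struct.pack("!H", len(e))
    return length + e + _int_to_bytes(modulus)


def dnskey_rdata(flags: int, algorithm: int, exponent: int, modulus: int) -> bytes:
    """Full DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + rfc3110_public_key(exponent, modulus)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1 (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_presentation(owner: str, flags: int, algorithm: int, exponent: int, modulus: int) -> str:
    """Zone-file style DNSKEY record, public key base64-encoded."""
    rdata = dnskey_rdata(flags, algorithm, exponent, modulus)
    return f"{owner} IN DNSKEY {flags} {PROTOCOL} {algorithm} {base64.b64encode(rdata[4:]).decode()}"


def migrated_key_matches(expected_tag: int, flags: int, algorithm: int, exponent: int, modulus: int) -> bool:
    """True if the exported PEM's public components reproduce the published key tag."""
    return key_tag(dnskey_rdata(flags, algorithm, exponent, modulus)) == expected_tag


if __name__ == "__main__":
    # Constructed toy values (not a real key): e = 65537, a 24-bit modulus.
    e = 65537
    n = parse_openssl_modulus("Modulus=C0FFEE")
    for flags in (FLAGS_KSK, FLAGS_ZSK):
        print(dnskey_presentation("tld.", flags, ALG_RSASHA256, e, n),
              "; key tag", key_tag(dnskey_rdata(flags, ALG_RSASHA256, e, n)))
```

Run it once per exported PEM with the real components and compare the printed key tag against `dig +dnssec DNSKEY tld` (or the DS in the parent); a mismatch means the PEM you imported into the new SoftHSM is not the key currently in use, which is worth knowing before the enforcer ever sees it.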