Agenda: opendnssec-lab1-1-import-bind-keys.txt

File opendnssec-lab1-1-import-bind-keys.txt, 2.0 KB (added by trac, 5 years ago)

1. Convert and import keys

Next, we'll try and see if we can import our old keys so we can avoid having to
upload a new DS to our parent zone.

# cd /etc/namedb/keys

# softhsm-keyconv --topkcs8 --in Kphil.+005+22603.private --out zsk-22603.pem
The key has been written to zsk-22603.pem

# softhsm-keyconv --topkcs8 --in Kphil.+005+39978.private --out ksk-39978.pem
The key has been written to ksk-39978.pem

# ods-hsmutil list

Repository            ID                                Type
----------            --                                ----
SoftHSM               869f05d1c8e43fa8426b7dae1d434568  RSA/1024
SoftHSM               2f1e5cc56997c2aee7609be5c6c8b0c4  RSA/2048

# ods-ksmutil key list --verbose

        Compare the ID to the CKA_ID

2. Import keys into HSM - for both KSK and ZSK:

        Get unique id:

# uuidgen | tr -d '-'
100d73b5fe0f11e18c32020530e3da0b

# softhsm --import ksk-39978.pem --slot 0 --pin 1234 --label OpenDNSSEC --id \
        100d73b5fe0f11e18c32020530e3da0b
The key pair has been imported to the token in slot 0.

# uuidgen | tr -d '-'
7ea57f3ffe0f11e18c32020530e3da0b

# softhsm --import zsk-22603.pem --slot 0 --pin 1234 --label OpenDNSSEC --id \
        7ea57f3ffe0f11e18c32020530e3da0b
The key pair has been imported to the token in slot 0.

3. Import the keys into OpenDNSSEC

        What is the name of the repository?

# ods-ksmutil repository list
        ...
        SoftHSM
        ...

# ods-ksmutil key import --cka_id 7ea57f3ffe0f11e18c32020530e3da0b --repository SoftHSM --zone phil --bits 1024 --algorithm 5 --keystate active --keytype ZSK --time 201209130000

Key imported into zone(s)

        The --cka_id, --keytype and --bits must describe the same key you imported
        in step 2: the id you gave softhsm --import for zsk-22603.pem goes with
        --keytype ZSK, the one for ksk-39978.pem with --keytype KSK. Check the
        key sizes with ods-hsmutil list before you run the import.

# ods-ksmutil key import --cka_id 100d73b5fe0f11e18c32020530e3da0b --repository SoftHSM --zone phil --bits 2048 --algorithm 5 --keystate active --keytype KSK --time 201209130000

Key imported into zone(s)

# ods-ksmutil key list --verbose

        Notice the Keytag values!

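To catch the kind of mistake step 3 is prone to (registering a CKA_ID with the wrong --keytype or --bits), here is an added Python check that is not part of the lab: it reads a BIND .key file, computes the RFC 4034 key tag, derives --keytype, --algorithm and --bits from the DNSKEY record, and confirms the tag matches the K<zone>.+<alg>+<tag> file name, so that the Keytag values shown by ods-ksmutil key list can be checked against the original BIND keys. The two sample .key files are constructed toy keys with 16-bit moduli, not the lab's real keys.

```python
import base64
import re

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 RSA public key: exponent length, exponent, modulus."""
    exp_len, start = (int.from_bytes(pubkey[1:3], "big"), 3) if pubkey[0] == 0 else (pubkey[0], 1)
    return int.from_bytes(pubkey[start + exp_len:], "big").bit_length()

def inspect_dnskey(key_text: str) -> dict:
    """Parse the DNSKEY line of a BIND .key file and return what
    ods-ksmutil key import needs (--keytype, --algorithm, --bits) plus the key tag."""
    for line in key_text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith(";") or "DNSKEY" not in tok:
            continue
        i = tok.index("DNSKEY")
        flags, proto, alg = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
        pubkey = base64.b64decode("".join(tok[i + 4:]))
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        return {
            "zone": tok[0].rstrip("."),
            "keytype": "KSK" if flags & 1 else "ZSK",  # low bit of flags is the SEP bit
            "algorithm": alg,
            "bits": rsa_modulus_bits(pubkey) if alg in (5, 7, 8, 10) else None,  # RSA algorithms
            "keytag": key_tag(rdata),
        }
    raise ValueError("no DNSKEY record found")

def tag_matches_filename(filename: str, info: dict) -> bool:
    """BIND names keys K<zone>.+<alg>+<tag>.key; the tag in the name must equal the computed one."""
    m = re.fullmatch(r"K(.+)\.\+(\d{3})\+(\d{5})\.(key|private)", filename)
    return bool(m) and (m.group(1), int(m.group(2)), int(m.group(3))) == (
        info["zone"], info["algorithm"], info["keytag"])

# Constructed sample .key files: toy 16-bit RSA keys whose bytes were chosen so the
# tags come out as 39978 (KSK) and 22603 (ZSK), matching the lab's file names.
KSK_KEY = "; This is a key-signing key, keyid 39978, for phil.\nphil. IN DNSKEY 257 3 5 AQOXIQ==\n"
ZSK_KEY = "; This is a zone-signing key, keyid 22603, for phil.\nphil. IN DNSKEY 256 3 5 AQNTQw==\n"
if __name__ == "__main__":
    for name, text in (("Kphil.+005+39978.key", KSK_KEY), ("Kphil.+005+22603.key", ZSK_KEY)):
        print(name, inspect_dnskey(text), tag_matches_filename(name, inspect_dnskey(text)))
```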
References:

https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
https://wiki.opendnssec.org/download/attachments/590430/opendnssec.exercises.2012.03.pdf?version=1&modificationDate=1330681838000