| 1 | 1. Convert and import keys |
|---|
| 2 | |
|---|
| 3 | Next, we'll try and see if we can import our old keys so we can avoid havind to |
|---|
| 4 | upload a new DS to our parent zone. |
|---|
| 5 | |
|---|
| 6 | # cd /etc/namedb/keys |
|---|
| 7 | |
|---|
| 8 | # softhsm-keyconv --topkcs8 --in Kphil.+005+22603.private --out zsk-22603.pem |
|---|
| 9 | The key has been written to zsk-22603.pem |
|---|
| 10 | |
|---|
| 11 | # softhsm-keyconv --topkcs8 --in Kphil.+005+39978.private --out ksk-39978.pem |
|---|
| 12 | The key has been written to ksk-39978.pem |
|---|
| 13 | |
|---|
| 14 | # ods-hsmutil list |
|---|
| 15 | |
|---|
| 16 | Repository ID Type |
|---|
| 17 | ---------- -- ---- |
|---|
| 18 | SoftHSM 869f05d1c8e43fa8426b7dae1d434568 RSA/1024 |
|---|
| 19 | SoftHSM 2f1e5cc56997c2aee7609be5c6c8b0c4 RSA/2048 |
|---|
| 20 | |
|---|
| 21 | # ods-ksmutil key list --verbose |
|---|
| 22 | |
|---|
| 23 | Compare the ID to the CKA_ID |
|---|
| 24 | |
|---|
| 25 | 2. Import keys into HSM - for both KSK and ZSK: |
|---|
| 26 | |
|---|
| 27 | Get unique id: |
|---|
| 28 | |
|---|
| 29 | # uuidgen | tr -d '-' |
|---|
| 30 | 100d73b5fe0f11e18c32020530e3da0b |
|---|
| 31 | |
|---|
| 32 | # softhsm --import ksk-39978.pem --slot 0 --pin 1234 --label OpenDNSSEC --id \ |
|---|
| 33 | 100d73b5fe0f11e18c32020530e3da0b |
|---|
| 34 | The key pair has been imported to the token in slot 0. |
|---|
| 35 | |
|---|
| 36 | # uuidgen | tr -d '-' |
|---|
| 37 | 7ea57f3ffe0f11e18c32020530e3da0b |
|---|
| 38 | |
|---|
| 39 | # softhsm --import zsk-22603.pem --slot 0 --pin 1234 --label OpenDNSSEC --id \ |
|---|
| 40 | 7ea57f3ffe0f11e18c32020530e3da0b |
|---|
| 41 | The key pair has been imported to the token in slot 0. |
|---|
| 42 | |
|---|
| 43 | 3. Import the keys into OpenDNSSEC |
|---|
| 44 | |
|---|
| 45 | What is the name of the repository ? |
|---|
| 46 | |
|---|
| 47 | # ods-ksmutil repository list |
|---|
| 48 | ... |
|---|
| 49 | SoftHSM |
|---|
| 50 | ... |
|---|
| 51 | |
|---|
| 52 | |
|---|
| 53 | # ods-ksmutil key import --cka_id 100d73b5fe0f11e18c32020530e3da0b --repository SoftHSM --zone phil --bits 1024 --algorithm 5 --keystate active --keytype ZSK --time 201209130000 |
|---|
| 54 | |
|---|
| 55 | Key imported into zone(s) |
|---|
| 56 | |
|---|
| 57 | # ods-ksmutil key import --cka_id 7ea57f3ffe0f11e18c32020530e3da0b --repository SoftHSM --zone phil --bits 1289 --algorithm 5 --keystate active --keytype KSK --time 201209130000 |
|---|
| 58 | |
|---|
| 59 | Key imported into zone(s) |
|---|
| 60 | |
|---|
| 61 | # ods-ksmutil key list --verbose |
|---|
| 62 | |
|---|
| 63 | Notice the Keytag values! |
|---|
| 64 | |
|---|
| 65 | |
|---|
| 66 | References: |
|---|
| 67 | |
|---|
| 68 | https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC |
|---|
| 69 | https://wiki.opendnssec.org/download/attachments/590430/opendnssec.exercises.2012.03.pdf?version=1&modificationDate=1330681838000 |
|---|