1. Convert and import keys

Next, we'll see whether we can import our old keys, so that we can avoid
having to upload a new DS to our parent zone.

# cd /etc/namedb/keys
# softhsm-keyconv --topkcs8 --in Kphil.+005+22603.private --out zsk-22603.pem
The key has been written to zsk-22603.pem
# softhsm-keyconv --topkcs8 --in Kphil.+005+39978.private --out ksk-39978.pem
The key has been written to ksk-39978.pem

# ods-hsmutil list
Repository  ID                                Type
----------  --                                ----
SoftHSM     869f05d1c8e43fa8426b7dae1d434568  RSA/1024
SoftHSM     2f1e5cc56997c2aee7609be5c6c8b0c4  RSA/2048

# ods-ksmutil key list --verbose

Compare the ID to the CKA_ID

2. Import keys into HSM - for both KSK and ZSK:

Get a unique ID for each key:

# uuidgen | tr -d '-'
100d73b5fe0f11e18c32020530e3da0b
# softhsm --import ksk-39978.pem --slot 0 --pin 1234 --label OpenDNSSEC --id \
    100d73b5fe0f11e18c32020530e3da0b
The key pair has been imported to the token in slot 0.

# uuidgen | tr -d '-'
7ea57f3ffe0f11e18c32020530e3da0b
# softhsm --import zsk-22603.pem --slot 0 --pin 1234 --label OpenDNSSEC --id \
    7ea57f3ffe0f11e18c32020530e3da0b
The key pair has been imported to the token in slot 0.

3. Import the keys into OpenDNSSEC

What is the name of the repository?

# ods-ksmutil repository list
...
SoftHSM
...

For each key, pass the ID it was given in step 2 as --cka_id, together with the
matching --keytype:

# ods-ksmutil key import --cka_id 7ea57f3ffe0f11e18c32020530e3da0b --repository SoftHSM --zone phil --bits 1024 --algorithm 5 --keystate active --keytype ZSK --time 201209130000
Key imported into zone(s)

# ods-ksmutil key import --cka_id 100d73b5fe0f11e18c32020530e3da0b --repository SoftHSM --zone phil --bits 1289 --algorithm 5 --keystate active --keytype KSK --time 201209130000
Key imported into zone(s)

# ods-ksmutil key list --verbose

Notice the Keytag values!

References:

https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
https://wiki.opendnssec.org/download/attachments/590430/opendnssec.exercises.2012.03.pdf?version=1&modificationDate=1330681838000
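
Added example (not part of the original exercise): a Python check for the key tags that step 3 asks you to notice. It recomputes the RFC 4034 key tag of a DNSKEY under the flags implied by --keytype and compares it with the tag in the BIND file name; the sample file name, the toy DNSKEY record and all function names are constructed for illustration.

```python
import base64
import re

FLAGS = {"ZSK": 256, "KSK": 257}  # DNSKEY flags field; KSK has the SEP bit set

def key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Return (flags, protocol, algorithm, key bytes) from a one-line DNSKEY RR."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return flags, protocol, algorithm, base64.b64decode("".join(fields[i + 4:]))

def bind_file_tag(filename):
    """Return (algorithm, key tag) from a name like Kphil.+005+22603.private."""
    m = re.match(r"K(.+)\+(\d{3})\+(\d{5})", filename)
    if not m:
        raise ValueError("not a BIND key file name: %r" % filename)
    return int(m.group(2)), int(m.group(3))

def check_import(filename, dnskey_line, keytype):
    """Return (matches, new_tag): does the key keep its old tag as `keytype`?"""
    old_alg, old_tag = bind_file_tag(filename)
    _, protocol, algorithm, key = parse_dnskey(dnskey_line)
    new_tag = key_tag(FLAGS[keytype], protocol, algorithm, key)
    return (algorithm == old_alg and new_tag == old_tag), new_tag

# Constructed sample: a toy 12-byte "public key", not a real RSA key.
SAMPLE_FILE = "Kphil.+005+07329.private"
SAMPLE_DNSKEY = "phil. IN DNSKEY 256 3 5 AwEAAcD/7hEiM0RV"

if __name__ == "__main__":
    for keytype in ("ZSK", "KSK"):
        ok, tag = check_import(SAMPLE_FILE, SAMPLE_DNSKEY, keytype)
        print("%s: tag %05d %s" % (keytype, tag, "matches" if ok else "DIFFERS"))
```

Importing the same key material with the wrong --keytype changes the flags field and therefore the key tag, so the DS record at the parent would no longer point at the imported key.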