Yes, ./configure --enable-threads --with-openssl=/usr/local/ssl --with-pkcs11=/usr/lunapci/lib/libCryptoki2.so
In /usr/local/ssl directory is the patched (vendor + bind) openssl. A detail: the openssl version 1.0.0e and the bind patch is for 1.0.0f -- Sergio R. ----- Mensaje original ----- De: "Billy Glynn" <billy.gl...@iedr.ie> Para: bind-users@lists.isc.org Enviados: Lunes, 17 de Febrero 2014 9:32:44 Asunto: Re: Using a HSM card to sign zone Did you configure bind with the patched version of openssl ? On 14 Feb 2014, at 19:43, Sergio Ramirez <srami...@seciu.edu.uy> wrote: > Hi, > > We want to sign zones with bind using an HSM Luna PCI Safenet card. > > The command 'dnssec- keyfromlabel' fails: > > # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l > KSK1-testdnssec -f KSK testdnssec. > dnssec-keyfromlabel: warning: ENGINE_load_private_key failed > dnssec-keyfromlabel: info: error:2609707D:engine > routines:ENGINE_load_public_key:no load function:eng_pkey.c:155: > dnssec-keyfromlabel: info: error:2609607D:engine > routines:ENGINE_load_private_key:no load function:eng_pkey.c:119: > dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found > > It was installed on Debian 4 Linux 2.6.18-6-686 server with: > - openssl-1.0.0e > - patch provided by vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz) > - bind 9.9.2 -P1 > > ** The commands pkcs11-keygen, pkcs11-list and ohter pkcs11-* distributed > with bind, are working OK. ** > > The key 'KSK1-testdnssec' was generated with pkcs11-keygen command. > > We would like to know if anyone are using this HSM or similar. > > Furthermore we would like to get some guidance to solve this problem. > > Thanks in advance. > -- > Sergio RamÃrez > > > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
