So, this same Keyper HSM with 36 (or more) keys on it...

I run an "inittoken" now.

"ods-hsmutil list" shows me no keys. I haven't nuked the APP keys via the HSM console, though. They're still there but hsmutil doesn't show them. Why? Is hsmutil really reading ~/Keyper/keymap.db, and not connecting to the HSM at all to get the list of keys?

[root@signer-01 log]# ods-hsmutil list
Listing keys in all repositories.
0 keys found.

Repository            ID                                Type
----------            --                                ----
[root@signer-01 log]#

Now...I try to generate new keys (to hell with the keys already sitting on there at this point)...

[root@signer-01 log]# ods-ksmutil key generate --policy=lab --interval P60D
Key sharing is Off
HSM opened successfully.
*WARNING* This will create -2 KSKs (2048 bits) and -23 ZSKs (1024 bits)
Are you sure? [y/N] y
all done! hsm_close result: 0

Trying to create negative keys...why?

-jake


On Thu, 12 Jul 2012, Rickard Bellgrim wrote:

Clearly there's a bad assumption on my part somewhere in here.

Yes, if you create keys manually then you have to add them manually to
OpenDNSSEC before you start OpenDNSSEC. If you have not added them to
the Enforcer, then it will create keys by itself. My recommendation is
to not generate keys manually, but to let OpenDNSSEC do that for you.

ods-hsmutil, as the documentation says, talks directly with the HSM.
OpenDNSSEC will thus have no knowledge of the keys, unless you tell it
what to do.

// Rickard
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
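An added example, not from this thread and not OpenDNSSEC's own code, that models the two things the exchange turns on: the Enforcer's "keys to create" figure is computed from its own database and the policy, not from the HSM, so it goes negative when the database records more keys than the interval needs; and after an "inittoken" the database can keep records for key material that no longer exists, which only a comparison against the HSM's listing reveals. The formula, the function names and the sample values (chosen to reproduce the -2 and -23 above) are assumptions.

```python
import math


def keys_to_generate(interval_days, lifetime_days, zones, in_database):
    """Simplified model (assumption) of the Enforcer's estimate: keys needed to
    cover the interval for every zone, minus keys its database already lists for
    that policy and key type. The HSM is never consulted, and nothing clamps the
    result, so a database holding more keys than needed yields a negative count.
    """
    needed = math.ceil(interval_days / lifetime_days) * zones
    return needed - in_database


def reconcile(db_key_ids, hsm_key_ids):
    """Compare key identifiers recorded in the Enforcer database with those the
    HSM actually reports. Returns (orphaned_db_ids, unknown_hsm_ids):
    orphaned entries exist only in the database (material gone, e.g. after
    inittoken), unknown entries exist only in the HSM (generated outside the
    Enforcer, e.g. with ods-hsmutil, and never imported).
    """
    db, hsm = set(db_key_ids), set(hsm_key_ids)
    return sorted(db - hsm), sorted(hsm - db)


def generation_plan(interval_days, lifetime_days, zones, db_key_ids, hsm_key_ids):
    """Safer variant: refuse to plan generation while the database and HSM
    disagree, and never report a negative count."""
    orphaned, unknown = reconcile(db_key_ids, hsm_key_ids)
    if orphaned or unknown:
        raise RuntimeError(f"database/HSM mismatch: orphaned={orphaned} unknown={unknown}")
    return max(0, keys_to_generate(interval_days, lifetime_days, zones, len(db_key_ids)))


if __name__ == "__main__":
    # Constructed scenario: one zone, 60-day interval, KSK lifetime 365 days with
    # 3 KSK records, ZSK lifetime 30 days with 25 ZSK records, HSM emptied.
    print("KSKs to create:", keys_to_generate(60, 365, 1, 3))   # -2
    print("ZSKs to create:", keys_to_generate(60, 30, 1, 25))   # -23
    print("reconcile:", reconcile(["ksk-1", "zsk-1"], []))
```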
