Hi Jakob,
Thanks for your information.
>You should be able to create the key on the HSM and then import it into
>OpenDNSSEC
I can generate keys using the pkcs11-tool command with the SoftHSM module, but
I don't think we can get keys out of the HSM to import into OpenDNSSEC by using
'ods-ksmutil key import', because the private key cannot be exported, right?
>If the key does not have a label, you might be able to set one using
>pkcs11-tool (from the OpenSC package).
Yes, we can generate a key and specify a label for it, but I don't think
pkcs11-tool can generate keys directly, because the key generation must be
done manually with admin privilege.
Even if I could set a label with pkcs11-tool, can OpenDNSSEC support
<KeyLabel>? I think the key rollover should be done manually and the conf.xml
should support more <KeyLabel> then.
If the key generation must be done manually, the key rollover cannot be done
by OpenDNSSEC automatically; it has to be done manually, too.
Best regards,
Stuart
From: Jakob Schlyter
Date: 2012-10-09 17:08
To: shuoleo
CC: opendnssec-user; Patrik Wallström
Subject: Re: [Opendnssec-user]
You should be able to create the key on the HSM and then import it into
OpenDNSSEC, given that a proper KeyLabel exists. If the key does not have a
label, you might be able to set one using pkcs11-tool (from the OpenSC package).
jakob