(This info was also submitted to the upstream bug ticket.) I was able to work around this bug by deleting the key in the HSM (which had a label but not an id) and creating a new key with ods-hsmutil. I recommend that documentation be added that warns that there may not be any keys in the repository which were not created by ods-hsmutil.
To delete the old keys I used pkcs11-destroy which comes with BIND 9:

$ pkcs11-destroy -m /usr/lib/opencryptoki/libopencryptoki.so.0
Enter Pin:
object[0]: class 3 label 'KSK2011' id[0]
object[1]: class 2 label 'KSK2011' id[0]
sleeping 5 seconds...
$ ods-hsmutil list
Listing keys in all repositories.
0 keys found.

Repository                       ID                               Type
----------                       --                               ----
$ ods-hsmutil generate <repository> rsa 2048
Generating 2048 bit RSA key in repository: <repository>
Key generation successful: d590bebdd83670a7e292d750f47da809
$ ods-hsmutil list
Listing keys in all repositories.
1 key found.

Repository                       ID                               Type
----------                       --                               ----
<repository>                     d590bebdd83670a7e292d750f47da809 RSA/2048

Debian Bug Tracking System wrote:
> Thank you for the additional information you have supplied regarding
> this Bug report.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> Your message has been sent to the package maintainer(s):
> Ondřej Surý <[email protected]>
>
> If you wish to submit further information on this problem, please
> send it to [email protected].
>
> Please do not send mail to [email protected] unless you wish
> to report a problem with the Bug-tracking system.

