Hi @ all,

we are testing with softhsm 2.5 and KNOT 2.7.4...

I am trying to import the keys inside softhsm into keymgr in order to sign an
example zone with them.

The key material is shown via pkcs11-tool:

[root@centos-test2 ~]# pkcs11-tool --login --list-objects --module /usr/local/lib/softhsm/libsofthsm2.so

Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN: 
Private Key Object; RSA 
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA 
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap

######

The KNOT config is:

[root@centos-test2 ~]# cat /etc/knot/knot.conf
# See knot.conf(5) manual page for documentation.

server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy:
  - id: manual
    manual: on
    nsec3: on 
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8 

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog 
    any: debug

###################

And when I try to import the key into keymgr, I run the command:

[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1a1 algorithm=RSASHA256 size=2048 ksk=yes created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)

###

I don't know how I can fix this... maybe anybody can help me? The
documentation of KNOT is very good, but at this point it is a little bit
insufficient. Does anybody have examples for this?

Thanks a lot in advance for the help.

best regards

-- 
Christian Petrasch 
Product Owner 
Zone Creation & Signing
IT-Services

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: petra...@denic.de
http://www.denic.de

PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49  DE61 870E 8841 549B E0AE

Information pursuant to § 25a paragraph 1 GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Amtsgericht
Frankfurt am Main
-- 
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
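
A small consistency check, added here as an example and not code from the post or from Knot DNS: it parses the pkcs11-tool listing above and compares a keystore `config:` string and the key id / size given to `import-pkcs11` against it. It cannot explain the keymgr error itself; it only confirms that the token label, the public/private pair and the key size line up before keymgr is involved (the listing is a constructed, abridged copy of the one in the post).

```python
import re

# Constructed sample: the pkcs11-tool listing from the post, abridged to the fields used here.
LISTING = """\
Logging in to "testKSK_1".
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
"""

def parse_listing(text):
    """Return (token label, {CKA_ID: {'private', 'public', 'bits'}}) from pkcs11-tool output."""
    token, objects, kind, bits = None, {}, None, None
    for line in text.splitlines():
        if m := re.match(r'Logging in to "(.+)"\.', line):
            token = m.group(1)
        elif m := re.match(r"(Private|Public) Key Object; \w+(?: (\d+) bits)?", line):
            kind, bits = m.group(1).lower(), int(m.group(2)) if m.group(2) else None
        elif m := re.match(r"\s+ID:\s+([0-9a-fA-F]+)", line):
            obj = objects.setdefault(m.group(1).lower(), {"private": False, "public": False, "bits": None})
            obj[kind] = True                     # this CKA_ID has a private or a public half
            obj["bits"] = obj["bits"] or bits    # pkcs11-tool prints the size on the public half only
    return token, objects

def check_import(keystore_config, token, objects, key_id, size):
    """List mismatches between a knot.conf keystore 'config:' string, the token that
    pkcs11-tool logged into, and the key id / size given to 'keymgr import-pkcs11'."""
    problems = []
    uri, _, module = keystore_config.partition(" ")   # "<pkcs11 URI> <module path>"
    attrs = dict(p.split("=", 1) for p in uri[len("pkcs11:"):].split(";") if "=" in p)
    if attrs.get("token") != token:
        problems.append(f"keystore token {attrs.get('token')!r} is not the token listed by pkcs11-tool ({token!r})")
    obj = objects.get(key_id.lower())
    if obj is None:
        problems.append(f"no object with CKA_ID {key_id} on the token")
    else:
        if not (obj["private"] and obj["public"]):
            problems.append(f"CKA_ID {key_id} has no complete public/private pair")
        if obj["bits"] and obj["bits"] != size:
            problems.append(f"CKA_ID {key_id} public key is {obj['bits']} bits but import says size={size}")
    return problems
```

With the post's first keystore string, `check_import(cfg, tok, objs, "a1a1", 2048)` returns an empty list; asking the same for `a1b1` flags the 1024-bit public key against `size=2048`.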