On Fri, Jul 13, 2012 at 5:57 PM, elsif <[email protected]> wrote:
> So, this same Keyper HSM with 36 (or more) keys on it...
>
> I run an "inittoken" now.
>
> "ods-hsmutil list" shows me no keys. I haven't nuked the APP keys via the
> HSM console, though. They're still there but hsmutil doesn't show them.
> Why? Is hsmutil really reading ~/Keyper/keymap.db, and not connecting to
> the HSM at all to get the list of keys?
I assume that "inittoken" is part of the AEP software kit. By the name, I also guess that it initializes the token. If you initialize the token, then the keys will be erased. ods-hsmutil will never read the ~/Keyper/keymap.db directly, that is an internal file belonging to the HSM. All communication is done over the PKCS#11 interface.

> Now...I try to generate new keys (to hell with the keys already sitting on
> there at this point)...
>
> [root@signer-01 log]# ods-ksmutil key generate --policy=lab --interval P60D
> Key sharing is Off
> HSM opened successfully.
> *WARNING* This will create -2 KSKs (2048 bits) and -23 ZSKs (1024 bits)
> Are you sure? [y/N] y
> all done! hsm_close result: 0
>
> Trying to create negative keys...why?

My guess is that you have old key data in the database. "ods-ksmutil key generate" only makes sure that you have enough keys for the given interval. If you previously generated keys for e.g. one year and then try to generate keys for e.g. 60 days, then it will not generate any more keys because you already have keys for one year. The negative number is probably a GUI error.

If you re-initialize the HSM, then you also need to do "ods-ksmutil setup". Remember that the physical keys are stored in the HSM. We also need more properties than just the key values (exponent, modulus, ...). This is why we need the KASP Enforcer Database. This database will have the "key metadata" like KSK, ZSK, CKA_ID, rollover time stamps, etc.

Please read more about HSM Vs. PKCS#11 Vs. OpenDNSSEC on the wiki to get the complete picture.
https://wiki.opendnssec.org/display/DOCS/OpenDNSSEC+Documentation+Home

// Rickard

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
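The "fill up to the interval" behaviour described in the reply, as an added illustration that is not code from the thread or from OpenDNSSEC itself: it assumes a simplified model (keys needed = ceil(interval / key lifetime) + 1 per key type) and constructed policy lifetimes, and shows how a database that already holds keys for a year yields a negative raw count for a P60D run.

```python
import math
import re

# Simplified model (an assumption, not OpenDNSSEC's exact arithmetic): the
# enforcer wants one key in use plus a successor for every lifetime that
# fits in the requested interval.
DURATION_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")

def parse_duration_days(iso: str) -> int:
    """Parse the ISO 8601 P..Y..M..D form used by --interval (e.g. P60D).
    Years and months are approximated as 365 and 30 days (assumption)."""
    m = DURATION_RE.match(iso)
    if not m or iso == "P":
        raise ValueError(f"unsupported duration: {iso}")
    years, months, days = (int(x) if x else 0 for x in m.groups())
    return years * 365 + months * 30 + days

def keys_needed(interval: str, lifetime: str) -> int:
    """Keys required to cover `interval` when each key lives `lifetime`."""
    i, l = parse_duration_days(interval), parse_duration_days(lifetime)
    return math.ceil(i / l) + 1

def plan_generation(policy: dict, interval: str, existing: dict) -> dict:
    """Return how many keys of each type a `key generate` run should create.
    `existing` counts unused keys already recorded in the enforcer DB.
    The raw difference goes negative when the DB already holds keys for a
    longer interval; the surplus is reported and the count clamped to zero."""
    plan = {}
    for ktype, lifetime in policy.items():
        raw = keys_needed(interval, lifetime) - existing.get(ktype, 0)
        plan[ktype] = {"create": max(raw, 0), "surplus": max(-raw, 0)}
    return plan

if __name__ == "__main__":
    # Constructed policy and DB contents: keys were generated for a year
    # earlier, so a P60D run finds more keys than it needs.
    policy = {"KSK": "P1Y", "ZSK": "P30D"}
    yearly = {k: keys_needed("P1Y", v) for k, v in policy.items()}
    print("keys in DB after a P1Y run:", yearly)
    print("P60D run:", plan_generation(policy, "P60D", yearly))
```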
