Using a HSM card to sign zone

Alan Clegg alan at clegg.com
Sun Feb 16 11:33:21 UTC 2014


On 2/14/14, 10:43 PM, Sergio Ramirez wrote:
> Hi, 
> 
> We want to sign zones with bind using an HSM Luna PCI Safenet card.
>  
> The command 'dnssec-keyfromlabel' fails:
> 
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
> dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
> dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
> 
> It was installed on Debian 4 Linux 2.6.18-6-686 server with:
>   - openssl-1.0.0e
>   - patch provided by vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
>   - bind 9.9.2 -P1
> 
> ** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed
> with bind, are working OK. **
> 
> The key 'KSK1-testdnssec' was generated with pkcs11-keygen command.
> 
> We would like to know if anyone is using this HSM or similar.
> 
> Furthermore we would like to get some guidance to solve this problem.

I'm not familiar with that HSM, but have used both Thales and AEP with
no problem.

Does "openssl engine" show pkcs11?
If so, does "openssl engine pkcs11 -t" show that the engine is available?

Having played with OpenSSL patches over the last few days, I can tell
you that when it works, it works well, but when it fails, you are pretty
much out-of-luck as far as error messages go.  8-\

AlanC
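The two checks suggested above (is the engine listed at all, and does the
engine self-test report it as available) can be scripted so the result is
unambiguous rather than read off by eye. The script below is an added
example, not code from this thread, from ISC or from the HSM vendor. It
parses the output format of "openssl engine -t" (one "(id) name" line
followed by an indented "[ available ]" or "[ unavailable ]" line); the
engine id LunaCA3 is taken from the -E argument in the original command,
and the sample output it is run against is constructed here for
illustration and is not real output from a Luna card.

```shell
#!/bin/sh
# Parse "openssl engine -t" output and report the state of one engine id.
# Usage: engine_state "$output" ENGINE_ID
# Prints "available", "unavailable" or "missing" (id not listed at all).
engine_state() {
    printf '%s\n' "$1" | awk -v id="$2" '
        # "(id) description" lines start a new engine entry
        /^\([^)]*\)/ {
            cur = substr($1, 2, length($1) - 2)
            next
        }
        # the status line for the current engine
        /\[ *available *\]/   { if (cur == id) { print "available";   found = 1; exit } }
        /\[ *unavailable *\]/ { if (cur == id) { print "unavailable"; found = 1; exit } }
        END { if (!found) print "missing" }
    '
}

# Run the real checks on this host: engine listed, then engine self-test.
# Returns 0 only when the engine is both listed and reported available.
check_live_engine() {
    engine="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH"; return 2; }

    listed=$(openssl engine 2>&1)
    case "$listed" in
        *"($engine)"*) echo "$engine is listed by 'openssl engine'" ;;
        *) echo "$engine is NOT listed by 'openssl engine' (engine not built/patched in?)"; return 1 ;;
    esac

    # "openssl engine <id> -t" loads the engine and runs its self-test
    state=$(engine_state "$(openssl engine "$engine" -t 2>&1)" "$engine")
    echo "'openssl engine $engine -t' reports: $state"
    [ "$state" = available ]
}

# Constructed sample of "openssl engine -t" output for illustration only;
# the LunaCA3 entry and its state are made up, not captured from a real card.
SAMPLE_ENGINE_OUTPUT='(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ available ]
(LunaCA3) Luna CA3 engine (constructed sample line)
     [ unavailable ]'

# Demonstration against the constructed sample (always safe to run offline).
echo "rdrand  in sample: $(engine_state "$SAMPLE_ENGINE_OUTPUT" rdrand)"
echo "LunaCA3 in sample: $(engine_state "$SAMPLE_ENGINE_OUTPUT" LunaCA3)"
echo "pkcs11  in sample: $(engine_state "$SAMPLE_ENGINE_OUTPUT" pkcs11)"
```

On the signing host itself, run "check_live_engine LunaCA3" (or
"check_live_engine pkcs11" if the engine id differs) before trying
dnssec-keyfromlabel again: if the engine is not listed, the vendor patch
did not make it into the openssl binary that BIND is linked against; if
it is listed but unavailable, the engine loads but its self-test (and
therefore ENGINE_load_private_key) is failing, which matches the
"no load function" errors in the original report.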
