Generate ZSK and KSK on Utimaco HSM

To generate a zone-signing key (ZSK) and a key-signing key (KSK) on the HSM, use the p11tool2 utility. Once the keys exist on the HSM, use dnssec-keyfromlabel, provided by BIND, to generate the BIND key files; each key file contains the public key and an identifier (the label) of the private key that stays on the HSM.

Generating KSK and ZSK with RSA Algorithm

  1. Run the following commands to generate a zone-signing key and a key-signing key using RSA algorithm:

# p11tool2 slot=0 LoginUser=ask PubKeyAttr=CKA_LABEL="ksk" PrvKeyAttr=CKA_LABEL="ksk" GenerateKeyPair=RSA

# p11tool2 slot=0 LoginUser=ask PubKeyAttr=CKA_LABEL="zsk" PrvKeyAttr=CKA_LABEL="zsk" GenerateKeyPair=RSA

[Screenshot: key generation output for KSK]

[Screenshot: key generation output for ZSK]

Each key must have a unique label; the label is what the next steps use to refer to the private key on the HSM.

  2. List the keys using the p11tool2 command:

# p11tool2 slot=0 LoginUser=ask ListObjects 

[Screenshot: list key output]

Generating KSK and ZSK with ECC Algorithm

  1. Run the following commands to generate a zone-signing key and a key-signing key using ECC:

# p11tool2 slot=1 LoginUser=ask PubKeyAttr=CKA_LABEL="ksk" PrvKeyAttr=CKA_LABEL="ksk" GenerateKeyPair=ECC

# p11tool2 slot=1 LoginUser=ask PubKeyAttr=CKA_LABEL="zsk" PrvKeyAttr=CKA_LABEL="zsk" GenerateKeyPair=ECC

[Screenshot: key generation output for KSK]

[Screenshot: key generation output for ZSK]

Each key must have a unique label; the label is what the next steps use to refer to the private key on the HSM.

  2. List the keys using the p11tool2 command:

# p11tool2 slot=1 LoginUser=ask ListObjects 

[Screenshot: list key output]

The ECC keys generated above use the default NIST P-256 curve.
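The dnssec-keyfromlabel step that the introduction refers to, as an added example (not from the Utimaco or BIND documentation): a POSIX shell helper that turns the labels chosen above into the matching BIND commands and stops when the KSK and ZSK share a label. It assumes BIND's PKCS#11 OpenSSL engine is registered as "pkcs11" and that the HSM PIN is read from a file named in PIN_FILE; both are assumptions, not page content.

```shell
#!/bin/sh
# Added example: build (and optionally run) the dnssec-keyfromlabel commands
# that follow p11tool2 key generation. Engine name "pkcs11" and the PIN file
# path are assumptions for illustration.

# Map the p11tool2 GenerateKeyPair algorithm to the DNSSEC algorithm mnemonic
# BIND expects. ECC keys from p11tool2 are on the default NIST P-256 curve.
dnssec_algo() {
    case "$1" in
        RSA) echo RSASHA256 ;;
        ECC) echo ECDSAP256SHA256 ;;
        *)   echo "unsupported algorithm: $1" >&2; return 1 ;;
    esac
}

# Print the dnssec-keyfromlabel command for one key. The object= part of the
# PKCS#11 URI must equal the CKA_LABEL given to p11tool2.
keyfromlabel_cmd() {
    zone=$1; algo=$2; role=$3; label=$4
    mnem=$(dnssec_algo "$algo") || return 1
    flag=""
    [ "$role" = KSK ] && flag="-f KSK "
    printf 'dnssec-keyfromlabel -E pkcs11 -a %s %s-l "pkcs11:object=%s;pin-source=%s" %s\n' \
        "$mnem" "$flag" "$label" "${PIN_FILE:-/etc/bind/hsm.pin}" "$zone"
}

# KSK and ZSK must carry different CKA_LABELs; otherwise object= is ambiguous
# and BIND could bind a key file to the wrong private key.
labels_distinct() {
    [ "$1" != "$2" ]
}

# Emit both commands for a zone, failing early on a label collision instead of
# producing two K*.key files that point at the same HSM object.
generate_zone_keys() {
    zone=$1; algo=$2; ksk_label=$3; zsk_label=$4
    labels_distinct "$ksk_label" "$zsk_label" || {
        echo "KSK and ZSK labels must differ" >&2; return 1; }
    keyfromlabel_cmd "$zone" "$algo" KSK "$ksk_label" || return 1
    keyfromlabel_cmd "$zone" "$algo" ZSK "$zsk_label" || return 1
}
```

Pipe the output into sh once the labels printed by ListObjects match; each run writes the K<zone>+<alg>+<id>.key and .private files BIND needs.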