Using a HSM card to sign zone
Sergio Ramirez
sramirez at seciu.edu.uy
Mon Feb 17 17:52:11 UTC 2014
Yes,
./configure --enable-threads --with-openssl=/usr/local/ssl --with-pkcs11=/usr/lunapci/lib/libCryptoki2.so
In /usr/local/ssl directory is the patched (vendor + bind) openssl.
A detail: the openssl version 1.0.0e and the bind patch is for 1.0.0f
--
Sergio R.
----- Mensaje original -----
De: "Billy Glynn" <billy.glynn at iedr.ie>
Para: bind-users at lists.isc.org
Enviados: Lunes, 17 de Febrero 2014 9:32:44
Asunto: Re: Using a HSM card to sign zone
Did you configure bind with the patched version of openssl ?
On 14 Feb 2014, at 19:43, Sergio Ramirez <sramirez at seciu.edu.uy> wrote:
> Hi,
>
> We want to sign zones with bind using an HSM Luna PCI Safenet card.
>
> The command 'dnssec- keyfromlabel' fails:
>
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
> dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
> dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
>
> It was installed on Debian 4 Linux 2.6.18-6-686 server with:
> - openssl-1.0.0e
> - patch provided by vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
> - bind 9.9.2 -P1
>
> ** The commands pkcs11-keygen, pkcs11-list and ohter pkcs11-* distributed
> with bind, are working OK. **
>
> The key 'KSK1-testdnssec' was generated with pkcs11-keygen command.
>
> We would like to know if anyone are using this HSM or similar.
>
> Furthermore we would like to get some guidance to solve this problem.
>
> Thanks in advance.
> --
> Sergio Ramírez
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list