softhsm-keyconv(1) - Linux man page

Name

softhsm-keyconv - converting between BIND and PKCS#8 key file formats

Synopsis

softhsm-keyconv --topkcs8 --in path --out path [--pin PIN]
softhsm-keyconv --tobind --in path [--pin PIN] \

--name name [--ttl ttl --ksk] --algorithm algorithm

Description

softhsm-keyconv can convert between BIND .private-key files and the PKCS#8 file format. This is so that you can import the PKCS#8 file into libsofthsm using the command softhsm. If you have another file format, then openssl probably can help you to convert it into the PKCS#8 file format.

The following files will be created when converting to BIND file format:

Kname+alg_id+key_tag.key

Public key in RR format

Kname+alg_id+key_tag.private

Private key in BIND key format

The three parts of the file name means the following:

name

The owner name given by the --name argument.

alg_id

A numeric representation of the --algorithm argument.

key_tag

Is a checksum of the DNSKEY RDATA.

Options

--topkcs8

Convert from BIND .private-key format to PKCS#8.
Use with --in, --out, and --pin.

--tobind

Convert from PKCS#8 to BIND .private-key format.
Use with --in, --pin, --name, --ttl, --ksk, and --algorithm.

--algorithm algorithm

Specifies which DNSSEC algorithm to use when converting to BIND format. The supported algorithms are:

RSAMD5
DSA
RSASHA1
RSASHA1-NSEC3-SHA1
DSA-NSEC3-SHA1
RSASHA256
RSASHA512

--help, -h

Shows the help screen.

--in path

The path to the input file.

--ksk

This will set the flag field to 257 instead of 256 in the DNSKEY RR in the .key file. Indicating that the key is a Key Signing Key. Can be used when converting to BIND format.

--name name

The owner name to use in the BIND file name and in the DNSKEY RR. Do not forget the trailing dot, e.g. "example.com."

--out path

The path to the output file.

--pin PIN

The PIN will be used to encrypt or decrypt the PKCS#8 file depending if we are converting to or from PKCS#8. If not given then the PKCS#8 file is assumed to be unencrypted.

--ttl TTL

The TTL to use for the DNSKEY RR. Optional, this will default to 3600 seconds.

--version, -v

Show the version info.

Examples

To convert a BIND .private-key file to a PKCS#8 file, the following command can be used:

softhsm-keyconv --in Kexample.com.+007+05474.private \
       --out rsa.pem

To convert a PKCS#8 file to BIND key files, the following command can be used:

softhsm-keyconv --in rsa.pem --name example.com. \
       --ksk --algorithm RSASHA1-NSEC3-SHA1

Author

Written by Rickard Bellgrim.

See Also

softhsm(1), softhsm.conf(5), openssl(1), named(1), dnssec-keygen(1), dnssec-signzone(1)