Manual Chapter : Generating External HSM Key-Cert Pairs for DNSSEC

Applies To:

Show Versions Show Versions
Manual Chapter

Generating External HSM Key-Cert Pairs for DNSSEC

Overview: Generating external HSM key and certificate pairs for manually managed DNSSEC keys

When the BIG-IP system is a BIG-IP DNS (previously Global Traffic Manager), you can use the nCipher to store and manage DNSSEC keys.
For additional information about using nCipher, refer to the nCipher website: (www.ncipher.com).

Task list

Generating an external key for creating manually managed DNSSEC keys

Before you generate the key, make sure that the nCipher client is running on all BIG-IP DNS devices in the configuration synchronization group.
You can use the Traffic Management Shell (
tmsh
) to generate a key and certificate.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (
    tmsh
    ).
    tmsh
  3. Generate the key.
    create sys crypto key
    <key_name>
    gen-certificate common-name
    <cert_name>
    security-type nethsm
    This example generates an external HSM key named
    test_key
    and a certificate named
    test_ncipher.com
    with the security type of
    nethsm
    :
    create sys crypto key test_key gen-certificate common-name test_ncipher.com security-type nethsm
  4. Verify that the key was created.
    list sys crypto key test_key.key
    Information about the key displays:
    sys crypto key test_key.key { key-id <
    32-digit string
    > key-size 2048 key-type rsa-private security-type nethsm }
When you generate a key/certificate using
tmsh
, the system creates a HSM private key. It also creates a local key, which points to the HSM key, residing in the HSM.

Creating a DNSSEC key using an external HSM key and certificate

Before you create a DNSSEC key using an external key and certificate, make sure that you have generated a key and certificate using nCipher, and that you have loaded the key and certificate.
You can create manually managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see
Configuring DNSSEC with an external HSM
in
BIG-IP DNS Services: Implementations
at
http://support.f5.com
.