Manual Chapter : Generating External HSM Key-Cert Pairs for DNSSEC

Applies To:

Show Versions Show Versions
Manual Chapter

Generating External HSM Key-Cert Pairs for DNSSEC

Overview: Generating external HSM key and certificate pairs for manually managed DNSSEC keys

When the BIG-IP system is a BIG-IP DNS (previously Global Traffic Manager), you can use the nCipher to store and manage DNSSEC keys.
For additional information about using nCipher, refer to the nCipher website: (

Task list

Generating an external key for creating manually managed DNSSEC keys

Before you generate the key, make sure that the nCipher client is running on all BIG-IP DNS devices in the configuration synchronization group.
You can use the Traffic Management Shell (
) to generate a key and certificate.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (
  3. Generate the key.
    create sys crypto key
    gen-certificate common-name
    security-type nethsm
    This example generates an external HSM key named
    and a certificate named
    with the security type of
    create sys crypto key test_key gen-certificate common-name security-type nethsm
  4. Verify that the key was created.
    list sys crypto key test_key.key
    Information about the key displays:
    sys crypto key test_key.key { key-id <
    32-digit string
    > key-size 2048 key-type rsa-private security-type nethsm }
When you generate a key/certificate using
, the system creates a HSM private key. It also creates a local key, which points to the HSM key, residing in the HSM.

Creating a DNSSEC key using an external HSM key and certificate

Before you create a DNSSEC key using an external key and certificate, make sure that you have generated a key and certificate using nCipher, and that you have loaded the key and certificate.
You can create manually managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see
Configuring DNSSEC with an external HSM
BIG-IP DNS Services: Implementations