Manual Chapter:
Generating External HSM Key-Cert Pairs for DNSSEC
Overview: Generating external HSM key and certificate pairs for manually managed DNSSEC keys
When the BIG-IP system is a BIG-IP DNS (previously Global Traffic Manager), you can use nCipher to store and manage DNSSEC keys.
For additional information about using nCipher, refer to the nCipher website (www.ncipher.com).
Task list
Generating an external key for creating manually managed DNSSEC keys
Before you generate the key, make sure that the nCipher client is running on all BIG-IP DNS devices in the configuration synchronization group.
You can use the Traffic Management Shell (tmsh) to generate a key and certificate.
- Log in to the command-line interface of the system using an account with administrator privileges.
- Open the TMOS Shell (tmsh).
    tmsh
- Generate the key.
    create sys crypto key <key_name> gen-certificate common-name <cert_name> security-type nethsm
  This example generates an external HSM key named test_key and a certificate named test_ncipher.com with the security type of nethsm:
    create sys crypto key test_key gen-certificate common-name test_ncipher.com security-type nethsm
- Verify that the key was created.
    list sys crypto key test_key.key
  Information about the key displays:
    sys crypto key test_key.key {
        key-id <32-digit string>
        key-size 2048
        key-type rsa-private
        security-type nethsm
    }
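The verification step above only shows the listing; what a practitioner actually wants to confirm is that the key really is HSM-backed (security-type nethsm) rather than a software key left on the BIG-IP. The following added example (not from the F5 documentation) parses constructed copies of that tmsh output and checks the attributes the page describes; the key-id values and the "normal" security type of the second sample are assumed for illustration.

```shell
# Constructed samples of what 'list sys crypto key <name>.key' prints on a
# BIG-IP DNS, modelled on the page's example output (key-ids are made up).
SAMPLE_HSM_KEY='sys crypto key test_key.key {
    key-id 0123456789abcdef0123456789abcdef
    key-size 2048
    key-type rsa-private
    security-type nethsm
}'
# Assumed listing of a key generated without "security-type nethsm".
SAMPLE_SOFTWARE_KEY='sys crypto key soft_key.key {
    key-id fedcba9876543210fedcba9876543210
    key-size 2048
    key-type rsa-private
    security-type normal
}'
# Print the value of attribute $2 from the tmsh brace listing held in $1.
tmsh_attr() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2; exit }'
}
# Return 0 when the listing in $1 describes an RSA private key that lives in
# the network HSM and is at least $2 bits (default 2048); otherwise print
# the reason and return 1.
verify_hsm_key() {
    listing="$1"
    min_bits="${2:-2048}"
    sec=$(tmsh_attr "$listing" security-type)
    typ=$(tmsh_attr "$listing" key-type)
    bits=$(tmsh_attr "$listing" key-size)
    kid=$(tmsh_attr "$listing" key-id)
    if [ "$sec" != "nethsm" ]; then
        echo "not HSM-backed: security-type is '${sec:-missing}'"; return 1
    fi
    if [ "$typ" != "rsa-private" ]; then
        echo "unexpected key-type '${typ:-missing}'"; return 1
    fi
    case "$bits" in ''|*[!0-9]*) echo "key-size missing or not numeric"; return 1 ;; esac
    if [ "$bits" -lt "$min_bits" ]; then
        echo "key-size $bits is below the required $min_bits"; return 1
    fi
    # The page describes key-id as a 32-digit string; require 32 hex digits.
    if ! printf '%s' "$kid" | grep -Eq '^[0-9a-fA-F]{32}$'; then
        echo "key-id '$kid' is not a 32-digit hex string"; return 1
    fi
    echo "ok: $(printf '%s\n' "$listing" | head -n 1) is an HSM-backed ${bits}-bit key"
}
verify_hsm_key "$SAMPLE_HSM_KEY"
```

On a real BIG-IP DNS the same check runs against live output with `verify_hsm_key "$(tmsh list sys crypto key test_key.key)"`.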
When you generate a key/certificate using tmsh, the system creates an HSM private key. It also creates a local key, which points to the HSM key residing in the HSM.
Creating a DNSSEC key using an external HSM key and certificate
Before you create a DNSSEC key using an external key and certificate, make sure that you have generated a key and certificate using nCipher, and that you have loaded the key and certificate.
You can create manually managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see Configuring DNSSEC with an external HSM in BIG-IP DNS Services: Implementations at http://support.f5.com.