Generating External HSM Key-Cert Pairs for DNSSEC
Applies To:
BIG-IP APM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP AFM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP ASM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Overview: Generating external HSM key and certificate pairs for manually managed DNSSEC keys
When the BIG-IP system is a BIG-IP DNS (previously Global Traffic Manager), you can use the nShield to store and manage DNSSEC keys. For additional information about using nShield, refer to the nShield website.
Task list
Generating an external key for creating manually managed DNSSEC keys
Before you generate the key, make sure that the nShield client is running on all BIG-IP DNS devices in the configuration synchronization group.
You can use the Traffic Management Shell (tmsh) to generate a key and certificate.
- Log in to the command-line interface of the system using an account with administrator privileges.
- Open the TMOS Shell (tmsh).
  tmsh
- Generate the key.
  create sys crypto key <key_name> gen-certificate common-name <cert_name> security-type nethsm
  This example generates an external HSM key named test_key and a certificate named test_nshield.com with the security type of nethsm:
  create sys crypto key test_key gen-certificate common-name test_nshield.com security-type nethsm
- Verify that the key was created.
  list sys crypto key test_key.key
  Information about the key displays:
  sys crypto key test_key.key {
      key-id <32-digit string>
      key-size 2048
      key-type rsa-private
      security-type nethsm
  }
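The steps above can be scripted from the BIG-IP bash prompt. The following is an added example, not part of the F5 manual: it runs the two tmsh commands and then checks the listing to confirm that the key reports security-type nethsm and key-type rsa-private, so a key that silently landed as a plain local key is caught. The listing text used when tmsh is absent is a constructed sample shaped like the manual's output; KEY_NAME and CERT_NAME default to the manual's test_key and test_nshield.com.

```shell
#!/bin/sh
# Added example (not from the F5 manual): create an nShield-backed key with tmsh
# and verify from the listing that it is actually HSM-backed.

KEY_NAME="${KEY_NAME:-test_key}"
CERT_NAME="${CERT_NAME:-test_nshield.com}"

# Constructed sample of the 'list sys crypto key' output; the key-id is a placeholder.
SAMPLE_LISTING='sys crypto key test_key.key {
    key-id PLACEHOLDER-32-DIGIT-KEY-ID
    key-size 2048
    key-type rsa-private
    security-type nethsm
}'

# Print the value of one attribute from a tmsh listing ($1 = listing, $2 = attribute).
listing_attr() {
  printf '%s\n' "$1" | awk -v attr="$2" '$1 == attr { print $2; exit }'
}

# Succeed only if the listing describes an RSA private key stored in the network HSM.
is_nethsm_key() {
  [ "$(listing_attr "$1" security-type)" = "nethsm" ] &&
  [ "$(listing_attr "$1" key-type)" = "rsa-private" ]
}

# Run the manual's generate and list steps on a BIG-IP and verify the result.
generate_and_verify() {
  tmsh create sys crypto key "$KEY_NAME" gen-certificate \
    common-name "$CERT_NAME" security-type nethsm || return 1
  listing=$(tmsh list sys crypto key "$KEY_NAME.key") || return 1
  is_nethsm_key "$listing"
}

if command -v tmsh >/dev/null 2>&1; then
  generate_and_verify && echo "key $KEY_NAME is stored in the nShield HSM"
else
  # Off-box: exercise the check against the constructed sample listing.
  is_nethsm_key "$SAMPLE_LISTING" && echo "sample listing parses as a nethsm key"
fi
```

Run it on the BIG-IP as an administrator; a non-zero exit means either tmsh failed or the listing did not show an HSM-backed key, which is the case worth investigating before the key is used for zone signing.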
When you generate a key/certificate using tmsh, the system creates an HSM private key. It also creates a local key, which points to the HSM key residing in the HSM.
Creating a DNSSEC key using an external HSM key and certificate
Before you create a DNSSEC key using an external key and certificate, make sure that you have generated a key and certificate using nShield, and that you have loaded the key and certificate.
You can create manually managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see Configuring DNSSEC with an external HSM in BIG-IP DNS Services: Implementations at http://support.f5.com.