F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP System and Thales HSM: Implementation
  5. Generating External HSM Key-Cert Pairs for DNSSEC
Manual Chapter : Generating External HSM Key-Cert Pairs for DNSSEC

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.0.1, 14.0.0

BIG-IP APM

  • 14.0.1, 14.0.0

BIG-IP LTM

  • 14.0.1, 14.0.0

BIG-IP AFM

  • 14.0.1, 14.0.0

BIG-IP DNS

  • 14.0.1, 14.0.0

BIG-IP ASM

  • 14.0.1, 14.0.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Generating External HSM Key-Cert Pairs for DNSSEC

Overview: Generating external HSM key and certificate pairs for manually managed DNSSEC keys

When the BIG-IP® system is a BIG-IP DNS (previously Global Traffic Manager), you can use the Thales nShield Connect to store and manage DNSSEC keys.

For additional information about using Thales nShield Connect, refer to the Thales website: (https://www.thales-esecurity.com).

Task list

Generating an external key for creating manually managed DNSSEC keys

Before you generate the key, make sure that the Thales nShield Connect client is running on all BIG-IP DNS devices in the configuration synchronization group.
You can use the Traffic Management Shell (tmsh) to generate a key and certificate.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Generate the key.
    create sys crypto key <key_name> gen-certificate common-name <cert_name> security-type nethsm

    This example generates an external HSM key named test_key and a certificate named test_thales.com with the security type of nethsm:

    create sys crypto key test_key gen-certificate common-name test_thales.com security-type nethsm
  4. Verify that the key was created.
    list sys crypto key test_key.key
    Information about the key displays:
                               
sys crypto key test_key.key {
key-id <32-digit string>
key-size 2048
key-type rsa-private
security-type nethsm
}
When you generate a key/certificate using tmsh, the system creates a HSM private key. It also creates a local key, which points to the HSM key, residing in the HSM.

Creating a DNSSEC key using an external HSM key and certificate

Before you create a DNSSEC key using an external key and certificate, make sure that you have generated a key and certificate using Thales nShield Connect, and that you have loaded the key and certificate.
You can create manually managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see Configuring DNSSEC with an external HSM in BIG-IP DNS Services: Implementations at http://support.f5.com.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information