Manual Chapter : Generating External HSM Key-Cert Pairs for DNSSEC

Applies To: 14.0.1, 14.0.0

Overview: Generating external HSM key and certificate pairs for manually managed DNSSEC keys

When the BIG-IP® system is a BIG-IP DNS (previously Global Traffic Manager), you can use the Thales nShield Connect to store and manage DNSSEC keys.

For additional information about using Thales nShield Connect, refer to the Thales website.

Task list

Generating an external key for creating manually managed DNSSEC keys

Before you generate the key, make sure that the Thales nShield Connect client is running on all BIG-IP DNS devices in the configuration synchronization group; a device whose client is not running cannot reach the HSM that holds the private key.
You can use the Traffic Management Shell (tmsh) to generate the key and certificate.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (tmsh).
  3. Generate the key.
    create sys crypto key <key_name> gen-certificate common-name <cert_name> security-type nethsm

    This example generates an external HSM key named test_key, with the security type nethsm, and a certificate whose common name you supply in place of <cert_name>:

    create sys crypto key test_key gen-certificate common-name <cert_name> security-type nethsm
  4. Verify that the key was created.
    list sys crypto key test_key.key
    Information about the key displays:
    sys crypto key test_key.key {
        key-id <32-digit string>
        key-size 2048
        key-type rsa-private
        security-type nethsm
    }
When you generate a key/certificate pair this way, the private key is generated inside the HSM and stays there; the BIG-IP system stores only a local key object (security-type nethsm, identified by the key-id) that points to the HSM-resident private key. The key-id is what ties the local object to the HSM key, so check that it is present on every device in the synchronization group.
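The following script is an added example and not part of the F5 manual. It shows how to confirm, from the output of list sys crypto key, that a key created with security-type nethsm really resolved to the network HSM (security-type nethsm, key-type rsa-private, a key-id present, key-size at least 2048) before you build DNSSEC keys on top of it. The two listings embedded in the script are constructed samples in the shape the manual shows; the security-type value normal for a software-resident key is assumed from tmsh usage and is not stated on this page.

```shell
#!/bin/sh
# Added example (not F5's code). After
#   create sys crypto key <key_name> gen-certificate common-name <cert_name> security-type nethsm
# verify from "list sys crypto key <key_name>.key" that the private key lives in
# the network HSM. Listings below are constructed samples, not captured output.

# A correctly generated external HSM key (constructed sample).
HSM_LISTING='sys crypto key test_key.key {
    key-id 0123456789abcdef0123456789abcdef
    key-size 2048
    key-type rsa-private
    security-type nethsm
}'

# A software-resident key (constructed sample). "normal" is assumed here to be
# the tmsh security-type for a key held on the BIG-IP itself.
SOFTWARE_LISTING='sys crypto key test_key.key {
    key-size 2048
    key-type rsa-private
    security-type normal
}'

# crypto_key_field ATTR LISTING: print the value of ATTR from a tmsh listing
# (first match only; empty output when the attribute is absent).
crypto_key_field() {
    printf '%s\n' "$2" | awk -v f="$1" '$1 == f { print $2; exit }'
}

# check_hsm_key LISTING: return 0 when the listing describes an RSA private
# key of at least 2048 bits held in the network HSM and carrying a key-id;
# otherwise print the first failing check to stderr and return 1.
check_hsm_key() {
    chk_sec=$(crypto_key_field security-type "$1")
    chk_type=$(crypto_key_field key-type "$1")
    chk_size=$(crypto_key_field key-size "$1")
    chk_id=$(crypto_key_field key-id "$1")

    if [ "$chk_sec" != nethsm ]; then
        echo "FAIL: security-type is '${chk_sec:-missing}', not nethsm; key is not in the HSM" >&2
        return 1
    fi
    if [ "$chk_type" != rsa-private ]; then
        echo "FAIL: key-type is '${chk_type:-missing}', expected rsa-private" >&2
        return 1
    fi
    case "$chk_size" in
        ''|*[!0-9]*) echo "FAIL: key-size '$chk_size' is not numeric" >&2; return 1 ;;
    esac
    if [ "$chk_size" -lt 2048 ]; then
        echo "FAIL: key-size $chk_size is below 2048" >&2
        return 1
    fi
    if [ -z "$chk_id" ]; then
        echo "FAIL: no key-id; the local key does not reference an HSM object" >&2
        return 1
    fi
    echo "OK: $chk_type, $chk_size bits, security-type $chk_sec, key-id $chk_id"
    return 0
}

# On a BIG-IP, check the real key (default name test_key); elsewhere, exercise
# the constructed samples so the script can be run offline.
if command -v tmsh >/dev/null 2>&1; then
    check_hsm_key "$(tmsh list sys crypto key "${1:-test_key}.key")"
else
    check_hsm_key "$HSM_LISTING"
    check_hsm_key "$SOFTWARE_LISTING" || echo "(software key correctly rejected)"
fi
```

Run it on each device in the synchronization group; a key that passes on one device but fails on another (missing key-id, or security-type other than nethsm) indicates that the local key object was not synchronized or that device cannot reach the HSM.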

Creating a DNSSEC key using an external HSM key and certificate

Before you create a DNSSEC key that uses an external key and certificate, make sure that you have generated the key and certificate with Thales nShield Connect, as described in the previous task, and that the key and certificate are loaded on the BIG-IP DNS system.
You can create manually managed DNSSEC zone-signing keys and key-signing keys for use with an external HSM. For more information, see Configuring DNSSEC with an external HSM in BIG-IP DNS Services: Implementations.