Manual Chapter :
Generating External HSM KeyCert Pairs for DNSSEC
Applies To:
BIG-IP AAM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP APM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP GTM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP LTM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP AFM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP ASM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Overview: Generating external HSM key and certificate pairs for manually managed DNSSEC keys
When the BIG-IP® system is a BIG-IP Global Traffic Manager™ (GTM™), you can use the Thales nShield Connect to store and manage DNSSEC keys.
For additional information about using Thales nShield Connect, refer to the Thales website: https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules/general-purpose-hsms/nshield-connect
Task list
Generating an external key for creating manually managed DNSSEC keys
Before you generate the key, make sure that the Thales nShield Connect client is running on all BIG-IP® GTM™ devices in the configuration synchronization group.
You can use the fipskey.nethsm utility to generate keys and self-signed certificates to be used to create manually managed DNSSEC private keys. You can use the generated .csr file to request a signed certificate from a certificate authority (CA).
Tip: For information about creating automatically managed DNSSEC private keys, see Configuring DNSSEC with an external HSM in BIG-IP® DNS Services: Implementations at http://support.f5.com.
After you generate a key and certificates, you need to load the local key into the BIG-IP configuration using tmsh.
Configuring hardware-protected HSM keys using tmsh
You can use the Traffic Management Shell (tmsh) to load the corresponding local HSM (FIPS) keys into the BIG-IP® system.
Note: This procedure loads the local key, not the actual hardware key, which never leaves the HSM.
Adding certificates using tmsh
You can use the Traffic Management Shell (tmsh) to add existing certificates to the BIG-IP® system configuration.
Creating a DNSSEC key using an external HSM key and certificate
Before you create a DNSSEC key using an imported key and certificate, make sure that you have generated a key and certificate using Thales nShield Connect, and that you have imported the key and certificate.
You can create manually managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see Configuring DNSSEC with an external HSM in BIG-IP® DNS Services: Implementations at http://support.f5.com.