F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP System and Thales HSM: Implementation
  5. Generating External HSM Key-Cert Pairs for DNSSEC
Manual Chapter : Generating External HSM Key-Cert Pairs for DNSSEC

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 13.0.1, 13.0.0

BIG-IP APM

  • 13.0.1, 13.0.0

BIG-IP LTM

  • 13.0.1, 13.0.0

BIG-IP AFM

  • 13.0.1, 13.0.0

BIG-IP DNS

  • 13.0.1, 13.0.0

BIG-IP ASM

  • 13.0.1, 13.0.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Overview: Generating external HSM key and certificate pairs for manually managed DNSSEC keys

When the BIG-IP® system is a BIG-IP DNS (previously Global Traffic Manager), you can use the Thales nShield Connect to store and manage DNSSEC keys.

For additional information about using Thales nShield Connect, refer to the Thales website: (https://www.thales-esecurity.com).

Task list

Generating an external key for creating manually managed DNSSEC keys

Before you generate the key, make sure that the Thales nShield Connect client is running on all BIG-IP® DNS devices in the configuration synchronization group.
You can use the fipskey.nethsm utility to generate keys and self-signed certificates to be used to create manually managed DNSSEC private keys. You can use the generated .csr file to request a signed certificate from a certificate authority (CA).
Tip: For information about creating automatically managed DNSSEC private keys, see Configuring DNSSEC with an external HSM in BIG-IP® DNS Services: Implementations at http://support.f5.com.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Generate a key:
    fipskey.nethsm --genkey -o <output_file>
    This example generates four files, using the default protection type (token):
    fipskey.nethsm --genkey -o my_key
    • /config/ssl/ssl.key/my_key.key (local key)
    • /config/ssl/ssl.csr/my_key.csr (CSR file)
    • /config/ssl/ssl.crt/my_key.crt (self-signed certificate)
    • /opt/nfast/kmdata/local/filename (protected key)
    The local key points to the protected key, which is encrypted.
After you generate a key and certificates, you need to load the local key into the BIG-IP configuration using tmsh.

Configuring hardware-protected HSM keys using tmsh

You can use the Traffic Management Shell (tmsh) to load the corresponding local HSM (FIPS) keys into the BIG-IP® system.
Note: This procedure loads the local key, not the actual hardware key, which never leaves the HSM.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Configure the local key.
    install sys crypto key <key_object_name> from-local-file <keyname>

    This example loads the external HSM key named my_key.key from a local key file stored in the /config/ssl/ssl.key/ directory:

    install sys crypto key my_key.key from-local-file /config/ssl/ssl.key/my_key.key
    The Thales client software maps the local key to the appropriate protected key.

Adding certificates using tmsh

You can use the Traffic Management Shell (tmsh) to add existing certificates to the BIG-IP® system configuration.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Add the certificate.
    install sys crypto cert <cert_object_name> from-local-file <path_to_cert_file>

    This example loads the certificate named my_key.crt from a local certificate file stored in the /config/ssl/ssl.crt/ directory:

    install sys crypto cert my_key.crt from-local-file /config/ssl/ssl.crt/my_key.crt

Creating a DNSSEC key using an external HSM key and certificate

Before you create a DNSSEC key using an external key and certificate, make sure that you have generated a key and certificate using Thales nShield Connect, and that you have loaded the key and certificate.
You can create manually managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see Configuring DNSSEC with an external HSM in BIG-IP® DNS Services: Implementations at http://support.f5.com.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information