NAME
    ods-hsmutil - OpenDNSSEC HSM utility

SYNOPSIS
    ods-hsmutil [-c config] [-v] command [options]
DESCRIPTION
    The ods-hsmutil utility is mainly used for debugging or testing. It is
    designed to interact directly with your HSM and can be used to manually
    list, create or delete keys. It can also be used to perform a set of
    basic HSM tests. Be careful before creating or deleting keys using
    ods-hsmutil, as the changes are not synchronized with the KASP Enforcer.

    The repositories are configured by the user in the OpenDNSSEC
    configuration file. The configuration contains the name of the
    repository, the token label, the user PIN, and the path to its shared
    library.
COMMANDS
    login
        If there is no PIN in conf.xml, this command will ask for it and log
        in. The PINs are stored in shared memory and are accessible to the
        other daemons.

    logout
        Erase the semaphore and the shared memory containing any
        credentials. Processes that are already authenticated will still be
        able to interact with the HSM.

    list [repository]
        List the keys that are available in all repositories, or in the one
        repository given.

    generate repository rsa|dsa|gost|ecdsa [keysize]
        Generate a new key with the given keysize in the repository. Note
        that GOST has a fixed key size and that ECDSA has two supported
        curves, P-256 and P-384. In the case of ECDSA, use 256 or 384 as the
        keysize.

    remove id
        Delete the key with the given id.

    purge repository
        Delete all keys in one repository.

    dnskey id name type algo
        Create a DNSKEY RR for the given owner name based on the key with
        this id. The type indicates whether it is a KSK (257) or a ZSK
        (256); use the numerical value. The algo, a value from the IANA
        DNSSEC algorithm registry, must match the algorithm of the key.

    test repository
        Perform a number of tests on a repository.

    info
        Show detailed information about all repositories.
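The dnskey command leaves it to the operator to pass a flags value of 256 or 257 and an algorithm number that actually matches the HSM key. The following is an added example, not part of ods-hsmutil or the OpenDNSSEC project: it parses a DNSKEY RR in presentation format, checks the flags and protocol fields, checks that the algorithm number is one that the named key type (rsa, dsa, gost or ecdsa, with the ECDSA curve taken from the keysize) can produce, and computes the RFC 4034 key tag. The sample RR and its key material are constructed for the example.

```python
import base64
import struct

# IANA DNSKEY algorithm numbers that each ods-hsmutil key type can yield.
ALGOS_FOR_KEYTYPE = {
    "rsa":   {5, 7, 8, 10},   # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
    "dsa":   {3, 6},          # DSA, DSA-NSEC3-SHA1
    "gost":  {12},            # ECC-GOST
    "ecdsa": {13, 14},        # ECDSAP256SHA256, ECDSAP384SHA384
}
ECDSA_KEYSIZE_TO_ALGO = {256: 13, 384: 14}   # keysize as given to "generate"

# Constructed sample: owner, TTL, class, then the DNSKEY RDATA fields.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="

def parse_dnskey(rr):
    """Split a presentation-format DNSKEY RR into (owner, flags, proto, algo, key)."""
    fields = rr.split()
    idx = fields.index("DNSKEY")          # TTL and class are optional before it
    flags, proto, algo = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, algo, key

def key_tag(flags, proto, algo, key):
    """RFC 4034 Appendix B key tag, computed over the RDATA in wire form."""
    rdata = struct.pack("!HBB", flags, proto, algo) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def check_dnskey(rr, keytype, keysize=None):
    """Return a list of inconsistencies; an empty list means the RR is sound."""
    _owner, flags, proto, algo, _key = parse_dnskey(rr)
    problems = []
    if flags not in (256, 257):
        problems.append(f"flags {flags}: expected 256 (ZSK) or 257 (KSK)")
    if proto != 3:
        problems.append(f"protocol {proto}: DNSKEY protocol must be 3")
    if algo not in ALGOS_FOR_KEYTYPE.get(keytype, set()):
        problems.append(f"algo {algo} does not match a {keytype} key")
    if keytype == "ecdsa" and keysize is not None:
        want = ECDSA_KEYSIZE_TO_ALGO.get(keysize)
        if want != algo:
            problems.append(f"ECDSA keysize {keysize} requires algo {want}")
    return problems

if __name__ == "__main__":
    print(check_dnskey(SAMPLE_KSK, "ecdsa", 256), key_tag(*parse_dnskey(SAMPLE_KSK)[1:]))
```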
OPTIONS
    -c config
        Path to an OpenDNSSEC configuration file (defaults to
        /etc/opendnssec/conf.xml).

    -h
        Show the help screen.

    -v
        Output more information by increasing the verbosity level.
SEE ALSO
    ods-control(8), ods-enforcerd(8), ods-hsmspeed(1), ods-kaspcheck(1),
    ods-signer(8), ods-signerd(8), ods-enforcer(8), ods-timing(5),
    ods-kasp(5), opendnssec(7), http://www.opendnssec.org/
AUTHOR
    ods-hsmutil was written by Jakob Schlyter as part of the OpenDNSSEC
    project.