SOFTHSM-KEYCONV(1)

NAME

softhsm-keyconv - converting between BIND and PKCS#8 key file formats

SYNOPSIS

softhsm-keyconv --topkcs8 --in path --out path [--pin PIN]
softhsm-keyconv --tobind --in path [--pin PIN] \
       --name name [--ttl ttl --ksk] --algorithm algorithm

DESCRIPTION

softhsm-keyconv can convert between BIND .private-key files and the PKCS#8 file format. This is so that you can import the PKCS#8 file into libsofthsm using the command softhsm. If you have another file format, then openssl probably can help you to convert it into the PKCS#8 file format.

The following files will be created when converting to BIND file format:

Kname+alg_id+key_tag.key
Public key in RR format
Kname+alg_id+key_tag.private
Private key in BIND key format
The three parts of the file name means the following:

name The owner name given by the --name argument.
alg_id A numeric representation of the --algorithm argument.
key_tag
Is a checksum of the DNSKEY RDATA.

OPTIONS

--topkcs8
Convert from BIND .private-key format to PKCS#8.
Use with --in, --out, and --pin.
--tobind
Convert from PKCS#8 to BIND .private-key format.
Use with --in, --pin, --name, --ttl, --ksk, and --algorithm.
--algorithm algorithm
Specifies which DNSSEC algorithm to use when converting to BIND format. The supported algorithms are:
RSAMD5
DSA
RSASHA1
RSASHA1-NSEC3-SHA1
DSA-NSEC3-SHA1
RSASHA256
RSASHA512
--help, -h
Shows the help screen.
--in path
The path to the input file.
--ksk This will set the flag field to 257 instead of 256 in the DNSKEY
RR in the .key file. Indicating that the key is a Key Signing Key. Can be used when converting to BIND format.
--name name
The owner name to use in the BIND file name and in the DNSKEY RR. Do not forget the trailing dot, e.g. "example.com."
--out path
The path to the output file.
--pin PIN
The PIN will be used to encrypt or decrypt the PKCS#8 file depending if we are converting to or from PKCS#8. If not given then the PKCS#8 file is assumed to be unencrypted.
--ttl TTL
The TTL to use for the DNSKEY RR. Optional, this will default to 3600 seconds.
--version, -v
Show the version info.

EXAMPLES

To convert a BIND .private-key file to a PKCS#8 file, the following command can be used:
softhsm-keyconv --in Kexample.com.+007+05474.private \
--out rsa.pem
To convert a PKCS#8 file to BIND key files, the following command can be used:

softhsm-keyconv --in rsa.pem --name example.com. \
--ksk --algorithm RSASHA1-NSEC3-SHA1

AUTHOR

Written by Rickard Bellgrim.

SEE ALSO

softhsm(1), softhsm.conf(5), openssl(1), named(1), dnssec-keygen(1), dnssec-signzone(1)

SoftHSM 21 December 2009 SOFTHSM-KEYCONV(1)

Copyright © 2010-2025 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout