Provided by: softhsm_1.3.5-1ubuntu3_amd64 bug

NAME

       softhsm-keyconv - converting between BIND and PKCS#8 key file formats

SYNOPSIS

       softhsm-keyconv --topkcs8 --in path --out path [--pin PIN]
       softhsm-keyconv --tobind --in path [--pin PIN] \
              --name name [--ttl ttl --ksk] --algorithm algorithm

DESCRIPTION

       softhsm-keyconv  can  convert  between BIND .private-key files and the PKCS#8 file format.
       This is so that you can import the PKCS#8 file into libsofthsm using the command  softhsm.
       If you have another file format, then openssl probably can help you to convert it into the
       PKCS#8 file format.

       The following files will be created when converting to BIND file format:

       Kname+alg_id+key_tag.key
              Public key in RR format

       Kname+alg_id+key_tag.private
              Private key in BIND key format

       The three parts of the file name means the following:

              name   The owner name given by the --name argument.

              alg_id A numeric representation of the --algorithm argument.

              key_tag
                     Is a checksum of the DNSKEY RDATA.

OPTIONS

       --topkcs8
              Convert from BIND .private-key format to PKCS#8.
              Use with --in, --out, and --pin.

       --tobind
              Convert from PKCS#8 to BIND .private-key format.
              Use with --in, --pin, --name, --ttl, --ksk, and --algorithm.

       --algorithm algorithm
              Specifies which DNSSEC algorithm to  use  when  converting  to  BIND  format.   The
              supported algorithms are:
                     RSAMD5
                     DSA
                     RSASHA1
                     RSASHA1-NSEC3-SHA1
                     DSA-NSEC3-SHA1
                     RSASHA256
                     RSASHA512

       --help, -h
              Shows the help screen.

       --in path
              The path to the input file.

       --ksk  This  will  set  the  flag field to 257 instead of 256 in the DNSKEY RR in the .key
              file.  Indicating that the key is a Key Signing Key.  Can be used  when  converting
              to BIND format.

       --name name
              The  owner  name  to use in the BIND file name and in the DNSKEY RR.  Do not forget
              the trailing dot, e.g. "example.com."

       --out path
              The path to the output file.

       --pin PIN
              The PIN will be used to encrypt or decrypt the PKCS#8  file  depending  if  we  are
              converting  to  or from PKCS#8.  If not given then the PKCS#8 file is assumed to be
              unencrypted.

       --ttl TTL
              The TTL to use for the DNSKEY RR.  Optional, this will default to 3600 seconds.

       --version, -v
              Show the version info.

EXAMPLES

       To convert a BIND .private-key file to a PKCS#8 file, the following command can be used:

              softhsm-keyconv --in Kexample.com.+007+05474.private \
                     --out rsa.pem

       To convert a PKCS#8 file to BIND key files, the following command can be used:

              softhsm-keyconv --in rsa.pem --name example.com. \
                     --ksk --algorithm RSASHA1-NSEC3-SHA1

AUTHOR

       Written by Rickard Bellgrim.

SEE ALSO

       softhsm(1), softhsm.conf(5), openssl(1), named(1), dnssec-keygen(1), dnssec-signzone(1)