Provided by: softhsm_1.3.5-1ubuntu3_amd64
NAME
softhsm-keyconv - converting between BIND and PKCS#8 key file formats
SYNOPSIS
softhsm-keyconv --topkcs8 --in path --out path [--pin PIN] softhsm-keyconv --tobind --in path [--pin PIN] \ --name name [--ttl ttl --ksk] --algorithm algorithm
DESCRIPTION
softhsm-keyconv can convert between BIND .private-key files and the PKCS#8 file format. This is so that you can import the PKCS#8 file into libsofthsm using the command softhsm. If you have another file format, then openssl probably can help you to convert it into the PKCS#8 file format. The following files will be created when converting to BIND file format: Kname+alg_id+key_tag.key Public key in RR format Kname+alg_id+key_tag.private Private key in BIND key format The three parts of the file name means the following: name The owner name given by the --name argument. alg_id A numeric representation of the --algorithm argument. key_tag Is a checksum of the DNSKEY RDATA.
OPTIONS
--topkcs8 Convert from BIND .private-key format to PKCS#8. Use with --in, --out, and --pin. --tobind Convert from PKCS#8 to BIND .private-key format. Use with --in, --pin, --name, --ttl, --ksk, and --algorithm. --algorithm algorithm Specifies which DNSSEC algorithm to use when converting to BIND format. The supported algorithms are: RSAMD5 DSA RSASHA1 RSASHA1-NSEC3-SHA1 DSA-NSEC3-SHA1 RSASHA256 RSASHA512 --help, -h Shows the help screen. --in path The path to the input file. --ksk This will set the flag field to 257 instead of 256 in the DNSKEY RR in the .key file. Indicating that the key is a Key Signing Key. Can be used when converting to BIND format. --name name The owner name to use in the BIND file name and in the DNSKEY RR. Do not forget the trailing dot, e.g. "example.com." --out path The path to the output file. --pin PIN The PIN will be used to encrypt or decrypt the PKCS#8 file depending if we are converting to or from PKCS#8. If not given then the PKCS#8 file is assumed to be unencrypted. --ttl TTL The TTL to use for the DNSKEY RR. Optional, this will default to 3600 seconds. --version, -v Show the version info.
EXAMPLES
To convert a BIND .private-key file to a PKCS#8 file, the following command can be used: softhsm-keyconv --in Kexample.com.+007+05474.private \ --out rsa.pem To convert a PKCS#8 file to BIND key files, the following command can be used: softhsm-keyconv --in rsa.pem --name example.com. \ --ksk --algorithm RSASHA1-NSEC3-SHA1
AUTHOR
Written by Rickard Bellgrim.
SEE ALSO
softhsm(1), softhsm.conf(5), openssl(1), named(1), dnssec-keygen(1), dnssec-signzone(1)