SYNOPSIS
softhsm-keyconv --topkcs8 --in path --out path [--pin PIN]softhsm-keyconv --tobind --in path [--pin PIN] \
--name name [--ttl ttl --ksk] --algorithm algorithm
DESCRIPTION
softhsm-keyconv can convert between BIND .private-key files and the PKCS#8 file format. This is so that you can import the PKCS#8 file into libsofthsm using the command softhsm. If you have another file format, then openssl probably can help you to convert it into the PKCS#8 file format.The following files will be created when converting to BIND file format:
- Kname+alg_id+key_tag.key
- Public key in RR format
- Kname+alg_id+key_tag.private
- Private key in BIND key format
- The three parts of the file name means the following:
-
-
- name
- The owner name given by the --name argument.
- alg_id
- A numeric representation of the --algorithm argument.
- key_tag
- Is a checksum of the DNSKEY RDATA.
-
OPTIONS
- --topkcs8
-
Convert from BIND .private-key format to PKCS#8.
Use with --in, --out, and --pin. - --tobind
-
Convert from PKCS#8 to BIND .private-key format.
Use with --in, --pin, --name, --ttl, --ksk, and --algorithm. - --algorithm algorithm
-
Specifies which DNSSEC
algorithm
to use when converting to BIND format.
The supported algorithms are:
-
-
RSAMD5 DSA RSASHA1 RSASHA1-NSEC3-SHA1 DSA-NSEC3-SHA1 RSASHA256 RSASHA512
-
-
- --help, -h
- Shows the help screen.
- --in path
- The path to the input file.
- --ksk
- This will set the flag field to 257 instead of 256 in the DNSKEY RR in the .key file. Indicating that the key is a Key Signing Key. Can be used when converting to BIND format.
- --name name
- The owner name to use in the BIND file name and in the DNSKEY RR. Do not forget the trailing dot, e.g. "example.com."
- --out path
- The path to the output file.
- --pin PIN
- The PIN will be used to encrypt or decrypt the PKCS#8 file depending if we are converting to or from PKCS#8. If not given then the PKCS#8 file is assumed to be unencrypted.
- --ttl TTL
- The TTL to use for the DNSKEY RR. Optional, this will default to 3600 seconds.
- --version, -v
- Show the version info.
EXAMPLES
To convert a BIND .private-key file to a PKCS#8 file, the following command can be used:
-
softhsm-keyconv --in Kexample.com.+007+05474.private \
--out rsa.pem
To convert a PKCS#8 file to BIND key files, the following command can be used:
-
softhsm-keyconv --in rsa.pem --name example.com. \
--ksk --algorithm RSASHA1-NSEC3-SHA1