Converting between bind and pkcs#8 key file formats
softhsm-keyconv --topkcs8 --in path --out path [--pin PIN]
softhsm-keyconv --tobind --in path [--pin PIN] \
--name name [--ttl ttl --ksk] --algorithm algorithm
softhsm-keyconv can convert between BIND .private-key files and the PKCS#8 file format. This is so that you can import the PKCS#8 file into libsofthsm using the command softhsm. If you have another file format, then openssl probably can help you to convert it into the PKCS#8 file format.
The following files will be created when converting to BIND file format:
Kname+alg_id+key_tag.key
Public key in RR format
Kname+alg_id+key_tag.private
Private key in BIND key format
The three parts of the file name means the following:
name
The owner name given by the --name argument.
alg_id
A numeric representation of the --algorithm argument.
key_tag
Is a checksum of the DNSKEY RDATA.
--topkcs8
Convert from BIND .private-key format to PKCS#8.
Use with --in, --out, and --pin.
--tobind
Convert from PKCS#8 to BIND .private-key format.
Use with --in, --pin, --name, --ttl, --ksk, and --algorithm.
--algorithm algorithm
Specifies which DNSSEC algorithm to use when converting to BIND format. The supported algorithms are:
RSAMD5 DSA RSASHA1 RSASHA1-NSEC3-SHA1 DSA-NSEC3-SHA1 RSASHA256 RSASHA512
--help, -h
Shows the help screen.
--in path
The path to the input file.
--ksk
This will set the flag field to 257 instead of 256 in the DNSKEY RR in the .key file. Indicating that the key is a Key Signing Key. Can be used when converting to BIND format.
--name name
The owner name to use in the BIND file name and in the DNSKEY RR. Do not forget the trailing dot, e.g. "example.com."
--out path
The path to the output file.
--pin PIN
The PIN will be used to encrypt or decrypt the PKCS#8 file depending if we are converting to or from PKCS#8. If not given then the PKCS#8 file is assumed to be unencrypted.
--ttl TTL
The TTL to use for the DNSKEY RR. Optional, this will default to 3600 seconds.
--version, -v
Show the version info.
To convert a BIND .private-key file to a PKCS#8 file, the following command can be used:
softhsm-keyconv --in Kexample.com.+007+05474.private \ --out rsa.pem
To convert a PKCS#8 file to BIND key files, the following command can be used:
softhsm-keyconv --in rsa.pem --name example.com. \ --ksk --algorithm RSASHA1-NSEC3-SHA1
Written by Rickard Bellgrim.
softhsm(1), softhsm.conf(5), openssl(1), named(1), dnssec-keygen(1), dnssec-signzone(1)