From: Aki Tuomi Date: Mon, 19 Oct 2015 13:26:41 +0000 (+0300) Subject: Update documentation on PKCS#11 X-Git-Tag: dnsdist-1.0.0-alpha1~252^2~5^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6540ab481c9567ea09a3150aaa9b0f4c401d79d;p=thirdparty%2Fpdns.git Update documentation on PKCS#11 --- diff --git a/docs/markdown/authoritative/dnssec.md b/docs/markdown/authoritative/dnssec.md index ce380f0887..93ee920beb 100644 --- a/docs/markdown/authoritative/dnssec.md +++ b/docs/markdown/authoritative/dnssec.md @@ -281,6 +281,8 @@ For further details, please see [the `pdnssec`](#pdnssec) documentation. # PKCS\#11 support **Note**: This feature is experimental, and not ready for production. Use at your own risk! +**Note**: As of version 4.0, slot IDs are deprecated, and you are expected to use slot label instead + To enable it, compile PowerDNS Authoritative Server using --enable-experimental-pkcs11 flag on configure. This requires you to have p11-kit libraries and headers. You can also log on to the tokens after starting server, in this case you need to edit your PKCS#11 cryptokey record and remove PIN or set it empty. PIN is required @@ -314,10 +316,10 @@ Instructions on how to setup SoftHSM to work with the feature after compilation sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number ``` -- Assign the keys using +- Assign the keys using (note that token label is not necessarely same as object label, see p11-kit -l) ``` - pdnssec hsm assign zone rsasha256 ksk|zsk softhsm slot-id pin zone-ksk|zsk + pdnssec hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk ``` - Verify that everything worked, you should see valid data there 
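Review bot: the note added in the first hunk says "slot label" while the assign bullet and command in the second hunk say "token label"; in PKCS#11 a slot carries only a description and it is the token that carries a label, so the note should read "token label", end with a full stop, and say what happens to existing cryptokey records that still carry a numeric slot id (still accepted, or must be re-assigned). In the second hunk, "necessarely" should be "necessarily", and "see p11-kit -l" is too terse to act on: spell out the command that lists token labels (for example `p11-kit list-modules`, or `pkcs11-tool --module ... -T`), since that label is exactly what the reader has to copy into `pdnssec hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk`. The final argument `zone-ksk|zsk` on that line also still disagrees with the `-a zone-ksk|zone-zsk` object label used in the key-generation command above it, and that command still selects the token with `--slot-index slot-number`; pkcs11-tool's `--token-label` option would keep the two steps consistent with the label-based workflow this patch introduces.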
@@ -388,7 +390,7 @@ Instructions on how to use CryptAS [`Athena IDProtect Key USB Token V2J`](http:/ - Assign the keys using ``` - pdnssec hsm assign zone rsasha256 ksk|zsk softhsm slot-id pin zone-ksk|zsk + pdnssec hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk ``` - Verify that everything worked, you should see valid data there.
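Review bot: `IDProtect#0A50123456789` in this hunk reads like one specific device's token label (the suffix looks like a serial number) while every other argument on the line (`zone`, `pin`) is a generic placeholder; either label it as an example value or use a `token-label` placeholder as the SoftHSM section now does, and tell the reader to read the label off the token with a listing command (for example `pkcs11-tool --module <athena module path> -T`) before pasting it. A short sentence that `athena` is the module name presumably set up in the earlier steps of this section would also help, since the line changed from `softhsm` and a reader comparing the two sections may otherwise assume the module name is interchangeable.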