5 Srp
2021
5 Srp
'21
22:23
Thanks. My assumption is that the metadata contains information that will
enable knot to get the HSM to access the correct private key when this key
is needed, right?
This aside, do you guys have any documents where the KASP database is
described in detail?
On Thu, Aug 5, 2021 at 2:10 PM libor.peltan <libor.peltan(a)nic.cz> wrote:
Hi Luveh,
I agree the quoted sentence from the documentation is pretty brief, and
thus inaccurate.
The KASP database always contains just the public keys and some key
metadata.
The private keys are stored in a keystore, i.e. PEM files or (Soft)HSM
according to configuration.
This is also true for new keys generated with keymgr.
Thanks anyway for your question,
Libor
Dne 05. 08. 21 v 21:50 Luveh Keraph napsal(a):
Tha man page for keymgr says that the keymgr generate command
(quote) Generates new DNSSEC key and stores it in KASP database. (unquote)
What is exactly stored in the KASP database?
The reason I am asking is because the actual cryptographic key will be
available in the clear only when using the default key store. When using an
HSM (or event softhsm) only the HSM will have access to the key in the
clear. So, what is it that gets stored in the KASP database when an HSM is
used for generating keys?