Hi @ all,
we are testing with SoftHSM 2.5 and KNOT 2.7.4...
I am trying to import the keys stored inside SoftHSM into keymgr to sign an example zone with them.
The key material is shown via pkcs11-tool:
[root@centos-test2 ~]# pkcs11-tool --login --list-objects --module /usr/local/lib/softhsm/libsofthsm2.so
Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap
######
The KNOT config is:
[root@centos-test2 ~]# cat /etc/knot/knot.conf
# See knot.conf(5) manual page for documentation.
server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

policy:
  - id: manual
    manual: on
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug
###################
And when I try to import the key into keymgr I run the command:
[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1a1 algorithm=RSASHA256 size=2048 ksk=yes created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)
###
I don't know how I can fix this... maybe anybody can help me? The documentation of KNOT is very good, but at this point it is a little bit insufficient. Does anybody have examples for this?
Thanks a lot in advance for the help.
best regards
--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services
DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY
E-Mail: petrasch@denic.de
http://www.denic.de
PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49 DE61 870E 8841 549B E0AE
Information pursuant to § 25a paragraph 1 GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Local Court of Frankfurt am Main
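A pre-check that helps when keymgr answers "not exists": confirm that a private key whose CKA_ID matches the value passed to import-pkcs11 is actually present on the token the keystore URI points at. The script below is an added example, not code from the post or from Knot DNS. Its two inputs are constructed from the pkcs11-tool listing and the keystore section quoted above; the listing layout assumed is the usual pkcs11-tool "label:/ID:/Usage:" block per object, and the assumption is made, as in the post, that the keystore id and the CKA_ID argument are the same string.

```shell
#!/bin/sh
# Added example (not from the post or from Knot DNS): cross-check the key IDs named in
# Knot's keystore section against the objects the PKCS#11 token actually reports.
# Both inputs below are constructed from the listing and knot.conf quoted in the post.

# Constructed: the object listing as `pkcs11-tool --login --list-objects` printed it.
PKCS11_OBJECTS='Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap'

# Constructed: "<keystore id> <config string>" per entry of the posted keystore section.
KEYSTORES='a1a1 pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so
a1b1 pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so'

# private_key_ids LISTING: print "<CKA_ID> <label>" for every Private Key Object.
# Public keys are skipped: import-pkcs11 needs a signing-capable private key.
private_key_ids() {
  printf '%s\n' "$1" | awk '
    /^(Private|Public) Key Object/ { kind = $1 }
    /^[[:space:]]*label:/           { label = $2 }
    /^[[:space:]]*ID:/              { if (kind == "Private") print $2, label }
  '
}

# has_private_key LISTING ID: succeed iff a private key with CKA_ID ID is on the token.
has_private_key() {
  private_key_ids "$1" | awk -v id="$2" '$1 == id { found = 1 } END { exit !found }'
}

# private_key_label LISTING ID: print the label of the private key with CKA_ID ID.
private_key_label() {
  private_key_ids "$1" | awk -v id="$2" '$1 == id { print $2; exit }'
}

# pkcs11_uri_token CONFIG: extract the token attribute from Knot's
# "pkcs11:<uri> <module path>" config string (the URI is the part before the first space).
pkcs11_uri_token() {
  printf '%s\n' "${1%% *}" | tr ';' '\n' \
    | sed -n 's/^pkcs11:token=\(.*\)$/\1/p; s/^token=\(.*\)$/\1/p'
}

# check_keystores: one line per keystore entry, saying whether a private key whose
# CKA_ID equals the entry id exists and which token label the URI selects.
check_keystores() {
  printf '%s\n' "$KEYSTORES" | while read -r name uri module; do
    token=$(pkcs11_uri_token "$uri")
    if has_private_key "$PKCS11_OBJECTS" "$name"; then
      label=$(private_key_label "$PKCS11_OBJECTS" "$name")
      printf 'keystore %s: token=%s private key CKA_ID %s present (label %s) via %s\n' \
        "$name" "$token" "$name" "$label" "$module"
    else
      printf 'keystore %s: token=%s no private key with CKA_ID %s in the listing\n' \
        "$name" "$token" "$name"
    fi
  done
}

check_keystores
```

On a real system, replace PKCS11_OBJECTS with the captured output of pkcs11-tool run against the same module path and token that knot.conf names, and run the script as the same user that keymgr runs as, since a token visible to root is not necessarily visible to the knot user. Keep in mind that Knot's keystore id is only a configuration name; the argument to import-pkcs11 is the object's CKA_ID, which in the post happens to be the same string. Because the config string carries the PIN in clear, knot.conf should stay readable only by the account that needs it.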