Hello,
I think you misunderstood the "keymgr share" command completely :)
I will attempt some basic explanation first.
Knot stores all the key information, metadata and public keys in KASP
database. The private keys are saved either to pem files (PKCS #8 like
storage) or a PKCS #11 (like in your case). For the signing (and mostly
also for manipulation with keys), both KASP DB and private key storage
must contain the relevant key. Copying just the private key (or having
it accessible on more machines at a time) is not good for anything.
The "keymgr share" command is here for sharing keys between different
zones, but clearly on one computer.
If you want to migrate signing Knot from one machine to another, you
shall transfer the configuration file, KASP DB and the private key
storage. It's not needed to call any "share" command afterwards.
Hope this explanation helps :)
Libor
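The point above is that a key is only usable when both the KASP database and the private key storage hold it, so after a migration the two stores should be cross-checked rather than assumed consistent. The script below is an added example, not part of this thread or of the Knot DNS project: it takes a saved listing from "keymgr <zone> list" (the key id is assumed to be the first field of each line), checks that the PEM keystore directory contains a "<keyid>.pem" file for every id (the assumed layout of Knot's PKCS #8 file storage), and reports the ids whose private key is missing. The demo data it creates is constructed, not real key material. For a PKCS #11 backend, as in Rick's setup, the same idea applies but the right-hand side of the comparison is the token's object listing rather than a directory of PEM files.

```shell
#!/bin/sh
# Added example (not Knot DNS project code): cross-check the key ids known to
# the KASP database against the PEM keystore directory, so that a migration
# which copied only one of the two stores is caught before signing starts.
# Assumptions: the listing file is the output of "keymgr <zone> list" with the
# key id as the first whitespace-separated field, and the keystore holds one
# "<keyid>.pem" file per key (Knot's PKCS #8 file storage layout, assumed).

# Print the key ids from a saved "keymgr <zone> list" output, one per line.
kasp_key_ids() {
    # $1: file with the listing; blank lines are skipped.
    awk 'NF > 0 { print $1 }' "$1"
}

# Print every id from listing $1 that has no "<id>.pem" in keystore dir $2.
missing_private_keys() {
    listing="$1"
    keystore="$2"
    kasp_key_ids "$listing" | while read -r id; do
        [ -f "$keystore/$id.pem" ] || printf '%s\n' "$id"
    done
}

# Exit status 0 when every KASP key has its private key, 1 otherwise.
keystore_consistent() {
    [ -z "$(missing_private_keys "$1" "$2")" ]
}

# --- Constructed demo data (placeholder ids and PEM bodies, not real keys) ---
demo_setup() {
    # $1: scratch directory to populate
    mkdir -p "$1/keystore"
    # Fake KASP listing in the shape "keymgr <zone> list" prints (assumed).
    cat > "$1/list.txt" <<'EOF'
0123456789abcdef0123456789abcdef01234567 ksk=yes zsk=no tag=11111 algorithm=13 size=256 public-only=no
89abcdef0123456789abcdef0123456789abcdef ksk=no zsk=yes tag=22222 algorithm=13 size=256 public-only=no
EOF
    # Simulate a botched migration: only the first key's PEM file was copied.
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(constructed placeholder)' \
        '-----END PRIVATE KEY-----' \
        > "$1/keystore/0123456789abcdef0123456789abcdef01234567.pem"
}

main() {
    scratch="$(mktemp -d)"
    demo_setup "$scratch"
    if keystore_consistent "$scratch/list.txt" "$scratch/keystore"; then
        echo "all KASP keys have a private key in the keystore"
    else
        echo "KASP keys without a private key in the keystore:"
        missing_private_keys "$scratch/list.txt" "$scratch/keystore"
    fi
    rm -rf "$scratch"
}

main
```

On a real host, replace the constructed listing with `keymgr <zone> list > list.txt` run on the target machine after the configuration file, KASP DB and keystore have been transferred; an empty result from `missing_private_keys` is the confirmation that no "share" step is needed.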
On 5.7.2018 at 20:21, Rick van Rein wrote:
Hello,
We're building a replicated Signer machine, based on Knot DNS. We have
a PKCS #11 backend for keys, and replication working for it.
On one machine we run
one# keymgr orvelte.nep generate ...
and then use the key hash on the other machine in
two# keymgr orvelte.nep share ...
This, however, leads to a report that the identified key could not be
found. Clearly, there is more to the backing store than just the key
material in PKCS #11.
What is the thing I need to share across the two machines, and how can I
do this?
Thanks,
-Rick