Manual Chapter : Generating External HSM KeyCert Pairs for DNSSEC

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

Overview: Generating external HSM key and certificate pairs for manually managed DNSSEC keys

When the BIG-IP® system is a BIG-IP Global Traffic Manager™ (GTM™), you can use the Thales nShield Connect to store and manage DNSSEC keys.

For additional information about using Thales nShield Connect, refer to the Thales website:

https://www.thales-esecurity.com/products-and-services/products-and-services /hardware-security-modules/general-purpose-hsms/nshield-connect

Task list

Generating an external key for creating manually managed DNSSEC keys

Before you generate the key, make sure that the Thales nShield Connect client is running on all BIG-IP® GTM™ devices in the configuration synchronization group.
You can use the fipskey.nethsm utility to generate keys and self-signed certificates to be used to create manually managed DNSSEC private keys. You can use the generated .csr file to request a signed certificate from a certificate authority (CA).
Tip: For information about creating automatically managed DNSSEC private keys, see Configuring DNSSEC with an external HSM in BIG-IP® DNS Services: Implementations at http://support.f5.com.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Generate a key: fipskey.nethsm --genkey -o <output_file>
    Note: The output file name cannot include periods.
    This example generates four files, using the default protection type (token):
    fipskey.nethsm --genkey -o my_key
    • /config/ssl/ssl.key/my_key.key (local key)
    • /config/ssl/ssl.csr/my_key.csr (CSR file)
    • /config/ssl/ssl.crt/my_key.crt (self-signed certificate)
    • /opt/nfast/kmdata/local/filename (protected key)
    The local key points to the protected key, which is encrypted.
After you generate a key and certificates, you need to load the local key into the BIG-IP configuration using tmsh.

Configuring hardware-protected HSM keys using tmsh

You can use the Traffic Management Shell (tmsh) to load the corresponding local HSM (FIPS) keys into the BIG-IP® system.
Note: This procedure loads the local key, not the actual hardware key, which never leaves the HSM.
  1. Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
  2. Open the Traffic Management Shell (tmsh). tmsh
  3. Configure the local key. install sys crypto key <key_object_name> from-local-file <keyname>

    This example loads the external HSM key named my_key.key from a local key file stored in the /config/ssl/ssl.key/ directory:

    install sys crypto key my_key.key from-local-file /config/ssl/ssl.key/my_key.key The Thales client software maps the local key to the appropriate protected key.

Adding certificates using tmsh

You can use the Traffic Management Shell (tmsh) to add existing certificates to the BIG-IP® system configuration.
  1. Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
  2. Open the Traffic Management Shell (tmsh). tmsh
  3. Add the certificate. install sys crypto cert <cert_object_name> from-local-file <path_to_cert_file>

    This example loads the certificate named my_key.crt from a local certificate file stored in the /config/ssl/ssl.crt/ directory:

    install sys crypto cert my_key.crt from-local-file /config/ssl/ssl.crt/my_key.crt

Creating a DNSSEC key using an external HSM key and certificate

Before you create a DNSSEC key using an imported key and certificate, make sure that you have generated a key and certificate using Thales nShield Connect, and that you have imported the key and certificate.
You can create manually managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see Configuring DNSSEC with an external HSM in BIG-IP® DNS Services: Implementations at http://support.f5.com.