08 พฤศจิกายน 2566

BIND 9 DNSSEC keys with a Utimaco HSM

- Ubuntu 20.04
- libssl 1.1.1f

---
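#!/usr/bin/env bash
# Build libp11, install the Utimaco PKCS#11 client, point the OpenSSL
# "pkcs11" engine at the HSM module, then create HSM-backed KSK/ZSK for
# BIND 9 and sign the zone.
#
# Assumptions (from the original notes): runs as root on Ubuntu 20.04 with
# the Utimaco client files (csadm, p11tool2, ADMIN.key, libcs_pkcs11_R3.so,
# cs_pkcs11_R3.cfg) and the zone file in the directory the script starts in.
# The p11tool2 steps prompt for PINs (…=ask) and must run from a terminal.
set -euo pipefail

apt -y install build-essential
apt -y install libssl-dev pkg-config
# Lets libp11's configure locate the system OpenSSL 1.1 via pkg-config.
export PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig/

# Build libp11 in a subshell so the working directory is unchanged
# afterwards; the vendor-file copies below resolve relative to it.
(
  wget https://github.com/OpenSC/libp11/releases/download/libp11-0.4.12/libp11-0.4.12.tar.gz
  # TODO(review): verify the tarball against the upstream-published checksum
  # or signature before unpacking; the notes do not record the expected
  # digest, so it is left as <expected-sha256-from-release-page>.
  tar -xzf libp11-0.4.12.tar.gz
  cd libp11-0.4.12/
  # --prefix is the documented configure option (the notes used a bare
  # prefix= assignment).
  ./configure --prefix=/usr/local/libp11/
  make && make install
)
# ${LD_LIBRARY_PATH:-} keeps this safe under set -u when the variable is unset.
export LD_LIBRARY_PATH=/usr/local/libp11/lib/:${LD_LIBRARY_PATH:-}

# Utimaco client layout; -p makes the step re-runnable.
mkdir -p /opt/utimaco/bin /opt/utimaco/lib /etc/utimaco
cp csadm p11tool2 /opt/utimaco/bin/
chmod +x /opt/utimaco/bin/*
# ADMIN.key is the HSM administrator credential used by InitToken below;
# it must not be readable by other local users. It stays under bin/ only
# because the p11tool2 Login= argument below names that path.
cp ADMIN.key /opt/utimaco/bin/
chmod 600 /opt/utimaco/bin/ADMIN.key
cp libcs_pkcs11_R3.so /opt/utimaco/lib/
cp cs_pkcs11_R3.cfg /etc/utimaco/

# OpenSSL engine config: loads the libp11 "pkcs11" engine and hands it the
# Utimaco PKCS#11 module. The notes did not record the destination path, so
# it is taken from OPENSSL_CONF (the variable OpenSSL itself reads), which
# the caller must set.
# NOTE(review): this is a complete config (it defines openssl_conf), so
# writing it over the system openssl.cnf replaces that file — confirm the
# intended destination before running.
: "${OPENSSL_CONF:?set to the path of the OpenSSL config to write (placeholder; not recorded in the notes)}"
cat << 'EOF' > "$OPENSSL_CONF"
openssl_conf = openssl_init

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /opt/utimaco/lib/libcs_pkcs11_R3.so
init = 0
EOF
# Exported so the dnssec-* tools below (-E pkcs11) pick up this engine config.
export OPENSSL_CONF

# Replace the systemd-resolved stub resolver with a static one.
# The nameserver value is site-specific (taken as-is from the notes).
systemctl disable systemd-resolved.service
systemctl stop systemd-resolved
# -f: do not abort (set -e) if the file/symlink is already gone.
rm -f /etc/resolv.conf
cat << 'EOF' > /etc/resolv.conf
nameserver 192.168.1.1
EOF

add-apt-repository ppa:isc/bind
apt update
apt -y install bind9

# Initialise the token (administrator login via ADMIN.key), then set the
# SO/user PINs; both prompt interactively.
/opt/utimaco/bin/p11tool2 slot=0 Label=bind-hsm Login=ADMIN,/opt/utimaco/bin/ADMIN.key InitToken=ask
/opt/utimaco/bin/p11tool2 slot=0 LoginSO=ask InitPin=ask

# One RSA key pair per role; the CKA_LABEL values are what the PKCS#11 URIs
# below (object=ksk / object=zsk) refer to.
/opt/utimaco/bin/p11tool2 slot=0 LoginUser=ask PubKeyAttr=CKA_LABEL="ksk" PrvKeyAttr=CKA_LABEL="ksk" GenerateKeyPair=RSA
/opt/utimaco/bin/p11tool2 slot=0 LoginUser=ask PubKeyAttr=CKA_LABEL="zsk" PrvKeyAttr=CKA_LABEL="zsk" GenerateKeyPair=RSA

# Sanity check: both objects should be listed before continuing.
/opt/utimaco/bin/p11tool2 slot=0 LoginUser=ask ListObjects

# Private keys never leave the HSM; these commands only write key files in
# the current directory that reference the HSM objects by PKCS#11 URI.
# -f KSK marks the key-signing key.
dnssec-keyfromlabel -E pkcs11 -f KSK -a RSASHA256 -l "pkcs11:token=bind-hsm;object=ksk" example.net
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind-hsm;object=zsk" example.net
# -S (smart signing) selects the key files written above; signatures are
# produced through the pkcs11 engine.
dnssec-signzone -E pkcs11 -S -o example.net db.example.net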