Smart Card and TPM DNSSEC HowTo - Richard Lamb 2012

See the web page for more detailed and updated info.

We have 3 smart card examples and one TPM example.

For smart cards:
  - get a USB smartcard reader (SCR331, about $12)
  - get a smartcard (Aventra, about $11)
  - boot the DVD and log in as root, password dnssec

Note: If not using the Aventra MyEID smart card, replace
  PKCS11_LIBRARY_PATH="/opt/dccom/lib/opensc-pkcs11.so"
with the path to your card's PKCS#11 library in the following scripts:
  carderase cardrng cardsign genksk-sc genzsk-sc signem-sc signzone-99 signzone-sc
Routines that also depend on the Aventra card:
  carddel carderase cardshow cardwrite

Offline Smart Card KSK + online software ZSKs
  carderase                    (123456 for PIN and Security Officer PIN if asked)
  export DOMAIN=yourdomain     (no trailing dot)
  optional: export TEST="yes"  (short signature lifetimes for testing)
  cardrng                      (in a second terminal window; PIN from above)
  genzsk
  genksk                       (filename like "temp")
  stop cardrng
  cardwrite                    (CKA_LABEL like "Kdate"; filename and PIN from above)
  cardshow
  cardsign                     (passphrase to encrypt the key bundles; KSK CKA_LABEL and PIN from above)
  optional: signzone           (passphrase for the key bundles needed; starts a local nameserver and runs the sample signer process)

Offline Smart Card KSK + online ZSKs
  carderase                    (123456 for PIN and Security Officer PIN if asked)
  export DOMAIN=yourdomain     (no trailing dot)
  optional: export TEST="yes"  (short signature lifetimes for testing)
  genzsk-sc                    (PIN from above)
  genksk-sc                    (PIN from above)
  cardsign-sc                  (KSK CKA_LABEL is what genksk-sc returned, e.g. Kyourdomain.+008+17118)
  optional: signzone-sc        (starts a local nameserver and runs the sample signer process)

Online Smart Card KSK + ZSKs + automated in-line signing
  carderase                    (123456 for PIN and Security Officer PIN if asked)
  export DOMAIN=yourdomain     (no trailing dot)
  optional: export TEST="yes"  (short signature lifetimes for testing)
  signzone-99                  (PIN from above. Generates KSK and ZSK, starts a local nameserver as automated in-line signer)

TPM Work

Note: trousers, opencryptoki and tpm-tools are very finicky, and building a local version for debugging requires pulling in a lot of cruft. opencryptoki is a moving target, but version 2.4 seems to have attained some stability. Beware of old TPM systems that will fail after a few thousand C_Sign calls.

Versions used for this demo on CentOS 6.0:
  tpm-tools-1.3.4-2.el6.i686.rpm
  tpm-tools-pkcs11-1.3.4-2.el6.i686.rpm
  opencryptoki-2.4.2-2.el6.i686.rpm
  opencryptoki-libs-2.4.2-2.el6.i686.rpm
  trousers-0.3.4-4.el6.i686.rpm

Online TPM KSK + ZSKs + automated in-line signing
  REBOOT THE MACHINE AND GO TO THE BIOS TO ACTIVATE AND CLEAR THE TPM FIRST.
  /etc/init.d/tcsd start       (should return "OK")
  tpm_version                  (should print TPM info)
  tpm_createek                 (may not be needed unless the TPM has never been initialized)
  tpm_takeownership            (this will take a while: it generates a 2048-bit SRK on the TPM. Try again if an I/O error occurs.)
  tpm_restrictsrk -a           (just for the password. For this and other TPM error messages, see /var/log/messages)
  /etc/init.d/pkcsslotd stop   (may already be stopped, but run it to make sure)
  rm -rf /tmp/.pkcs11spinloc /var/lib/opencryptoki/tpm
  /etc/init.d/pkcsslotd start  (should return "OK")
  tpmtoken_init -l debug       (123456 for Security Officer and user. Note: do not use 87654321 for SO or 12345678 for user. This will take a while.)
  pkcsconf -t                  (to check that all worked)
  export DOMAIN=yourdomain     (no trailing dot)
  optional: export TEST="yes"  (short signature lifetimes for testing)
  signzone-tpm                 (PIN from above. This will take a while. Generates KSK and ZSK, starts a local nameserver as automated in-line signer)

END
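The scripts above pass around BIND-style key names such as Kyourdomain.+008+17118 (owner name, algorithm number, key tag), both as the name genksk-sc returns and as the CKA_LABEL under which cardwrite stores the KSK on the card. The following Python helper is an added example, not one of the scripts on the DVD: it shows how that key tag is derived from the DNSKEY RDATA (RFC 4034 Appendix B) and uses it for the check a practitioner wants after cardwrite or genksk-sc, namely that the label on the token really names the public key the token exposes, so the DS record published for it will resolve. It assumes BIND's K<owner>.+<alg>+<tag> naming and the RFC 3110 RSA public key encoding; the sample key is a constructed toy modulus, not a real DNSSEC key.

```python
"""Key-tag and key-label helper for the smart card / TPM KSK workflow.

Added example, not one of the DVD's scripts.  The sample key at the bottom is
constructed (a 16-bit toy modulus) and is NOT a usable DNSSEC key.
"""
import base64
import re
import struct

RSASHA256 = 8          # algorithm number behind the "+008+" part of the label
KSK_FLAGS = 257        # ZONE (256) | SEP (1)
ZSK_FLAGS = 256        # ZONE only
DNSKEY_PROTOCOL = 3    # fixed by RFC 4034

# Assumed BIND naming convention: K<owner>.+<3-digit alg>+<5-digit tag>
LABEL_RE = re.compile(r"^K(?P<owner>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def rsa_public_key_field(exponent: int, modulus: int) -> bytes:
    """RFC 3110 DNSKEY public key field: exponent length prefix (one byte,
    or a zero byte plus two-byte length if >= 256), exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    prefix = bytes([len(e)]) if len(e) < 256 else b"\x00" + struct.pack("!H", len(e))
    return prefix + e + n


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, DNSKEY_PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag (all algorithms except RSA/MD5):
    sum the RDATA as big-endian 16-bit words, fold the carry, keep 16 bits."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def key_label(owner: str, algorithm: int, tag: int) -> str:
    """Label as used for the CKA_LABEL, e.g. Kyourdomain.+008+17118."""
    return "K%s.+%03d+%05d" % (owner.rstrip("."), algorithm, tag)


def parse_key_label(label: str):
    """Split a K<owner>.+<alg>+<tag> label into (owner, algorithm, tag)."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError("not a K<owner>.+<alg>+<tag> label: %r" % label)
    return m["owner"], int(m["alg"]), int(m["tag"])


def dnskey_presentation(owner: str, flags: int, algorithm: int, public_key: bytes) -> str:
    """Zone-file form of the DNSKEY record for the key bundle."""
    return "%s. IN DNSKEY %d %d %d %s" % (
        owner.rstrip("."), flags, DNSKEY_PROTOCOL, algorithm,
        base64.b64encode(public_key).decode("ascii"))


def label_matches_key(label: str, owner: str, flags: int, algorithm: int,
                      public_key: bytes) -> bool:
    """The post-cardwrite / post-genksk-sc check: does the label on the token
    name the algorithm and key tag of the public key the token exposes?
    A mismatch means the DS you publish would point at a key that is not
    in the DNSKEY RRset."""
    l_owner, l_alg, l_tag = parse_key_label(label)
    rdata = dnskey_rdata(flags, algorithm, public_key)
    return (l_owner == owner.rstrip(".")
            and l_alg == algorithm
            and l_tag == key_tag(rdata))


# Constructed sample: RSA e=65537 with a toy 16-bit modulus.  NOT a real key.
SAMPLE_OWNER = "yourdomain"
SAMPLE_PUBKEY = rsa_public_key_field(65537, 0xABCD)


def sample_ksk_label() -> str:
    """Label the card should carry for the constructed sample KSK."""
    rdata = dnskey_rdata(KSK_FLAGS, RSASHA256, SAMPLE_PUBKEY)
    return key_label(SAMPLE_OWNER, RSASHA256, key_tag(rdata))


if __name__ == "__main__":
    print(dnskey_presentation(SAMPLE_OWNER, KSK_FLAGS, RSASHA256, SAMPLE_PUBKEY))
    print(sample_ksk_label())
    # True for the matching label, False for a label from some other key
    print(label_matches_key(sample_ksk_label(), SAMPLE_OWNER, KSK_FLAGS, RSASHA256, SAMPLE_PUBKEY))
    print(label_matches_key("Kyourdomain.+008+17118", SAMPLE_OWNER, KSK_FLAGS, RSASHA256, SAMPLE_PUBKEY))
```

In practice you would feed label_matches_key the CKA_LABEL shown by cardshow (or pkcsconf for the TPM token) together with the modulus and exponent read back from the token's public key object, then publish the DS only once it returns True. Note that the key tag depends on the flags field, so the same RSA key used as a ZSK (256) and as a KSK (257) gets different tags and therefore different labels.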