softhsm2-keyconv converts BIND .private-key files to PKCS#8 PEM format so they can be imported into SoftHSM (or any PKCS#11 token) using softhsm2-util.
For other input formats, use
openssl to convert to PKCS#8 first, then import with softhsm2-util.Options
Path to the input file. The file must be in BIND
.private-key format (e.g., Kexample.com.+007+05474.private).Path to the output file. The converted key is written in PKCS#8 PEM format.
A PIN used to encrypt the output PKCS#8 file. If not provided, the output file is written unencrypted.
Show the help screen.
Show version info.
Examples
Convert a BIND key to PKCS#8
Convert and encrypt the output
Pass--pin to protect the output file with a PIN. You will then need to supply the same PIN via --file-pin when importing with softhsm2-util:
BIND-to-SoftHSM workflow
Generate or locate your BIND key
BIND keys are typically generated by
dnssec-keygen and have filenames like Kexample.com.+007+05474.private.See also
softhsm2-util— import keys and manage tokenssofthsm2-migrate— migrate SoftHSM v1 databasessofthsm2.conf(5)— SoftHSM configuration file referenceopenssl(1)— general-purpose key conversiondnssec-keygen(1)— BIND DNSSEC key generation