.TH SOFTHSM-KEYCONV 1 "21 December 2009" "SoftHSM"
.\" $Id$
.SH NAME
softhsm-keyconv \- converting between BIND and PKCS#8 key file formats
.SH SYNOPSIS
.B softhsm-keyconv \-\-topkcs8
.B \-\-in
.I path
.B \-\-out
.I path
.RB [ \-\-pin
.IR PIN ]
.br
.B softhsm-keyconv \-\-tobind
.B \-\-in
.I path
.RB [ \-\-pin
.IR PIN ]
\\
.br
.ti +0.7i
.B \-\-name
.I name
.RB [ \-\-ttl
.I ttl
.BR \-\-ksk ]
.B \-\-algorithm
.I algorithm
.SH DESCRIPTION
.B softhsm-keyconv
can convert between BIND .private-key files and the PKCS#8 file format.
This is so that you can import the PKCS#8 file into
libsofthsm using the command
.BR softhsm .
If you have another file format, then
.B openssl
probably can help you to convert it into the PKCS#8 file format.
.LP
The following files will be created when converting to BIND file format:
.TP
K\fIname\fR+\fIalg_id\fR+\fIkey_tag\fR.key
Public key in RR format
.TP
K\fIname\fR+\fIalg_id\fR+\fIkey_tag\fR.private
Private key in BIND key format
.TP
The three parts of the file name means the following:
.RS
.TP
.I name
The owner name given by the
.B \-\-name
argument.
.TP
.I alg_id
A numeric representation of the
.B \-\-algorithm
argument.
.TP
.I key_tag
Is a checksum of the DNSKEY RDATA.
.RE
.SH OPTIONS
.TP
.B \-\-topkcs8
Convert from BIND .private-key format to PKCS#8.
.br
Use with
.BR \-\-in ,
.BR \-\-out ,
and
.BR \-\-pin .
.TP
.B \-\-tobind
Convert from PKCS#8 to BIND .private-key format.
.br
Use with
.BR \-\-in ,
.BR \-\-pin ,
.BR \-\-name ,
.BR \-\-ttl ,
.BR \-\-ksk ,
and
.BR \-\-algorithm .
.TP
.B \-\-algorithm \fIalgorithm\fR
Specifies which DNSSEC
.I algorithm
to use when converting to BIND format.
The supported algorithms are:
.RS
.RS
.nf
RSAMD5
DSA
RSASHA1
RSASHA1-NSEC3-SHA1
DSA-NSEC3-SHA1
RSASHA256
RSASHA512
.fi
.RE
.RE
.TP
.B \-\-help\fR, \fB\-h\fR
Shows the help screen.
.TP
.B \-\-in \fIpath\fR
The 
.I path
to the input file.
.TP
.B \-\-ksk
This will set the flag field to 257 instead of 256
in the DNSKEY RR in the .key file.
Indicating that the key is a Key Signing Key.
Can be used when converting to BIND format.
.TP
.B \-\-name \fIname\fR
The owner
.I name
to use in the BIND file name and in the DNSKEY RR.
Do not forget the trailing dot, e.g. "example.com."
.TP
.B \-\-out \fIpath\fR
The
.I path
to the output file.
.TP
.B \-\-pin \fIPIN\fR
The
.I PIN
will be used to encrypt or decrypt the PKCS#8
file depending if we are converting to or from PKCS#8.
If not given then the PKCS#8 file is assumed to be unencrypted.
.TP
.B \-\-ttl \fITTL\fR
The
.I TTL
to use for the DNSKEY RR.
Optional, this will default to 3600 seconds.
.TP
.B \-\-version\fR, \fB\-v\fR
Show the version info.
.SH EXAMPLES
To convert a BIND .private-key file to a PKCS#8 file, the following command can be used:
.LP
.RS
.nf
softhsm-keyconv \-\-in Kexample.com.+007+05474.private \\
.ti +0.7i
\-\-out rsa.pem
.fi
.RE
.LP
To convert a PKCS#8 file to BIND key files, the following command can be used:
.LP
.RS
.nf
softhsm-keyconv \-\-in rsa.pem \-\-name example.com. \\
.ti +0.7i
\-\-ksk \-\-algorithm RSASHA1-NSEC3-SHA1
.fi
.RE
.LP
.SH AUTHOR
Written by Rickard Bellgrim.
.SH "SEE ALSO"
.IR softhsm (1),
.IR softhsm.conf (5),
.IR openssl (1),
.IR named (1),
.IR dnssec-keygen (1),
.IR dnssec-signzone (1)