ods-hsmutil — OpenDNSSEC HSM utility


ods-hsmutil [-c config] [-v] command [options]


The ods-hsmutil utility is mainly used for debugging or testing. It is designed to interact directly with your HSM and can be used to manually list, create or delete keys. It can also be used to perform a set of basic HSM tests. Be careful before creating or deleting keys using ods-hsmutil, as the changes are not synchronized with the KASP Enforcer.

The repositories are configured by the user in the OpenDNSSEC configuration file. The configuration contains the name of the repository, the token label, the user PIN, and the path to its shared library.
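A repository entry may or may not carry its PIN in conf.xml, and that decides whether the PIN has to be supplied interactively. The following added example (not part of the OpenDNSSEC distribution) parses the repository list and reports, per repository, whether a PIN is stored in the file, without ever echoing the PIN itself. The element names (Repository with a name attribute, Module, TokenLabel, PIN) are assumed from the usual conf.xml layout, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names are assumed from the usual conf.xml layout
# (Repository/@name, Module, TokenLabel, PIN). All values are made up.
SAMPLE_CONF = """<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/lib/softhsm/libsofthsm2.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
    <Repository name="ProdHSM">
      <Module>/opt/example/lib/libpkcs11.so</Module>
      <TokenLabel>KSK-token</TokenLabel>
    </Repository>
  </RepositoryList>
</Configuration>
"""


def audit_repositories(conf_xml):
    """Return one record per repository; the PIN value itself is never returned."""
    root = ET.fromstring(conf_xml)
    report = []
    for repo in root.iter("Repository"):
        pin = (repo.findtext("PIN") or "").strip()
        report.append({
            "name": repo.get("name"),
            "token_label": (repo.findtext("TokenLabel") or "").strip(),
            "module": (repo.findtext("Module") or "").strip(),
            "pin_in_config": bool(pin),  # presence only, never the value
        })
    return report


def needs_interactive_login(report):
    """Names of repositories whose PIN is not stored in the configuration file."""
    return [r["name"] for r in report if not r["pin_in_config"]]


if __name__ == "__main__":
    for r in audit_repositories(SAMPLE_CONF):
        where = "stored in conf.xml" if r["pin_in_config"] else "must be entered interactively"
        print(f'{r["name"]}: token "{r["token_label"]}", module {r["module"]}, PIN {where}')
```

A repository flagged with a stored PIN means the configuration file is itself a credential and its file permissions deserve the same care as the token.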



If there is no PIN in conf.xml, then this command will ask for it and log in. The PINs are stored in shared memory and are accessible to the other daemons.


Will erase the semaphore and the shared memory containing any credentials. Authenticated processes will still be able to interact with the HSM.

list [repository]

List the keys that are available in all or one repository

generate repository rsa keysize

Generate a new RSA key with the given keysize in the repository

remove id

Delete the key with the given id

purge repository

Delete all keys in one repository

dnskey id name

Create a DNSKEY RR for the given owner name based on the key with this id

test repository

Perform a number of tests on a repository


Show detailed information about all repositories


-c config

Path to an OpenDNSSEC configuration file (defaults to /etc/opendnssec/conf.xml)


Show the help screen


-v

Output more information by increasing the verbosity level

ods-hsmutil was written by Jakob Schlyter as part of the OpenDNSSEC project.

