Share via


Generate Key Pairs

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Tip

This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

A DNS server running Windows ServerĀ® 2008 R2 is required to generate key pairs. Perform this procedure in a secure facility. The keys that you generate are based on the key rollover mechanism you have chosen. For more information about key rollover mechanisms, see Identify the Rollover Mechanism.

Tip

When you configure key lengths, longer key lengths provide greater security but have a greater impact on performance. The length of a ZSK affects performance more than KSK length.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Generating key pairs

Use the following procedures to generate key pairs. Keys are stored in a self-signed certificate in the local computer certificate store, in the MS-DNSSEC container.

To generate a KSK

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    DnsCmd /OfflineSign /GenKey /Alg rsasha1 /Flags KSK /Length <length> /Zone <zone name> /SSCert /FriendlyName KSK-<zone name>
    

To generate a ZSK

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    DnsCmd /OfflineSign /GenKey /Alg rsasha1 /Length <length> /Zone <zone name> /SSCert /FriendlyName ZSK-<zone name>
    
Value Description

dnscmd

The command-line tool for managing DNS servers.

/OfflineSign

Required. Used with the GenKey, DeleteKey, ImportKey, or SignZone commands to modify certificates and keys or to sign a zone file.

/GenKey

Required. Generates a self-signed certificate with a private key.

/Alg

Required. Used with rshsha1 to specify the algorithm of the signing key. Currently, only RSA/SHA-1 is supported.

rshsha1

Required. Specifies the RSA/SHA-1 algorithm is used for the signing key.

/Flags

Used with KSK to specify the flags in DNSKEY. Currently, only KSK is supported, which indicates that the Zone Key bit and the Secure Entry Point bit are turned on. If /flags is not specified, then only the Zone Key bit is turned on, which indicates a zone signing key.

KSK

Specifies the KSK flag in DNSKEY is used.

/Length

Required. Used with <length> to specify the number of bits used in the key.

<length>

Required. Numerical value of bits used in the key. The allowed values for length are from 512 bits to 4096 bits, in 64 bit increments.

/Zone

Required. Used with <zone name> to specify the fully qualified domain name (FQDN) of the zone.

<zone name>

Required. The FQDN of the zone.

/SSCert

Required. Specifies that the key will be stored in a self-signed certificate.

/FriendlyName

Used with KSK-<zone name> or ZSK-<zone name> to specify the friendly name of the self-signed certificate.

KSK-<zone name>

Specifies the friendly name of the self-signed certificate used with a KSK.

ZSK-<zone name>

Specifies the friendly name of the self-signed certificate used with a ZSK.

/ValidFrom

Used with <validfromtime> to specify the start time for the validity period of the certificate. If not specified, the default will be current time minus 1 hour.

<validfromtime>

Specifies the local start time for the validity period of the certificate. The required format is YYYYMMDDHHMMSS.

/ValidTo

Used with <validtotime> to specify the end time for the validity period of the certificate. If not specified, the certificate will be valid for 5 years.

<validtotime>

Specifies the local end time for the validity period of the certificate. The required format is YYYYMMDDHHMMSS.

See Also

Concepts

Checklist: Signing a Zone
When to Re-sign a Zone File