Generate Key Pairs
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
Tip
This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.
A DNS server running Windows Server® 2008 R2 is required to generate key pairs. Perform this procedure in a secure facility. The keys that you generate are based on the key rollover mechanism you have chosen. For more information about key rollover mechanisms, see Identify the Rollover Mechanism.
Tip
When you configure key lengths, longer keys provide greater security but have a greater impact on performance. The length of the ZSK affects performance more than the length of the KSK, because the ZSK signs every resource record set in the zone while the KSK signs only the DNSKEY record set.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Generating key pairs
Use the following procedures to generate key pairs. Keys are stored in a self-signed certificate in the local computer certificate store, in the MS-DNSSEC container.
To generate a KSK
Open an elevated command prompt.
Type the following command, and then press ENTER:
DnsCmd /OfflineSign /GenKey /Alg rsasha1 /Flags KSK /Length <length> /Zone <zone name> /SSCert /FriendlyName KSK-<zone name>
To generate a ZSK
Open an elevated command prompt.
Type the following command, and then press ENTER:
DnsCmd /OfflineSign /GenKey /Alg rsasha1 /Length <length> /Zone <zone name> /SSCert /FriendlyName ZSK-<zone name>
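The two procedures above run the same dnscmd command with and without the /Flags KSK switch. The following PowerShell script is an added example, not part of the original topic and not Microsoft's own tooling: it wraps both dnscmd invocations, rejects key lengths and timestamps that dnscmd would refuse (the 512 to 4096 bit range in 64-bit increments and the YYYYMMDDHHMMSS format from the parameter table), and then lists the resulting self-signed certificates. The default lengths (2048-bit KSK, 1024-bit ZSK), the parameter names, and the assumption that the MS-DNSSEC container is reachable through the certificate provider as Cert:\LocalMachine\MS-DNSSEC are the example's own choices, not values from the page.

```powershell
# Added example (not from the original topic): generate a DNSSEC KSK and ZSK
# for one zone with dnscmd.exe. Run from an elevated PowerShell prompt on the
# Windows Server 2008 R2 DNS server used for offline signing.
param(
    [Parameter(Mandatory = $true)] [string] $ZoneName,  # FQDN of the zone, e.g. example.com
    [int] $KskLength = 2048,   # assumed default; the page only gives the 512..4096 range
    [int] $ZskLength = 1024,   # assumed default
    [string] $ValidFrom = '',  # optional, local time as YYYYMMDDHHMMSS
    [string] $ValidTo = ''     # optional, local time as YYYYMMDDHHMMSS
)

function Test-KeyLength {
    param([int] $Length)
    # dnscmd accepts 512..4096 bits in 64-bit increments (see the parameter table).
    return ($Length -ge 512 -and $Length -le 4096 -and ($Length % 64) -eq 0)
}

function Test-Timestamp {
    param([string] $Value)
    # Required format is YYYYMMDDHHMMSS; an empty value means "use dnscmd's default".
    if ([string]::IsNullOrEmpty($Value)) { return $true }
    if ($Value -notmatch '^\d{14}$') { return $false }
    $parsed = [datetime]::MinValue
    return [datetime]::TryParseExact($Value, 'yyyyMMddHHmmss', $null,
        [System.Globalization.DateTimeStyles]::None, [ref] $parsed)
}

function Invoke-DnsKeyGen {
    param([string] $Zone, [int] $Length, [bool] $IsKsk, [string] $From, [string] $To)
    $prefix  = if ($IsKsk) { 'KSK' } else { 'ZSK' }
    $argList = @('/OfflineSign', '/GenKey', '/Alg', 'rsasha1')
    # Without /Flags only the Zone Key bit is set, which makes the key a ZSK.
    if ($IsKsk) { $argList += @('/Flags', 'KSK') }
    $argList += @('/Length', $Length, '/Zone', $Zone, '/SSCert', '/FriendlyName', "$prefix-$Zone")
    if ($From) { $argList += @('/ValidFrom', $From) }
    if ($To)   { $argList += @('/ValidTo', $To) }
    Write-Host "dnscmd $($argList -join ' ')"
    & dnscmd.exe @argList
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd failed while generating the $prefix for $Zone (exit code $LASTEXITCODE)"
    }
}

# Validate before touching the certificate store.
foreach ($len in @($KskLength, $ZskLength)) {
    if (-not (Test-KeyLength $len)) {
        throw "Key length $len is not between 512 and 4096 bits in 64-bit increments"
    }
}
if ($ZskLength -gt $KskLength) {
    # Common practice, not a dnscmd requirement: the KSK is the long-lived trust anchor,
    # the ZSK is the key that costs signing time, so the KSK is normally the longer one.
    Write-Warning "ZSK ($ZskLength bits) is longer than the KSK ($KskLength bits)"
}
foreach ($ts in @($ValidFrom, $ValidTo)) {
    if (-not (Test-Timestamp $ts)) { throw "Timestamp '$ts' is not in YYYYMMDDHHMMSS format" }
}

Invoke-DnsKeyGen -Zone $ZoneName -Length $KskLength -IsKsk $true  -From $ValidFrom -To $ValidTo
Invoke-DnsKeyGen -Zone $ZoneName -Length $ZskLength -IsKsk $false -From $ValidFrom -To $ValidTo

# Confirm both self-signed certificates landed in the MS-DNSSEC container.
# Assumption: the certificate provider exposes it as Cert:\LocalMachine\MS-DNSSEC.
Get-ChildItem Cert:\LocalMachine\MS-DNSSEC |
    Where-Object { $_.FriendlyName -like "*-$ZoneName" } |
    Select-Object FriendlyName, NotBefore, NotAfter, Thumbprint
```

Save the script as, for example, New-DnssecKeys.ps1 and run it as `.\New-DnssecKeys.ps1 -ZoneName example.com`; pass -ValidFrom and -ValidTo only when the default validity period (now minus 1 hour, for 5 years) does not match the rollover schedule chosen earlier. The final listing is the check worth keeping: a missing KSK-<zone name> or ZSK-<zone name> entry means the corresponding dnscmd call did not complete, whatever the console output suggested.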
Value | Description
---|---
dnscmd | The command-line tool for managing DNS servers.
/OfflineSign | Required. Used with the GenKey, DeleteKey, ImportKey, or SignZone commands to modify certificates and keys or to sign a zone file.
/GenKey | Required. Generates a self-signed certificate with a private key.
/Alg | Required. Used with rsasha1 to specify the algorithm of the signing key. Currently, only RSA/SHA-1 is supported.
rsasha1 | Required. Specifies that the RSA/SHA-1 algorithm is used for the signing key.
/Flags | Used with KSK to specify the flags in the DNSKEY record. Currently, only KSK is supported, which indicates that the Zone Key bit and the Secure Entry Point bit are turned on. If /Flags is not specified, only the Zone Key bit is turned on, which indicates a zone signing key.
KSK | Specifies that the KSK flag in the DNSKEY record is used.
/Length | Required. Used with <length> to specify the number of bits in the key.
<length> | Required. Number of bits in the key. Allowed values are from 512 to 4096 bits, in 64-bit increments.
/Zone | Required. Used with <zone name> to specify the fully qualified domain name (FQDN) of the zone.
<zone name> | Required. The FQDN of the zone.
/SSCert | Required. Specifies that the key will be stored in a self-signed certificate.
/FriendlyName | Used with KSK-<zone name> or ZSK-<zone name> to specify the friendly name of the self-signed certificate.
KSK-<zone name> | Specifies the friendly name of the self-signed certificate used with a KSK.
ZSK-<zone name> | Specifies the friendly name of the self-signed certificate used with a ZSK.
/ValidFrom | Optional. Used with <validfromtime> to specify the start time for the validity period of the certificate. If not specified, the default is the current time minus 1 hour.
<validfromtime> | Specifies the local start time for the validity period of the certificate. The required format is YYYYMMDDHHMMSS.
/ValidTo | Optional. Used with <validtotime> to specify the end time for the validity period of the certificate. If not specified, the certificate is valid for 5 years.
<validtotime> | Specifies the local end time for the validity period of the certificate. The required format is YYYYMMDDHHMMSS.