Key Management

Warning

Private keys are secret. These keys should never need to leave the firewall, with the exception of backups. The CA does not need the private key to sign a request.

TNSR can generate RSA key pairs with sizes of 2048, 3072, or 4096 bits. Longer keys are stronger than shorter keys. RSA keys smaller than 2048 bits are no longer considered secure in practice, and are thus not allowed.

Generate a Key Pair

To generate a new key pair named mycert with a length of 4096 bits:

tnsr# pki private-key mycert generate key-length 4096
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

The key pair is stored in a file at /etc/pki/tls/tnsr/private/<name>.key.

Note

Remember that the private key, CSR, and certificate must all use identical names!

Importing a Key Pair

In addition to generating a key pair on TNSR, a private key may also be imported from an outside source. The key data can be imported in one of two ways:

  • Use pki private-key <name> enter, then copy and paste the PEM data

  • Copy the PEM format key file to the TNSR host, then use pki private-key <name> import <file> to import the key from a file in the current working directory.

Copy and Paste

First, use the enter command:

tnsr# pki private-key mycert enter
Type or paste a PEM-encoded private key.
Include the lines containing 'BEGIN PRIVATE KEY' and 'END PRIVATE KEY'

Next, paste the key data:

-----BEGIN PRIVATE KEY-----
<key data>
-----END PRIVATE KEY-----

Import from File

First, make sure that the copy of the key file is in PEM format.

Next, copy the key file to TNSR and start the CLI from the directory containing this file. The filename extension is not significant: it may be .key, .pem, .txt, or anything else, depending on how the file was originally created.

Next, use the import command:

tnsr# pki private-key mycert import mycert.key
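A pre-import check for the key file, as an added example that is not part of the TNSR documentation: it confirms the file carries exactly the armor lines the TNSR prompt names and, using openssl (assumed to be installed on the host where the file is prepared), that the key meets the 2048-bit minimum. The file names, the helper names and the hint about converting a PKCS#1 header are this example's own assumptions.

```sh
#!/bin/sh
# Pre-import checks for a PEM private key destined for
# `pki private-key <name> import <file>`. Added example, not TNSR code.

# check_pem_armor FILE
# Returns 0 when the first and last non-blank lines are the
# 'BEGIN PRIVATE KEY' / 'END PRIVATE KEY' armor lines the TNSR prompt asks
# for; otherwise prints the reason on stderr and returns 1.
check_pem_armor() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    first=$(grep -v '^[[:space:]]*$' "$f" | head -n 1)
    last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)
    case $first in
        "-----BEGIN PRIVATE KEY-----") ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo "$f: key is passphrase-protected; the prompt expects an unencrypted key" >&2
            return 1 ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # PKCS#1 header: not the header the prompt names; conversion with
            # 'openssl pkcs8 -topk8 -nocrypt' yields the PKCS#8 form (assumption).
            echo "$f: PKCS#1 header, expected 'BEGIN PRIVATE KEY' (PKCS#8)" >&2
            return 1 ;;
        *)  echo "$f: first line is not a PEM private key header" >&2; return 1 ;;
    esac
    if [ "$last" != "-----END PRIVATE KEY-----" ]; then
        echo "$f: missing 'END PRIVATE KEY' line (truncated paste?)" >&2
        return 1
    fi
    return 0
}

# check_key_length FILE [MIN_BITS]
# Parses the key with openssl and rejects anything below MIN_BITS (default 2048,
# the smallest size TNSR accepts). Handles both "Private-Key: (N bit)" and
# "RSA Private-Key: (N bit, 2 primes)" output formats.
check_key_length() {
    f=$1; min=${2:-2048}
    bits=$(openssl pkey -in "$f" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1)
    [ -n "$bits" ] || { echo "$f: openssl could not parse the key" >&2; return 1; }
    if [ "$bits" -lt "$min" ]; then
        echo "$f: $bits-bit key is below the $min-bit minimum" >&2
        return 1
    fi
    return 0
}

# Usage: check_pem_armor mycert.key && check_key_length mycert.key && echo "ready to import"
```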

Other Key Operations

To view a list of all current keys known to TNSR:

tnsr# pki private-key list
  mycert

To view the contents of the private key named mycert in PEM format:

tnsr# pki private-key mycert get
-----BEGIN PRIVATE KEY-----
<key data>
-----END PRIVATE KEY-----

Warning

When making a backup copy of this key, store the backup in a protected, secure location. Include the armor lines (BEGIN, END) when making a backup copy of the key.

To delete a key pair which is no longer necessary:

tnsr# pki private-key <name> delete

Warning

Do not delete a private key associated with a CSR or Certificate which is still in use!