Public Key InfrastructureΒΆ

TNSR supports Public Key Infrastructure (PKI) X.509 certificates for various uses by the router and supporting software. PKI uses a pair of keys to encrypt and authenticate data, one public and one private. The private key is known only to its owner, and the public key can be known by anyone.

PKI works in an asymmetric fashion. A message is encrypted using the public key, and can only be decrypted by the private key. The private key can also be used to digitally sign a message to prove it originated from the key holder, and this signature can be validated using the public key. Combined with certificates, this provides a means to identify an entity and encrypt communications.

A Certificate Authority (CA) independently verifies the identity of the entity making a request for a certificate, and then signs a request, yielding a certificate. This certificate can then be validated against the certificate of the CA itself by anyone who has access to that CA certificate. In some cases, this CA may be an intermediate, meaning it is also signed by another CA above it. All together, this creates a chain of trust starting with the root CA all the way down to individual certificates. So as long as the CA is trustworthy, any certificate it has signed can be considered trustworthy.

Due to their size and private nature, certificates and keys are stored on the filesystem and not in the XML configuration. PKI files are stored under the following locations:

  • Certificate Authorities: /etc/pki/tls/tnsr/CA/
  • Certificates and Signing Requests: /etc/pki/tls/tnsr/certs/
  • Private Keys: /etc/pki/tls/tnsr/private/

A key pair, CSR, and certificate associated with each other must all have the same name.

The process for creating a certificate is as follows:

  • Create keys for name.
  • Create a certificate signing request for name with the attributes to use for the certificate.
  • Submit the CSR to a CA, which will sign the CSR and return a certificate.
  • Enter or import the certificate contents for name into TNSR.