Private keys are secret. These keys should never need to leave the firewall, with the exception of backups. The CA does not need the private key to sign a request.
TNSR can generate RSA key pairs with sizes of 2048, 3072, or 4096 bits. Larger keys are more secure than shorter keys. RSA Keys smaller than 2048 bits are no longer considered secure in practice, and are thus not allowed.
Generate a Key Pair¶
To generate a new key pair named
mycert with a length of 4096 bits:
tnsr# pki private-key mycert generate key-length 4096 -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY-----
The key pair is stored in a file at
Remember that the private key, CSR, and certificate must all use identical names!
Importing a Key Pair¶
In addition to generating a key pair on TNSR, a private key may also be imported from an outside source. The key data can be imported in one of two ways:
pki private-key <name> enterthen copy and paste the PEM data
- Copy the PEM format key file to the TNSR host, then use
pki private-key <name> import <file>to import from a file from the current working directory.
Copy and Paste¶
First, use the
tnsr# pki private-key mycert enter Type or paste a PEM-encoded private key. Include the lines containing 'BEGIN PRIVATE KEY' and 'END PRIVATE KEY'
Next, paste the key data:
-----BEGIN PRIVATE KEY----- <key data> -----END PRIVATE KEY-----
Import from File¶
First, make sure that the copy of the key file is in PEM format.
Next, copy the key file to TNSR and start the CLI from the directory containing
this file. The filename extension is not significant, and may be
txt, or anything else depending on how the file was
Next, use the
tnsr# pki private-key mycert import mycert.key
Other Key Operations¶
To view a list of all current keys known to TNSR:
tnsr# pki private-key list mycert
To view the contents of the private key named
mycert in PEM format:
tnsr# pki private-key mycert get -----BEGIN PRIVATE KEY----- <key data> -----END PRIVATE KEY-----
When making a backup copy of this key, store the backup in a
protected, secure location. Include the armor lines (
making a backup copy of the key.
To delete a key pair which is no longer necessary:
tnsr# pki private-key <name> delete
Do not delete a private key associated with a CSR or Certificate which is still in use!