Key Management¶
Warning
Private keys are secret. These keys should never need to leave the router, with the exception of backups. The CA does not need the private key to sign a request.
TNSR can generate RSA key pairs with sizes of 2048, 3072, or 4096 bits. Larger keys are more secure than shorter keys. RSA Keys smaller than 2048 bits are no longer considered secure in practice, and are thus not allowed.
Generate a Key Pair¶
To generate a new key pair named mycert
with a length of 4096 bits:
tnsr# pki private-key mycert generate key-length 4096
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
The key pair is stored in a file at /etc/pki/tls/tnsr/private/<name>.key
.
Note
Remember that the private key, CSR, and certificate must all use identical names!
Importing a Key Pair¶
In addition to generating a key pair on TNSR, a private key may also be imported from an outside source. The key data can be imported in one of two ways:
Use
pki private-key <name> enter
then copy and paste the PEM dataCopy the PEM format key file to the TNSR host, then use
pki private-key <name> import <file>
to import from a file from the current working directory.
Copy and Paste¶
First, use the enter
command:
tnsr# pki private-key mycert enter
Type or paste a PEM-encoded private key.
Include the lines containing 'BEGIN PRIVATE KEY' and 'END PRIVATE KEY'
Next, paste the key data:
-----BEGIN PRIVATE KEY-----
<key data>
-----END PRIVATE KEY-----
Import from File¶
First, make sure that the copy of the key file is in PEM format.
Next, copy the key file to TNSR and start the CLI from the directory containing
this file. The filename extension is not significant, and may be key
,
pem
, txt
, or anything else depending on how the file was
originally created.
Next, use the import
command:
tnsr# pki private-key mycert import mycert.key
Other Key Operations¶
To view a list of all current keys known to TNSR:
tnsr# pki private-key list
mycert
To view the contents of the private key named mycert
in PEM format:
tnsr# pki private-key mycert get
-----BEGIN PRIVATE KEY-----
<key data>
-----END PRIVATE KEY-----
Warning
When making a backup copy of this key, store the backup in a protected,
secure location. Include the armor lines (BEGIN
, END
) when making a
backup copy of the key.
To delete a key pair which is no longer necessary:
tnsr# pki private-key <name> delete
Warning
Do not delete a private key associated with a CSR or Certificate which is still in use!