Managing Key Pairs
The following topics are described in this section:
Understanding Key Pairs
RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is widely used by certificate authorities and SSL servers to generate key pairs. Each certificate authority and each SSL server has its own RSA key pair. The SSL server sends its public key to the certificate authority when enrolling for a certificate, and then uses that certificate to prove its identity to clients when setting up an SSL session.
Note The SSL Services Module supports only general-purpose keys.
When you generate general-purpose keys, only one pair of RSA keys is generated. Named key pairs allow you to have multiple RSA key pairs, so that the Cisco IOS software can maintain a different key pair for each identity certificate. We recommend that you specify a name for the key pairs.
When you generate RSA keys, you are prompted to enter a modulus length in bits. The SSL Services Module supports modulus lengths of 512, 768, 1024, 1536, and 2048 bits. Although you can specify 512 or 768, we recommend a minimum modulus length of 1024. A longer modulus takes longer to generate and takes longer to use, but it offers stronger security.
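As an added example (not part of the Cisco documentation), the following stdlib-only Python parses a PKCS#1 "RSA PUBLIC KEY" PEM block, reads the modulus length, and checks it against the supported lengths and recommended minimum stated above before a key is handed to the Key Pair Import Wizard. The sample moduli it builds are constructed values chosen only for their bit length, not real keys.

```python
import base64

SUPPORTED_MODULUS_BITS = (512, 768, 1024, 1536, 2048)  # accepted by the SSL Services Module (from the page)
RECOMMENDED_MIN_BITS = 1024                            # the page's recommended minimum

def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value):
    """DER INTEGER for a non-negative int; the +8 yields a 0x00 pad byte when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def rsa_public_key_pem(n, e):
    """Wrap (n, e) as a PKCS#1 RSAPublicKey SEQUENCE in 'RSA PUBLIC KEY' PEM armour."""
    body = _der_int(n) + _der_int(e)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PUBLIC KEY-----\n%s\n-----END RSA PUBLIC KEY-----\n" % wrapped

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def modulus_bits_from_pem(pem):
    """Return the modulus bit length of a PKCS#1 'RSA PUBLIC KEY' PEM block."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE at the top level")
    tag, n_bytes, _ = _read_tlv(seq, 0)  # the first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("expected an INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def check_import_candidate(pem):
    """Classify a key for SSLM import: 'unsupported', 'weak' (accepted but below 1024), or 'ok'."""
    bits = modulus_bits_from_pem(pem)
    if bits not in SUPPORTED_MODULUS_BITS:
        return bits, "unsupported"
    return bits, ("weak" if bits < RECOMMENDED_MIN_BITS else "ok")
```

Run `check_import_candidate` on the exported public-key PEM before importing; a "weak" result is a 512- or 768-bit key the module accepts but the page advises against.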
Viewing Key Pairs
The Key Pairs page shows all key pairs configured on a Trustpoint.
To view all Key Pairs:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane.
Step 2 Select Trustpoints > Key Pairs from the object selector.
The following information is displayed for Key Pairs:
Select a key pair to view details. The following details are displayed at the lower part of the content window:
Key Pair Details
Click Add to add a new key pair.
Select a key pair from the table, then click Delete to delete a key pair.
Click Import to launch the Key Pair Import Wizard.
Click Export to launch the Key Pair Export Wizard.
Adding Key Pairs
Step 1 Click Setup at the top of the window, click PKI in the left-most pane.
Step 2 Select Trustpoints > Key Pairs from the object selector.
Step 3 Click Add. The Add New Key Pair dialog box appears.
Step 4 Modify the appropriate values.
Deleting Key Pairs
You can delete key pairs. Deleting a key pair will delete all Certificates issued using the selected keys.
To delete key pairs:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Key Pairs from the object selector.
Step 2 Click Delete. The Key Pair Deletion confirmation box appears.
Step 3 Click Yes to delete the key pair.
Key Pair Wizard
You can import and export key pairs in privacy-enhanced mail (PEM) file format. The Key Pair Wizard allows you to import and export key pairs.
Key Pair Import Wizard
The Key Pair Import Wizard allows you to import RSA key pairs in PEM format to the SSLM.
To import a Key Pair:
Step 1 Specify Key Pair Name and Source.
Step 2 Specify Public and Private Keys.
Step 3 Click Finish.
Specify Key Pair Name and Source
This page of the Key Pair Import Wizard allows you to enter the key pair name and the source from which the key pair is to be imported.
The following fields are displayed:
Public and Private Keys (Local Hard Disk)
If you select Local Hard Disk, the following fields appear:
Public and Private Keys (Copy-and-Paste)
If you select Copy-and-Paste, the following fields appear:
Public and Private Keys (Remote System)
If you select Remote System, the following fields appear:
Key Pair Export Wizard
The Key Pair Export Wizard allows you to export an RSA key pair in PEM format.
You can export key pairs to a local hard disk or a remote system. Alternatively, you can copy and paste the key pair values.
To export key pairs:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Key Pairs from the object selector.
Step 2 Select a Key Pair from the table.
Step 3 Click Export. The Export Key Pair dialog box appears.
Step 4 Select a Destination type.
Step 5 Specify destination file names and encryption parameters. The fields in the dialog box vary according to the destination type you select.
Step 6 Click Finish to complete exporting.
Key Pair Destination
The Key Pair Destination page of the wizard allows you to select the key pair destination.
You can select any one of the destination types:
• Local Hard Disk—to export the keys to a client workstation.
• Copy-and-Paste—to copy-and-paste the public and private keys.
• Remote System—to export the keys to a remote system using TFTP, FTP, SCP, or RCP.
If you selected Local Hard Disk, the next step is to specify Destination Files and Encryption Parameters (Local Hard Disk).
If you selected Copy-and-Paste, the next step is to specify Encryption Parameters (Copy-and-paste).
If you selected Remote System, the next step is to specify Destination Files and Encryption Parameters (Remote System).
Destination Files and Encryption Parameters (Local Hard Disk)
The Destination Files and Encryption Parameters page of the wizard allows you to enter the destination file names of the public and private keys on the client station, and the encryption parameters.
If you select Local Hard Disk the following fields appear:
Enter the details, then click Next.
Encryption Parameters (Copy-and-paste)
You can enter the encryption type and pass phrase to protect the private key.
The following fields appear:
Destination Files and Encryption Parameters (Remote System)
The Destination Files and Encryption Parameters page of the wizard allows you to enter the destination file names of the public and private keys on the client station, and the encryption parameters.
If you select Remote System, the following fields appear:
Key Pair Wizard Summary
When you use a wizard to perform a configuration, the wizard's Summary screen displays the values that you have configured. You can examine those values and click the wizard's Back button to return to a screen on which you need to make a change. When you have made the changes, click the Finish button to save your changes and leave the wizard.
Key Pair Wizard Status
The Key Pair Wizard Status dialog box provides the status details of the Trustpoint configuration tasks. The details displayed vary according to the task you selected. The dialog box displays the status of each task.
The configuration performed on the module is displayed in the content area. If any task fails, you can review the task details and take necessary action.
How Do I...
The How do I section explains how to accomplish a task using the CVDM.
The following tasks are explained:
• How Do I Add a New Key Pair?
How Do I Add a New Key Pair?
To add a new key pair:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane.
Step 2 Select Trustpoints > Key Pairs from the object selector.
Step 3 Click Add. The Add New Key Pair dialog box appears.
Step 4 Modify the appropriate values in the page, then click OK.
How Do I Import a Key Pair?
You can use the Key Pair Import Wizard to import a key pair. The wizard allows you to import RSA key pairs in PKCS12 or PEM format to the SSLM.
To import a key pair:
Step 1 Launch the Key Pair Import Wizard.
Step 2 Enter the key pair name and the source from which the key pair is to be imported.
Step 3 Enter the public and private key information.
Posted: Fri Apr 15 01:12:10 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.