
Table Of Contents

Managing Key Pairs

Understanding Key Pairs

Viewing Key Pairs

Adding Key Pairs

Deleting Key Pairs

Key Pair Wizard

Key Pair Import Wizard

Key Pair Export Wizard

How Do I...

How Do I Add a New Key Pair?

How Do I Import a Key Pair?


Managing Key Pairs


The following topics are described in this section:

Understanding Key Pairs

Viewing Key Pairs

Adding Key Pairs

Deleting Key Pairs

Key Pair Wizard

How Do I...

Understanding Key Pairs

RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is widely used by certificate authorities and SSL servers to generate key pairs. Each certificate authority and each SSL server has its own RSA key pair. The SSL server sends its public key to the certificate authority when enrolling for a certificate. The SSL server uses the certificate to prove its identity to clients when setting up the SSL session.


Note The SSL Services Module supports only general-purpose keys.


When you generate general-purpose keys, only one pair of RSA keys is generated. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate. We recommend that you specify a name for the key pairs.

When you generate RSA keys, you are prompted to enter a modulus length in bits. The SSL Services Module supports modulus lengths of 512, 768, 1024, 1536, and 2048 bits. Although you can specify 512 or 768, we recommend a minimum modulus length of 1024. A longer modulus takes longer to generate and takes longer to use, but it offers stronger security.
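
The modulus lengths above can be checked on a public key that has already been exported in PEM format. The following is an added example, not part of the original documentation: it assumes the public key file is a standard "PUBLIC KEY" (SubjectPublicKeyInfo) PEM, and the function names and the sample key are constructed for illustration. The default threshold is the minimum this page recommends; pass a larger `minimum` to enforce a stricter local policy.

```python
import base64

SUPPORTED_BITS = (512, 768, 1024, 1536, 2048)  # modulus lengths listed on this page
RECOMMENDED_MIN = 1024                          # minimum the page recommends

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def modulus_bits(pem_text):
    """Modulus length in bits of a 'PUBLIC KEY' (SubjectPublicKeyInfo) PEM."""
    body = [l for l in pem_text.strip().splitlines() if not l.startswith("-----")]
    _, spki, _ = _tlv(base64.b64decode("".join(body)), 0)   # outer SEQUENCE
    _, _, pos = _tlv(spki, 0)                    # skip AlgorithmIdentifier
    tag, bits, _ = _tlv(spki, pos)               # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa, _ = _tlv(bits[1:], 0)                # skip the unused-bits octet
    tag, n, _ = _tlv(rsa, 0)                     # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(n, "big").bit_length()

def check_size(bits, minimum=RECOMMENDED_MIN):
    """Classify a modulus length against the page's list and minimum."""
    if bits not in SUPPORTED_BITS:
        return "unsupported"
    return "ok" if bits >= minimum else "below-minimum"

def _der(tag, value):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_pem(bits):
    """Constructed input: right-sized integer, NOT a usable RSA modulus."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = base64.encodebytes(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + spki + "-----END PUBLIC KEY-----\n"
```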

Viewing Key Pairs

The Key Pairs page shows all key pairs configured on a Trustpoint.

To view all Key Pairs:


Step 1 Click Setup at the top of the window, click PKI in the left-most pane.

Step 2 Select Trustpoints > Key Pairs from the object selector.

The following information is displayed for Key Pairs:

Field | Description
Name | Name associated with the key pair.
Key Size | Size of the keys in bits. Choose the size of the key modulus from the list. Supported key sizes are 512, 768, 1024, 1536, and 2048.
Usage | The purpose of the key. Only general purpose keys are supported by the SSLSM.
Generation / Import Time | The time when the key pair was generated or imported to the SSLSM.
Exportable | Check box indicating if the key pair can be exported. You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.


Select a key pair to view details. The following details are displayed at the lower part of the content window:

Key Pair Details

Field | Description

General
Key Pair Name | Name associated with the key pair.
Key Size (bits) | Size of the keys in bits.
Usage | The purpose of the key. Only general purpose keys are generated by the SSLSM.
Generation/Import Time | The time when the key pair was generated or imported to the SSLSM.
Exportable | Check box indicating if the key pair can be exported or not. You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.

Associated Trustpoints
Trustpoint Name | The names of the Trustpoints to which the key pair is associated.
Subject Name | Subject name of the certificate using the key.

Public Key | The hexadecimal value of the public key.


Click Add to add a new key pair.

Select a key pair from the table, then click Delete to delete a key pair.

Click Import to launch the Key Pair Import Wizard.

Click Export to launch the Key Pair Export Wizard.


Adding Key Pairs


Step 1 Click Setup at the top of the window, click PKI in the left-most pane.

Step 2 Select Trustpoints > Key Pairs from the object selector.

Step 3 Click Add. The Add New Key Pair dialog box appears.

Step 4 Modify the appropriate values.

Field | Description
Key Pair Name | Name associated with the key pair.
Usage | The purpose of the key.
Key Size (bits) | Size of the keys in bits. Choose the size of the key modulus from the list. Supported key sizes are 512, 768, 1024, 1536, and 2048.
Exportable | Check box indicating if the key pair can be exported. You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.



Deleting Key Pairs

You can delete key pairs. Deleting a key pair will delete all Certificates issued using the selected keys.

To delete key pairs:


Step 1 Click Setup at the top of the window, click PKI in the left-most pane. Select Trustpoints > Key Pairs from the object selector.

Step 2 Click Delete. The Key Pair Deletion confirmation box appears.

Step 3 Click Yes to delete the key pair.


Key Pair Wizard

You can import and export key pairs in privacy-enhanced mail (PEM) file format. The Key Pair Wizard allows you to import and export key pairs.

Key Pair Import Wizard

Key Pair Export Wizard

Key Pair Import Wizard

The Key Pair wizard allows you to import RSA Key pairs in PEM format to SSLM.

To import a Key Pair:


Step 1 Specify Key Pair Name and Source.

Step 2 Specify Public and Private Keys.

Step 3 Click Finish.


Specify Key Pair Name and Source

This page of the Key Pair Import Wizard allows you to enter the key pair name and the source from which the key pair is to be imported.

The following fields are displayed:

Field | Action/Description
Key Pair Name | The name of the key pair.
Allow Key Pair Export | Select the check box if you want to allow key pair export. You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.
Local Hard Disk | Select this if you are importing the key pair from a local hard disk.
Copy and Paste | Select this if you are using copy and paste to import the key pairs.
Remote System | Select this if you are importing from a remote system.


Public and Private Keys (Local Hard Disk)

If you select Local Hard Disk, the following fields appear:

Field | Description
Public Key File | The public key file you need to export. Enter the absolute path or browse and select the file from the local hard disk.
Private Key File | The private key file you need to export. Enter the absolute path or browse and select the file from the local hard disk.
Passphrase | The passphrase to be used to encrypt the key.


Public and Private Keys (Copy-and-Paste)

If you select Copy-and-Paste, the following fields appear:

Field | Description
Public Key | Copy-and-paste the public key here.
Passphrase | The passphrase that is used to protect the private key. The passphrase can be any phrase including spaces and punctuation except for question mark (?). Passphrase protection associates a passphrase to the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.
Private Key | Copy-and-paste the private key.


Public and Private Keys (Remote System)

If you select Remote System, the following fields appear:

Field | Description
Protocol | The protocol to use for the transfer.
IP Address | The IP address of the Remote System.
User Name | The user name.
Password | Password
Public Key File Name | The absolute path of the public key file.
Private Key File Name | The absolute path of the public key file.
Passphrase | The passphrase that is used to protect the private key. The passphrase can be any phrase including spaces and punctuation except for question mark (?). Passphrase protection associates a passphrase to the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.


Key Pair Export Wizard

The Key Pair Export Wizard allows you to export an RSA key pair in PEM format.

You can export key pairs to a local hard disk or a remote system. Alternatively you can copy-and-paste the key pair values.

To export key pairs:


Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Key Pairs from the object selector.

Step 2 Select a Key Pair from the table.

Step 3 Click Export. The Export Key Pair dialog box appears.

Step 4 Select a Destination type.

Step 5 Specify destination file names and encryption parameters. Fields in the dialog box vary according to the destination type you select.

Step 6 Click Finish to complete exporting.


Key Pair Destination

The Key Pair Destination page of the wizard allows you to select the key pair destination.

You can select any one of the destination types:

Local Hard Disk—to export the keys to a client workstation.

Copy-and-Paste—to copy-and-paste the public and private keys.

Remote System—to export the keys to a remote system using TFTP, FTP, SCP, or RCP.

If you have selected Local Hard Disk, the next step is to specify Destination Files and Encryption Parameters (Local Hard Disk).

If you have selected Copy-and-Paste, the next step is to specify Encryption Parameters (Copy-and-paste).

If you have selected Remote System, the next step is to specify Destination Files and Encryption Parameters (Remote System).

Destination Files and Encryption Parameters (Local Hard Disk)

The Destination Files and Encryption Parameters page of the wizard allows you to enter the destination file names of the public and private keys on the client station, and the encryption parameters.

If you select Local Hard Disk the following fields appear:

Field | Description
Public Key File | The public key file you need to export. Enter the absolute path or browse and select the file from the local hard disk.
Private Key File | The private key file you need to export. Enter the absolute path or browse and select the file from the local hard disk.
Encryption | The encryption to use for the key pair. The following encryption algorithms are supported: des specifies the 56-bit DES-CBC encryption algorithm; 3des specifies the 168-bit DES (3DES) encryption algorithm.
Passphrase | The passphrase that is used to protect the private key. The passphrase can be any phrase including spaces and punctuation except for question mark (?). Passphrase protection associates a passphrase to the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.
Confirm Passphrase | Confirm the passphrase to decrypt the key pair.


Enter the details, then click Next.


Encryption Parameters (Copy-and-paste)

You can enter the encryption type and pass phrase to protect the private key.

The following fields appear:

Field | Description
Encryption | Encryption used by the key pair. The following encryption algorithms are supported: des specifies the 56-bit DES-CBC encryption algorithm; 3des specifies the 168-bit DES (3DES) encryption algorithm.
Passphrase | The passphrase that is used to protect the private key. The passphrase can be any phrase including spaces and punctuation except for question mark (?). Passphrase protection associates a passphrase to the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.
Confirm Passphrase | Confirm the passphrase to decrypt the key pair.


Destination Files and Encryption Parameters (Remote System)

The Destination Files and Encryption Parameters page of the wizard allows you to enter the destination file names of the public and private keys on the client station, and the encryption parameters.

If you select Remote System, the following fields appear:

Field | Description
Protocol | The protocol to use for the transfer.
IP Address | The IP address of the remote system.
User Name | The user name.
Password | Password to be used for the remote system.
Public Key File | The absolute path of the public key file.
Private Key File | The absolute path of the public key file.
Encryption | Encryption used by the key pair. The following encryption algorithms are supported: des specifies the 56-bit DES-CBC encryption algorithm; 3des specifies the 168-bit DES (3DES) encryption algorithm.
Passphrase | The passphrase that is used to protect the private key. The passphrase can be any phrase including spaces and punctuation except for question mark (?). Passphrase protection associates a passphrase to the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.
Confirm Passphrase | Confirm the passphrase to use for decrypting the key pair.
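
An exported private key file can be checked to confirm which of the two encryption choices above actually protects it. The following is an added example, not part of the original documentation: it assumes the export writes a traditional "RSA PRIVATE KEY" PEM whose Proc-Type and DEK-Info header lines name the cipher, and the function names and sample files are constructed for illustration.

```python
# DEK-Info cipher names mapped to the wizard's Encryption choices on this page.
WIZARD_CIPHERS = {"DES-CBC": "des", "DES-EDE3-CBC": "3des"}

def audit_private_key_pem(pem_text):
    """Classify how an exported PEM private key is protected at rest."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN RSA PRIVATE KEY-----":
        return "not-an-rsa-private-key"
    headers = {}
    for line in lines[1:]:
        if ":" not in line:          # blank line or base64 body ends the headers
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return "unencrypted"         # key is readable by anyone holding the file
    cipher = headers.get("DEK-Info", "").split(",")[0].strip().upper()
    choice = WIZARD_CIPHERS.get(cipher)
    if choice is None:
        return "unknown-cipher"
    # des is the 56-bit option on this page; report it separately from 3des.
    return "weak-des" if choice == "des" else "3des"

def passphrase_accepted(passphrase):
    """Page rule: any phrase, spaces and punctuation included, except '?'."""
    return "?" not in passphrase

# Constructed samples: the header layout is the assumption stated in the
# lead-in; the base64 bodies are filler, not real key material.
SAMPLE_3DES = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgRklMTEVSIE5PVCBBIEtFWQ==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_DES = SAMPLE_3DES.replace("DES-EDE3-CBC", "DES-CBC")
SAMPLE_CLEAR = ("-----BEGIN RSA PRIVATE KEY-----\n"
                "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
```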


Key Pair Wizard Summary

When you use a wizard to perform a configuration, the wizard's Summary screen displays the values that you have configured. You can examine those values and click the wizard's Back button to return to a screen on which you need to make a change. When you have made the changes, click the Finish button to save your changes and leave the wizard.

Key Pair Wizard Status

The Key Pair Wizard Status dialog box provides the status details of the Trustpoint configuration tasks. The details displayed vary according to the task you selected. The dialog box displays the status against each task.

The configuration performed on the module is displayed in the content area. If any task fails, you can review the task details and take necessary action.

How Do I...

The How do I section explains how to accomplish a task using the CVDM.

The following tasks are explained:

How Do I Add a New Key Pair?

How Do I Import a Key Pair?

How Do I Add a New Key Pair?

To add a new key pair:


Step 1 Click Setup at the top of the window, click PKI in the left-most pane.

Step 2 Select Trustpoints > Key Pairs from the object selector.

Step 3 Click Add. The Add New Key Pair dialog box appears.

Step 4 Modify the appropriate values in the page, then click OK.


How Do I Import a Key Pair?

You can use the key pair import wizard to import a key pair. The Key Pair wizard allows you to import RSA Key pairs in PKCS12 or PEM format to SSLM.

To import a key pair:


Step 1 Launch the Key Pair Import Wizard.

Step 2 Enter key pair name and the source from where the key pair has to be imported.

Step 3 Enter the public and private key information.




Posted: Fri Apr 15 01:12:10 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.