apps keystore
Use the apps keystore command to download, generate, and store RSA and ECDSA private keys, certificates, and key pairs for SSL decryption. If certificates are in the keystore, no re-signing is needed. The keystore can contain a maximum of 4000 keys.
Inline SSL decryption requires a key pair, that is, the private key together with its public half: the leaf certificate and the CA certificate chain.
Passive SSL decryption and Hardware Security Module (HSM) configurations require only the private key.
The apps keystore command has the following syntax:
apps keystore
rsa | ecdsa <key alias>
certificate <download url <download URL> | key-str <key string>>
comment <comment>
pkcs12 <download url <download URL> [password <password>]>
private-key <download url <download URL> | key-str <key string>> [password <PEM password> | type hsm]
self-signed
common-name <CN>
country <C>
hash-type <SHA-1 | SHA-256 | SHA-384 | SHA-512>
keysize <1024 | 2048 | 4096>
org-name <O>
org-unit <OU>
state <S>
valid <number of days>
The following table describes the arguments for the apps keystore command:

Argument: rsa | ecdsa <key alias>
Description: Specifies the key type (rsa or ecdsa) and the alias under which the entry is stored in the keystore. The alias is the name used to refer to the key in later commands, for example when binding it to a signing key with apps inline-ssl.

Argument: certificate <download url <download URL> | key-str <key string>>
Description: Downloads a certificate, or accepts one pasted into the CLI. Use this argument to install the certificate of the Man-in-the-Middle (MitM) primary CA or optional secondary CA as follows:
- The download URL specifies an SSL certificate. The supported download protocols are HTTP, FTP, SCP, and SFTP. For example, to download a certificate:
  (config) # apps keystore rsa issl1-primary-ca certificate download url http://1.1.1.2/mitm/primary_ca.cert
  (config) # apps keystore rsa issl1-secondary-ca certificate download url http://1.1.1.2/mitm/secondary_ca.cert
- To cut and paste a certificate, specify the certificate string in PEM format. The string must be the certificate (a BEGIN CERTIFICATE block), not the private key; the private key is loaded separately with the private-key argument:
  (config) # apps keystore rsa key1 certificate key-str "-----BEGIN CERTIFICATE----- ...-----END CERTIFICATE-----"
- To bind the certificate to the primary CA:
  (config) # apps inline-ssl signing for primary key <key alias>
Refer to apps inline-ssl.

Argument: comment <comment>
Description: Adds a comment to a keystore key pair. Comments can be up to 128 characters. Comments longer than one word must be enclosed in double quotation marks. For example:
  (config) # apps keystore rsa key1 comment "This is a comment"

Argument: pkcs12 <download url <download URL> [password <password>]>
Description: Downloads a PKCS12 file containing the private key and the certificate as follows:
- The download URL specifies a PKCS12 container. The supported download protocols are HTTP, FTP, SCP, and SFTP. If the container is password-protected, add password <password>. For example:
  (config) # apps keystore rsa key2 pkcs12 download url <download URL>
  (config) # apps keystore ecdsa key2 pkcs12 download url <download URL>
- Refer to Supported Algorithms for the password-based encryption algorithms the keystore accepts in a PKCS12 file; a container protected with any other algorithm is not supported.

Argument: private-key <download url <download URL> | key-str <key string>> [password <PEM password> | type hsm]
Description: Downloads a private key, or accepts one pasted into the CLI. Use this argument to install the private key of the MitM primary CA or optional secondary CA as follows:
- The download URL specifies an SSL private key. The supported download protocols are HTTP, FTP, TFTP, SCP, and SFTP. HTTP, FTP, and TFTP transfer the file in the clear, so for private keys use SCP or SFTP, or at least a password-encrypted PEM. For example, to download a private key:
  (config) # apps keystore rsa issl1-primary-ca private-key download url http://1.1.1.1/mitm/primary_ca.key
  (config) # apps keystore rsa issl1-secondary-ca private-key download url http://1.1.1.2/mitm/secondary_ca.key
  (config) # apps keystore ecdsa issl1-primary-ca private-key download url http://1.1.1.1/mitm/primary_ca.key
  (config) # apps keystore ecdsa issl1-secondary-ca private-key download url http://1.1.1.2/mitm/secondary_ca.key
- To cut and paste a private key, specify the key string in PEM format:
  (config) # apps keystore rsa key1 private-key key-str "-----text-----"
  (config) # apps keystore ecdsa key1 private-key key-str "-----text-----"
- To bind the private key to the primary CA:
  (config) # apps inline-ssl signing for primary key <key alias>
- To download an encrypted private key with the password specified on the command line:
  (config) # apps keystore rsa K4 private-key download url http://dominos.gigamon.com/~ama/misc/encrypted_pkey.pem password admin1
  100.0% [########################################
- To download an encrypted private key without giving the password on the command line, in which case you are prompted for the passphrase:
  (config) # apps keystore rsa K4 private-key download url http://dominos.gigamon.com/~ama/misc/encrypted_pkey.pem
  100.0% [########################################
  PEM Passphrase: **********
  Prefer the prompt over the password argument: a password typed on the command line can be recorded in the command history and in any session logging.
  Refer to apps inline-ssl.
- To configure a key residing on an HSM, download the key reference with type hsm; the private key material itself stays on the HSM:
  (config) # apps keystore rsa mykey private-key download url http://10.115.0.100/tftpboot/myname/hsm/key_pkcs11_ua88af6e573c9c6c39b245a15edfc3ebcbebbdae4f type hsm
  Refer to apps hsm.

Argument: self-signed
Description: Generates a self-signed certificate and key (key pair) as follows:
- The common-name and org-name are mandatory. The generated key and certificate are stored as an entry in the keystore. The key can be imported as a primary or secondary signing key for SSL Decryption for inline tools. For example:
  (config) # apps keystore rsa internal-ca1 self-signed common-name internal_ca1.com country US state CA org-name GIMO org-unit ENG keysize 2048 hash-type SHA-256 valid 100
  (config) # apps keystore ecdsa internal-ca1 self-signed common-name internal_ca1.com country US state CA org-name GIMO org-unit ENG keysize 2048 hash-type SHA-256 valid 100
  Choose keysize 2048 or larger and a SHA-2 hash-type (SHA-256 or stronger): 1024-bit RSA and SHA-1 are deprecated, and clients reject certificates issued under a SHA-1 CA.
- To bind the key for use as the primary or secondary signing key:
  (config) # apps inline-ssl signing rsa for primary key <key alias>
Refer to apps inline-ssl.
Related Commands
The following table summarizes other commands related to the apps keystore command:
Task | Command
Displays the certificate for a specified SSL key. | # show apps keystore alias primary certificate
Displays a summary for a specified SSL key. | # show apps keystore alias primary summary
Displays all SSL keys. | # show apps keystore all
Deletes a specified ECDSA key from the keystore. | (config) # no apps keystore ecdsa alias primary
Deletes all ECDSA keys from the keystore. | (config) # no apps keystore ecdsa all
Deletes a specified RSA key from the keystore. | (config) # no apps keystore rsa alias primary
Deletes all RSA keys from the keystore. | (config) # no apps keystore rsa all
Supported Algorithms
The following password-based encryption (PBE) algorithms are supported when downloading a PKCS12 file containing the private key and the certificate:
- PBE-SHA1-RC4-128
- PBE-SHA1-RC4-40
- PBE-SHA1-3DES
- PBE-SHA1-2DES
- PBE-SHA1-RC2-128
- PBE-SHA1-RC2-40
All of these are the legacy PKCS#12 PBE schemes built on SHA-1. OpenSSL 3.x exports PKCS12 files with PBES2 and AES by default, which is not in this list; to produce a container the keystore accepts, select one of the listed algorithms explicitly when exporting, for example openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES.
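The following Python script is an added example, not Gigamon code or part of this reference. It performs two pre-flight checks before material is handed to apps keystore: it classifies a pasted PEM string as a certificate or a private key (the certificate key-str and private-key key-str arguments are easy to confuse) and flags encrypted keys that will need the password argument or the PEM Passphrase prompt, and it scans a PKCS12 file for the PBE algorithm OIDs so that a container built with OpenSSL 3.x defaults (PBES2, which is not in the list above) is caught before the download. The mode names inline and passive, the OID byte-scan heuristic, and all sample inputs are the example's own assumptions; the PEM bodies and DER fragments are constructed, not real keys.

```python
"""Pre-flight checks for material going into the GigaVUE apps keystore.

Added example (not Gigamon code). Answers two questions before a CLI session:
is a pasted PEM string the right kind for `certificate key-str` versus
`private-key key-str` (and does it need `password`), and does a PKCS12 file
use only the PBE algorithms the keystore accepts. All inputs are constructed.
"""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# DER OID values of the PKCS#12 PBE algorithms listed on this page, plus
# id-PBES2 (1.2.840.113549.1.5.13), which OpenSSL 3.x emits by default and
# which is NOT in the supported list.
PBE_OIDS = {
    bytes.fromhex("2a864886f70d010c0101"): "PBE-SHA1-RC4-128",
    bytes.fromhex("2a864886f70d010c0102"): "PBE-SHA1-RC4-40",
    bytes.fromhex("2a864886f70d010c0103"): "PBE-SHA1-3DES",
    bytes.fromhex("2a864886f70d010c0104"): "PBE-SHA1-2DES",
    bytes.fromhex("2a864886f70d010c0105"): "PBE-SHA1-RC2-128",
    bytes.fromhex("2a864886f70d010c0106"): "PBE-SHA1-RC2-40",
    bytes.fromhex("2a864886f70d01050d"): "PBES2",
}
SUPPORTED_PBE = {name for name in PBE_OIDS.values() if name != "PBES2"}


def classify_pem(text):
    """Return [(kind, encrypted)] per PEM block. kind is 'certificate',
    'private-key' or 'other'; encrypted is True for PKCS#8 ENCRYPTED PRIVATE
    KEY blocks and for legacy blocks with a 'Proc-Type: 4,ENCRYPTED' header."""
    result = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            result.append(("certificate", False))
        elif label in KEY_LABELS:
            enc = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
            result.append(("private-key", enc))
        else:
            result.append(("other", False))
    return result


def keystore_plan(text, mode):
    """Map pasted PEM text onto apps keystore arguments (assumed mode names).

    'passive' (passive SSL decryption, HSM) needs only the private key;
    'inline' (inline SSL decryption) needs the key plus the leaf certificate
    and its CA chain. Returns (ok, list of messages)."""
    blocks = classify_pem(text)
    keys = [enc for kind, enc in blocks if kind == "private-key"]
    certs = sum(1 for kind, _ in blocks if kind == "certificate")
    if len(keys) != 1:
        return False, ["expected exactly one private key block, found %d" % len(keys)]
    msgs = ["private-key key-str" + (" password <PEM password>" if keys[0] else "")]
    if mode == "passive":
        return True, msgs
    if mode != "inline":
        return False, ["unknown mode %r" % mode]
    if certs == 0:
        return False, msgs + ["inline SSL needs the certificate chain, but no CERTIFICATE block was found"]
    msgs.append("certificate key-str (%d certificate block(s))" % certs)
    if certs == 1:
        msgs.append("warning: only one certificate; inline SSL expects leaf plus CA chain")
    return True, msgs


def p12_pbe_algorithms(data):
    """Names of the PBE algorithm OIDs present in a PKCS12 (DER) byte string.

    Scans for the DER OID encoding (tag 0x06, length, value) instead of
    parsing the full ASN.1 structure; a chance match of the 11-12 byte
    pattern inside encrypted payload is possible in theory, negligible in practice."""
    found = set()
    for oid, name in PBE_OIDS.items():
        if b"\x06" + bytes([len(oid)]) + oid in data:
            found.add(name)
    return found


def p12_is_loadable(data):
    """True when the container uses only PBE algorithms from this page's list."""
    algs = p12_pbe_algorithms(data)
    return bool(algs) and algs <= SUPPORTED_PBE


# --- constructed samples (no real key material) --------------------------
INLINE_BUNDLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "c29tZSBmYWtlIGJhc2U2NCBib2R5\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nbGVhZiBjZXJ0\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nY2EgY2VydA==\n-----END CERTIFICATE-----\n"
)
# Fragments standing in for PKCS12 files: one the way OpenSSL 1.x built them
# (RC2-40 for certificates, 3DES for the key), one with OpenSSL 3.x defaults.
LEGACY_P12 = (b"\x30\x82\x01\x00"
              + b"\x06\x0a" + bytes.fromhex("2a864886f70d010c0106") + b"\x00" * 8
              + b"\x06\x0a" + bytes.fromhex("2a864886f70d010c0103") + b"\x00" * 8)
MODERN_P12 = b"\x30\x82\x01\x00" + b"\x06\x09" + bytes.fromhex("2a864886f70d01050d") + b"\x00" * 8

if __name__ == "__main__":
    print(keystore_plan(INLINE_BUNDLE, "inline"))
    print(sorted(p12_pbe_algorithms(LEGACY_P12)), p12_is_loadable(LEGACY_P12))
    print(sorted(p12_pbe_algorithms(MODERN_P12)), p12_is_loadable(MODERN_P12))
```

To check a real container, call p12_is_loadable(open("bundle.p12", "rb").read()); a False result with PBES2 reported means the file must be re-exported with one of the listed PBE algorithms before the pkcs12 download will work.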