apps keystore

Use the apps keystore command to download RSA and ECDSA keys and key pairs into the keystore and store them under an alias. If a certificate is already in the keystore, it does not need to be re-signed. The keystore can contain a maximum of 4000 keys.

Inline SSL decryption requires a key pair: the private key together with the corresponding public half (the leaf certificate and its CA certificate chain).

Passive SSL decryption and Hardware Security Module (HSM) require only the private key.

The apps keystore command has the following syntax:

apps keystore
   rsa | ecdsa <key alias>
   certificate <download url <download URL> | key-str <key string>>
   comment <comment>
   pkcs12 <download url <download URL> [password <password>]>
   private-key <download url <download URL> | key-str <key string>> [password <PEM password> | type hsm]
   self-signed
      common-name <CN>
      country <C>
      hash-type <SHA-1 | SHA-256 | SHA-384 | SHA-512>
      keysize <1024 | 2048 | 4096>
      org-name <O>
      org-unit <OU>
      state <S>
      valid <number of days>

The following table describes the arguments for the apps keystore command:

Argument

Description

rsa | ecdsa <key alias>

Specifies the key type, rsa or ecdsa, and the alias under which the key is stored in the keystore.

certificate <download url <download URL> | key-str <key string>>

Downloads a certificate from a URL or accepts a pasted certificate string. Use this argument to configure the Man-in-the-Middle (MitM) primary CA or optional secondary CA as follows:

url—Specifies the download URL for the certificate PEM file.
key-str—Specifies the certificate as a PEM string. Enclose the string in double quotation marks.

The download URL specifies an SSL certificate. The supported download protocols are HTTP, FTP, SCP, and SFTP.

For example, to download a certificate:

(config) # apps keystore rsa issl1-primary-ca certificate download url http://1.1.1.2/mitm/primary_ca.cert

(config) # apps keystore rsa issl1-secondary-ca certificate download url http://1.1.1.2/mitm/secondary_ca.cert

For example, to cut and paste a certificate, specify the certificate string in PEM format (a certificate PEM, not a private key PEM):

(config) # apps keystore rsa key1 certificate key-str "-----BEGIN CERTIFICATE----- ...-----END CERTIFICATE-----"

To bind the certificate to the primary CA:

(config) # apps inline-ssl signing for primary key <key alias>

Refer to apps inline-ssl.

comment <comment>

Adds a comment to a keystore key pair (rsa or ecdsa). Comments can be up to 128 characters. Comments longer than one word must be enclosed in double quotation marks. For example:

(config) # apps keystore rsa key1 comment "This is a comment"

pkcs12 <download url <download URL> [password <password>]>

Downloads a PKCS12 file containing the private key and the certificate as follows:

url—Specifies the download URL for the PKCS12 (.pfx) file.
password—Specifies an optional password for the PKCS12 file. If the password keyword is given without a value, you are prompted for it.

The download URL specifies a PKCS12 container. The supported download protocols are HTTP, FTP, SCP, and SFTP.

For example:

(config) # apps keystore rsa key2 pkcs12 download url sftp://test:mytest@10.10.10.10/home/test/ssldecrypt/keys/srv1k.pfx

(config) # apps keystore ecdsa key2 pkcs12 download url sftp://test:mytest@10.10.10.10/home/test/ssldecrypt/keys/srv1k.pfx

Refer to Supported Algorithms for the encryption algorithms a downloaded PKCS12 file may use.

private-key <download url <download URL> | key-str <key string>> [password <PEM password> | type hsm]

Downloads a private key from a URL or accepts a pasted private key string. Use this argument to configure the MitM primary CA or optional secondary CA as follows:

url—Specifies the download URL for the private key PEM file.
key-str—Specifies the private key as a PEM string. Enclose the string in double quotation marks.
password—Specifies the password for the PEM private key if it is encrypted. If no password is given, the PEM private key must be unencrypted.
type—Specifies the key type for keys that reside on a Hardware Security Module. The only value is hsm.

The download URL specifies an SSL private key. The supported download protocols are HTTP, FTP, TFTP, SCP, and SFTP.

For example, to download a private key:

(config) # apps keystore rsa issl1-primary-ca private-key download url http://1.1.1.1/mitm/primary_ca.key

(config) # apps keystore rsa issl1-secondary-ca private-key download url http://1.1.1.2/mitm/secondary_ca.key

(config) # apps keystore ecdsa issl1-primary-ca private-key download url http://1.1.1.1/mitm/primary_ca.key

(config) # apps keystore ecdsa issl1-secondary-ca private-key download url http://1.1.1.2/mitm/secondary_ca.key

For example, to cut and paste a private key, specify the key string in PEM format:

(config) # apps keystore rsa key1 private-key key-str "-----text-----"

(config) # apps keystore ecdsa key1 private-key key-str "-----text-----"

To bind the private key to the primary CA:

(config) # apps inline-ssl signing for primary key <key alias>

For example, to download an encrypted private key with the password given on the command line:

(config) # apps keystore rsa K4 private-key download url http://dominos.gigamon.com/~ama/misc/encrypted_pkey.pem password admin1
100.0% [########################################

For example, to download an encrypted private key without giving the password on the command line, in which case you are prompted for the passphrase:

(config) # apps keystore rsa K4 private-key download url http://dominos.gigamon.com/~ama/misc/encrypted_pkey.pem
100.0% [########################################
PEM Passphrase: **********

Refer to apps inline-ssl.
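The certificate key-str and private-key key-str forms above accept whatever PEM text you paste, and the password argument is only needed when that PEM is encrypted. The following added example (not part of the GigaVUE-OS CLI or Gigamon's code) is a POSIX shell check that classifies a PEM blob by its armor before you paste it, so a private key is not handed to the certificate argument and an encrypted key is not uploaded without password. The sample PEM blobs are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: classify a PEM blob before pasting it into
# "apps keystore ... certificate key-str" or "... private-key key-str".

# pem_kind PEM -> certificate | private-key | encrypted-private-key | unknown
# A combined file (certificate plus key) is reported as certificate; split it first.
pem_kind() {
  case "$1" in
    *"-----BEGIN CERTIFICATE-----"*)
      echo certificate ;;
    *"-----BEGIN ENCRYPTED PRIVATE KEY-----"*)
      # PKCS#8 encrypted key: the CLI needs "password <PEM password>".
      echo encrypted-private-key ;;
    *"-----BEGIN RSA PRIVATE KEY-----"*|*"-----BEGIN EC PRIVATE KEY-----"*|*"-----BEGIN PRIVATE KEY-----"*)
      # Traditional PKCS#1/SEC1 PEM signals encryption with a Proc-Type header,
      # not with a different armor label.
      case "$1" in
        *"Proc-Type: 4,ENCRYPTED"*) echo encrypted-private-key ;;
        *) echo private-key ;;
      esac ;;
    *)
      echo unknown ;;
  esac
}

# keystore_check ARGUMENT PEM -> prints the CLI form to use; exit 1 on mismatch.
# ARGUMENT is the keyword you intend to type: certificate or private-key.
keystore_check() {
  arg="$1"; kind=$(pem_kind "$2")
  case "$arg:$kind" in
    certificate:certificate)
      echo "certificate key-str <string>" ;;
    private-key:private-key)
      echo "private-key key-str <string>" ;;
    private-key:encrypted-private-key)
      echo "private-key key-str <string> password <PEM password>" ;;
    *)
      echo "mismatch: $arg argument given a $kind PEM" >&2
      return 1 ;;
  esac
}

# Constructed sample blobs: the base64 bodies are placeholders, not key material.
BODY='cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk='
CERT_PEM="-----BEGIN CERTIFICATE-----
$BODY
-----END CERTIFICATE-----"
RSA_PEM="-----BEGIN RSA PRIVATE KEY-----
$BODY
-----END RSA PRIVATE KEY-----"
RSA_ENC_PEM="-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

$BODY
-----END RSA PRIVATE KEY-----"
PKCS8_ENC_PEM="-----BEGIN ENCRYPTED PRIVATE KEY-----
$BODY
-----END ENCRYPTED PRIVATE KEY-----"

# Demo: classify each blob, then show the check refusing a key pasted as a certificate.
for p in "$CERT_PEM" "$RSA_PEM" "$RSA_ENC_PEM" "$PKCS8_ENC_PEM"; do
  pem_kind "$p"
done
keystore_check private-key "$PKCS8_ENC_PEM"
keystore_check certificate "$RSA_PEM" || echo "refused: do not paste a private key into certificate key-str"
```

Run it as a script, or source it and call keystore_check with the keyword you are about to type and the PEM text you are about to paste; a non-zero exit means the blob does not belong in that argument.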

For example, to configure keys residing on HSM:

(config) # apps keystore rsa mykey private-key download url http://10.115.0.100/tftpboot/myname/hsm/key_pkcs11_ua88af6e573c9c6c39b245a15edfc3ebcbebbdae4f type hsm

Refer to apps hsm.

self-signed
   common-name <CN>
   country <C>
   hash-type <SHA-1 | SHA-256 | SHA-384 | SHA-512>
   keysize <1024 | 2048 | 4096>
   org-name <O>
   org-unit <OU>
   state <S>
   valid <number of days>

Generates a self-signed certificate and key (key pair) as follows:

common-name <CN>—Specifies the common name for the certificate.
country <C>—Specifies the country name for the certificate.
hash-type—Specifies the hash algorithm used to sign the certificate. The values are: SHA-1, SHA-256, SHA-384, and SHA-512.
keysize—Specifies the key size for the certificate. The values are 1024, 2048, and 4096.
org-name <O>—Specifies the organization name for the certificate.
org-unit <OU>—Specifies the organizational unit name for the certificate.
state <S>—Specifies the state for the certificate.
valid—Specifies the number of days for which the certificate is valid. The range is from 1 to 2000 days.

The common-name and org-name are mandatory.

The generated key and certificate are stored as an entry in the keystore. The entry can then be bound as the primary or secondary signing key for SSL decryption for inline tools.

For example:

(config) # apps keystore rsa internal-ca1 self-signed common-name internal_ca1.com country US state CA org-name GIMO org-unit ENG keysize 2048 hash-type SHA-256 valid 100


(config) # apps keystore ecdsa internal-ca1 self-signed common-name internal_ca1.com country US state CA org-name GIMO org-unit ENG keysize 2048 hash-type SHA-256 valid 100

To bind the key to use with the primary or secondary signing key:

(config) # apps inline-ssl signing rsa for primary key <key alias>

Refer to apps inline-ssl.

Related Commands

The following table summarizes other commands related to the apps keystore command:

Task

Command

Displays a certificate for a specified SSL key.

# show apps keystore alias primary certificate

Displays a summary for a specified SSL key.

# show apps keystore alias primary summary

Displays all SSL keys.

# show apps keystore all

Deletes a specified ECDSA key from the keystore.

(config) # no apps keystore ecdsa aliasprimary

Deletes all ECDSA keys from the keystore.

(config) # no apps keystore ecdsa all

Deletes a specified RSA key from the keystore.

(config) # no apps keystore rsa aliasprimary

Deletes all RSA keys from the keystore.

(config) # no apps keystore rsa all

Supported Algorithms

The following password-based encryption (PBE) algorithms are supported for the private key and certificate in a downloaded PKCS12 file:

  • PBE-SHA1-RC4-128

  • PBE-SHA1-RC4-40

  • PBE-SHA1-3DES

  • PBE-SHA1-2DES

  • PBE-SHA1-RC2-128

  • PBE-SHA1-RC2-40
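The algorithms listed above are the older PKCS12 PBE schemes, and a PKCS12 file produced with current tool defaults may use something else entirely. The following added example (not Gigamon's code; it assumes openssl 1.1.1 or 3.x is on the PATH and uses constructed demo passwords and a scratch directory under TMPDIR) prepares the inputs for the pkcs12 and private-key arguments above: it generates a CA key pair and self-signed certificate with the same subject fields as the self-signed example, exports them as a PKCS12 file that explicitly uses PBE-SHA1-3DES from the supported list, writes a password-protected PEM private key for the password argument, and checks each artifact before it is uploaded.

```shell
#!/bin/sh
# Added example: build keystore inputs with openssl and verify them off-box.
umask 077                                  # demo key material is still private
WORK="${TMPDIR:-/tmp}/keystore-demo.$$"    # scratch directory (assumption)
PFX_PASS='demo-pfx-pass'                   # constructed, for this example only
PEM_PASS='demo-pem-pass'                   # constructed, for this example only

# 1. CA key pair and self-signed certificate (same subject as the page's example).
make_ca() {
  mkdir -p "$WORK"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/primary_ca.key" 2>/dev/null
  openssl req -new -x509 -sha256 -days 100 -key "$WORK/primary_ca.key" \
    -subj "/C=US/ST=CA/O=GIMO/OU=ENG/CN=internal_ca1.com" \
    -out "$WORK/primary_ca.cert" 2>/dev/null
}

# 2. PKCS12 bundle pinned to PBE-SHA1-3DES, which is on the supported list.
#    Without -keypbe/-certpbe, OpenSSL 3 defaults to PBES2 with AES-256-CBC,
#    which is not on that list.
make_pfx() {
  openssl pkcs12 -export -in "$WORK/primary_ca.cert" -inkey "$WORK/primary_ca.key" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$PFX_PASS" -out "$WORK/primary_ca.pfx"
}

# Report the PBE algorithm actually recorded in the bundle.
pfx_pbe() {
  openssl pkcs12 -in "$WORK/primary_ca.pfx" -info -noout -nokeys \
    -passin "pass:$PFX_PASS" 2>&1 | grep -o 'pbeWithSHA1And3-KeyTripleDES-CBC' | head -n 1
}

# 3. Encrypted PEM private key, for "private-key ... password <PEM password>".
make_encrypted_pem() {
  openssl pkey -in "$WORK/primary_ca.key" -aes256 -passout "pass:$PEM_PASS" \
    -out "$WORK/encrypted_pkey.pem"
}

# Pre-upload checks.
pem_is_encrypted() {
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$WORK/encrypted_pkey.pem" && echo yes || echo no
}
pem_decrypts() {
  openssl pkey -in "$WORK/encrypted_pkey.pem" -passin "pass:$PEM_PASS" -noout \
    >/dev/null 2>&1 && echo ok || echo fail
}
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/primary_ca.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/primary_ca.cert" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ] && echo match || echo mismatch
}

demo() {
  make_ca && make_pfx && make_encrypted_pem || return 1
  echo "pfx-pbe=$(pfx_pbe) key/cert=$(key_matches_cert)"
  echo "pem-encrypted=$(pem_is_encrypted) pem-decrypts=$(pem_decrypts)"
  echo "artifacts left in $WORK"
}
demo
```

The resulting primary_ca.pfx can be fetched with the pkcs12 argument and primary_ca.key or encrypted_pkey.pem with the private-key argument. 3DES is the only entry on the supported list that OpenSSL 3 still handles in its default provider; the RC2 and RC4 variants require the legacy provider (openssl pkcs12 -legacy) and are weaker, so prefer PBE-SHA1-3DES when you must stay on that list.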