
KeyServer PK Provision

Javier Gusano Martinez edited this page Nov 30, 2016 · 3 revisions

KeyServer Private Key Provision Process

This page shows how to store private keys in the KeyServer database.

Previous Steps

You need the certificate's SHA1 fingerprint and the private key in the correct format.

  1. Get the certificate fingerprint following this tutorial.
  2. Convert the certificate's private key to the required format with these steps.
  3. Copy the private key file to a location the KeyServer can access and use the KeyServer for provisioning.

Provision

Follow these steps:

  1. Select the 'Private Key Provision' option:

```
                    - KeyServer Options -
                    ---------------------

Option Description

H      Shows help menu options.
I      Shows KeyServer status and details.
S      Jetty HTTPs connection statistics.

P      Provision: Insert a new private key inside KeyServer database.
D      Delete: Remove a private key from the KeyServer database.
F      Find: Search a specific SHA1 register on KeyServer database.
L      List: Shows all registers inside KeyServer database.

Q      Close KeyServer tool.

Write the option key and Enter to execute.

p
```

  2. Enter the certificate fingerprint value. In this example, the fingerprint is 0123456789ABCDEF0123456789ABCDEF01234567:

```
                  - Private Key Provision Manager -
                  ---------------------------------

Action : Insert Private Key to database.

Description

Insert a new private key to KeyServer database. This command use the certificate SHA1 and the certificate full qualified name to load and storage the register.

Note: If you write Q and press ENTER, the private key provision will be cancelled.

WARNING: Your private key should be in PCKS8 format. If not, please use this command to export it previously using OpenSSL (replace INPUT.key and OUTPUT.key with your own file names):

openssl pkcs8 -topk8 -inform PEM -outform DER -in INPUT.key -nocrypt > OUTPUT.key

Write the certificate SHA1 and press ENTER: 0123456789ABCDEF0123456789ABCDEF01234567
```

  3. Now enter the fully qualified path to the private key file associated with the previous certificate fingerprint (SHA1):

```
Write the certificate file full qualified name:

/home/USER/KeyServer/PRIVATEKEY.key
```

  4. The KeyServer provisioning tool asks whether you want the current private key to be removed automatically after a specific date. If you want to keep this private key in the Redis database indefinitely, write n and continue with step 6 of this tutorial. Otherwise, continue with the next step.

```
Do you want remove automatically this current private key in a specific date? (y/n): y
```

  5. Enter the date and time when this private key will be unavailable:

```
Write the certificate expiration date. If you don't provide the date, the private key will be present inside database unlimited. You must remove it manually.

Write the date using this format (yyyy.MM.dd-HH:mm:ss): 2017.01.15-09:07:00
```

  6. If the certificate provision has been executed correctly, you receive this message:

```
[ INFO ] - The certificate has been included on database.
```

Note: For security reasons, please remove the private key file from the KeyServer:

$ rm /home/USER/KeyServer/PRIVATEKEY.key
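
The three values the provisioning dialogue asks for (SHA1 fingerprint, PKCS8 DER key file, optional expiration date) can be checked before starting it. The Python code below is an added example, not part of KeyServer or of the original page; the function names, the constructed sample bytes and the rule that a past date is an error are assumptions of the example, and the key check inspects only the outer ASN.1 structure.

```python
import re
from datetime import datetime
# Constructed, structure-only PrivateKeyInfo (not a usable key): version 0, rsaEncryption, 2 dummy bytes.
SAMPLE_PKCS8 = bytes.fromhex("3016020100300D06092A864886F70D01010105000402AABB")

def normalize_fingerprint(text):
    """Return a SHA1 fingerprint as 40 uppercase hex digits, the form shown on this page."""
    fp = text.split("=")[-1].replace(":", "").strip().upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("expected a SHA1 fingerprint of 40 hex digits")
    return fp

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:  # long form: low 7 bits give the number of length bytes
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_key(data):
    """Classify key bytes by outer ASN.1 shape only; no cryptographic validation."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, start, end = _tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return "unknown"
        t1, _, e1 = _tlv(data, start)
        t2, _, e2 = _tlv(data, e1)
        if t1 == 0x30 and t2 == 0x04:
            return "pkcs8-encrypted"  # EncryptedPrivateKeyInfo: -nocrypt was not used
        if t1 == 0x02 and t2 == 0x02:
            return "traditional"      # e.g. PKCS#1 RSAPrivateKey: run the pkcs8 conversion
        if t1 == 0x02 and t2 == 0x30 and e2 < end and _tlv(data, e2)[0] == 0x04:
            return "pkcs8-der"        # unencrypted PrivateKeyInfo, as the tool's warning asks
    except (IndexError, ValueError):
        pass
    return "unknown"

def parse_expiry(text, now):
    """Parse the prompt's yyyy.MM.dd-HH:mm:ss value; reject dates that are not in the future."""
    when = datetime.strptime(text, "%Y.%m.%d-%H:%M:%S")
    if when <= now:
        raise ValueError("expiration date is not in the future")
    return when
```

Only a file classified as `pkcs8-der` matches the output of the `openssl pkcs8 -topk8 ... -outform DER ... -nocrypt` command quoted in the tool's warning.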