George Carey
Posted: Mon Jul 23, 2012 2:19 pm Post subject: sharedcert: directory
Knight
Joined: 29 Jan 2007 Posts: 500 Location: DC
Simple, straightforward question:
Can the certs in the 'sharedcert:' directory on the XI50 device be copied off to an external device for backup or other purposes?
That is it! If so, how?
Hoping for a better response than to my last question posed.
GTC
_________________
"Truth is ... grasping the virtually unconditioned", Bernard F. Lonergan S.J. (from the book "Insight", subtitled "A Study of Human Understanding")
rekarm01
Posted: Wed Jul 25, 2012 1:13 am Post subject: Re: sharedcert: directory
Grand Master
Joined: 25 Jun 2008 Posts: 1415
George Carey wrote:
> Can the certs in the 'sharedcert:' directory on the XI50 device be copied off to external device for backup or other purposes??
Yes.
George Carey
Posted: Wed Jul 25, 2012 1:13 pm Post subject: really!
Knight
Joined: 29 Jan 2007 Posts: 500 Location: DC
I wish it were so!
IBM support says one cannot!
If you say one can then can you describe how?
GTC
mqjeff
Posted: Wed Jul 25, 2012 1:26 pm Post subject: Re: really!
Grand Master
Joined: 25 Jun 2008 Posts: 17447
George Carey wrote:
> I wish it were so!
> IBM support says one cannot!
> If you say one can then can you describe how?
> GTC
His "yes" was a link...
Quote:
> Exporting keys and certificates
> Use the Export Crypto Objects tab of the Crypto Tools screen to export key and certificate objects.
George Carey
Posted: Wed Jul 25, 2012 3:30 pm Post subject: HSM
Knight
Joined: 29 Jan 2007 Posts: 500 Location: DC
Missed the link, link.
Ok, from that doco:
Quote:
> On the source appliance, the appliance from which the private key is copied, you can export keys. You can export private keys on only HSM-equipped DataPower® appliances. Private keys exported from Type 9235 appliances cannot be imported on to a Type 7199 appliance. Likewise, private keys exported from Type 7199 appliances cannot be imported on to a Type 9235 appliance.
If I exported keys with a 9235 (can only do it once!), would one not expect to be able to import them onto another 9235 subsequently? How?!
Also, the doc says that you can only export private keys if you have an HSM device ... so if one can export these keys, one would assume one has an HSM. Unless exporting is different from the one-time externalizing of the key set, namely priv key, ss-priv key, and csr, into the temporary directory.
These externalized files are text files saying 'Begin Private Key ... End Private Key' and 'Begin Certificate ... End Certificate'. The Certificate works fine, but the private key gives a 'format is not known' error! Can it be converted to a known format to be used (e.g. pem, der, etc.)? That is the question/issue!
P.S. the certs were initially CSRs and converted by CA to Certs.
rekarm01
Posted: Thu Jul 26, 2012 2:02 am Post subject: Re: HSM
Grand Master
Joined: 25 Jun 2008 Posts: 1415
Maybe it's not so simple and straightforward a question. How to export public certificates and how to export private keys are two different questions.
DataPower offers the option to export keys, CSRs, and certificates when generating them, and HSM-equipped appliances also offer the option to mark private keys exportable at a later time, as explained here. Any files are exported to the temporary directory, and will not survive the next reboot.
For HSM-equipped appliances, DataPower can later export Crypto Key objects, which contain a private key (encrypted with an HSM key-wrapping key), and import them to a similar HSM-equipped appliance, as explained here.
Any DataPower appliance can later export Crypto Certificate objects, which contain a public certificate, and import them to any other appliance. The exported file should look something like:
Code:
    <?xml version="1.0" encoding="utf-8"?>
    <crypto-export version="1">
    <certificate version="1">MIIFqT ... WZSA==</certificate>
    </crypto-export>
The content of the <certificate> element is a Base64-encoded DER certificate, and can also be copy-pasted directly into a file, for backup or other purposes.
George Carey wrote:
> These externalized files are text files saying 'Begin Private Key ... End Private key' and 'Begin Certificate... End Certificate', Certificate works fine but the private keys gives a 'format is not known' error!'
Private keys are not directly viewable. They need to be accessed through a Crypto Key object, which needs to provide the password used to encrypt the private key.
George Carey wrote:
> P.S. the certs were initially CSRs and converted by CA to Certs.
All certificates were initially CSRs (except for self-signed certificates).
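As an added worked example of the crypto-export layout rekarm01 shows above (example code, not from the thread and not IBM's or DataPower's own tooling): a stdlib-only Python script that pulls the <certificate> payload out of such a file, checks that it decodes to one complete DER SEQUENCE before the paste is trusted, and writes it out as PEM. The embedded sample file is constructed, and its payload is a tiny stand-in DER structure rather than a real certificate.

```python
import base64
import xml.etree.ElementTree as ET
# Constructed sample in the crypto-export layout quoted in the thread. The
# payload "MAYCAQECAQI=" is a stand-in DER SEQUENCE of two small INTEGERs
# (hex 30 06 02 01 01 02 01 02), not a real certificate, so this runs offline.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="utf-8"?>
<crypto-export version="1">
<certificate version="1">MAYCAQECAQI=</certificate>
</crypto-export>"""


def der_outer_tlv(buf):
    """Return (tag, declared_length, header_length) of the outer DER element."""
    if len(buf) < 2:
        raise ValueError("too short to be DER")
    tag, first = buf[0], buf[1]
    if first < 0x80:                       # short-form length
        return tag, first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("bad DER length encoding")
    return tag, int.from_bytes(buf[2:2 + n], "big"), 2 + n


def extract_certificate_der(xml_text):
    """Decode the <certificate> payload and confirm it is a single DER SEQUENCE."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    elem = next(root.iter("certificate"), None)
    if elem is None or not (elem.text or "").strip():
        raise ValueError("no <certificate> element with content")
    der = base64.b64decode("".join(elem.text.split()), validate=True)
    tag, length, hdr = der_outer_tlv(der)
    if tag != 0x30 or hdr + length != len(der):   # 0x30 = SEQUENCE, no trailing bytes
        raise ValueError("payload is not one complete DER SEQUENCE")
    return der


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armour with the usual 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def export_to_pem(xml_text):
    return der_to_pem(extract_certificate_der(xml_text))


def is_valid_export(xml_text):
    try:
        extract_certificate_der(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False
```

The framing check only proves the paste was not truncated or corrupted; to inspect the certificate itself, feed the PEM to `openssl x509 -in file.pem -noout -text`.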
George Carey
Posted: Thu Jul 26, 2012 9:13 am Post subject: Terms
Knight
Joined: 29 Jan 2007 Posts: 500 Location: DC
Different understanding of terms/definitions is the root of all confusion.
The typical understanding one (I at least) has for key is the following, along with other terms and definitions for PKI infrastructure objects I have.
A Key = (private key) the public never should see it
public key = (asymmetric key counterpart to the private key)
Keys = (public or private) in usage KEY typically means private-key
CSR = (public key + other ID info)
Cert = (CSR) signed by a CA
SSCert = (CSR) signed by self
Certs = (public keys) signed by self or a CA
Signed = (encrypting an object or part of an object by a private key)
HSM or not, if the Crypto Tools screen gives the option "Export Private Key" on or off, and one selects on, and the files created are myname.privkey.pem, myname.sscert.pem, myname.csr.pem, and they are all base64 Hex coded text files that can be cut and pasted to an external text file, then one would think this externalized private key could be used subsequently on another 9235 if it came from a 9235. Just as the Certs can be. Otherwise what is the point of allowing the key (private-key) to be externalized?
GTC
P.S. Thanks for your feedback; also, I have read your linked sections but my question remains.
mqjeff
Posted: Thu Jul 26, 2012 9:36 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
I don't think it's a confusion of terms, I think it's a confusion of intent.
What are you intending to do with this "key" after you have exported it?
Use it as the full and primary identity of some entity other than the DP box that you exported it from?
Then you need the private key, and the password to the private key stash. And you should rigorously control how and by whom the exported files are moved, transported, stored, and handled.
Use it to assert and validate the identity of the DP box you exported it from?
Then you only need the public cert.
George Carey
Posted: Thu Jul 26, 2012 11:53 am Post subject: A key backup
Knight
Joined: 29 Jan 2007 Posts: 500 Location: DC
Basic reasons.
1.) To reuse on the same DP box if it was inadvertently deleted - just put it back on from your external location. Which is not a formal keystore. Just a backup location.
2.) So as not to have to pay for multiple Certs. If all your DPs perform the same task, like a digital signature, one does not need a Cert for each DP but just one for the site. Only need to pay for one, not N. Can put the same key pairs on all DPs.
Can't do either if you can't bring the Private Key back to a DP box and use it as a private key.
Again, why is the 'Export private key on/off' option there?
Looking for an answer to a straightforward question again. Can the externalized private key (the Base64 Hex text file) be used as a private key or not on a DataPower (same or others)?
fjb_saper
Posted: Thu Jul 26, 2012 12:04 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
I believe the whole point of the story here is that you would not want to move a private key by itself, but you would want to move the keystore (/kryptoobject) containing the private key and the corresponding signed cert.... Now that may lead to the need for a format translation, like say from jks to pkcs12 etc... Should be possible with krypto tools or OpenSSL.
Have fun
_________________
MQ & Broker admin
George Carey
Posted: Thu Jul 26, 2012 4:26 pm Post subject: seems to work
Knight
Joined: 29 Jan 2007 Posts: 500 Location: DC
It may be a matter of getting the encryption password for the private key.
I have tried several cases using a private key and sscert from a DataPower Crypto Tool key generation screen. The Crypto Identification Credentials built from the generated Key (private-key) and corresponding Cert (sscert) work just fine. Copying them off two different ways, opening on DP and cut-and-pasting to an external disk file, and doing a right-click on the filename and then a "save target as", also works just fine.
By which I mean when copying them back and creating a new Crypto Id-Cred they work fine, no barking about the 'key format is not known' or 'Key password may not be correct' error. It looks like a proper 'password' may be the issue ...(s@#&?t).
My next question is likely to be ... can the private key be exported more than once if one has an HSM? This may not help either. Will be doing some reading.
rekarm01
Posted: Thu Jul 26, 2012 5:06 pm Post subject: Re: Terms
Grand Master
Joined: 25 Jun 2008 Posts: 1415
George Carey wrote:
> ... if the Crypto Tools [Generate Key] screen gives the options to:
> Export Private Key on or off and one selects on and the files created are:
> myname.privkey.pem, myname.sscert.pem, myname.csr.pem and they are all base64 Hex coded text files ...
Yes, any other DataPower appliance can import the exported myname.privkey.pem file, as-is, and use it as a private key. But if a Crypto Key object wrapper fails to use the correct password to decrypt the imported private key, then it would encounter a "File is not in a known format" error.
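As an added illustration of the point rekarm01 makes above and of the "format is not known" confusion earlier in the thread (example code, not from the thread and not IBM's tooling): a stdlib-only Python checker for a pasted PEM export that tells a certificate from a private key and reports whether the private key is encrypted, i.e. whether a password has to be supplied before anything can read it. It covers the standard PEM layouts (PKCS#8 encrypted, traditional OpenSSL with Proc-Type/DEK-Info headers, and plaintext); which of these a DataPower privkey.pem uses is not asserted here, and the sample PEM strings are constructed placeholders.

```python
import base64
import re

# Constructed stand-ins for the myname.privkey.pem / myname.sscert.pem exports
# discussed in the thread. The Base64 bodies are placeholder bytes, not real
# key or certificate material.
ENCRYPTED_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIBAQID\n-----END ENCRYPTED PRIVATE KEY-----\n"
ENCRYPTED_TRADITIONAL = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                         "MIIBAQID\n-----END RSA PRIVATE KEY-----\n")
PLAINTEXT_KEY = "-----BEGIN PRIVATE KEY-----\nMIIBAQID\n-----END PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nMIIBAQID\n-----END CERTIFICATE-----\n"
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def describe_pem(text):
    """Classify one pasted PEM export and say whether a password is needed to use it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m_begin = _BEGIN.match(lines[0]) if lines else None
    m_end = _END.match(lines[-1]) if lines else None
    if not (m_begin and m_end) or m_begin.group(1) != m_end.group(1):
        return {"label": None, "kind": "unknown", "encrypted": False,
                "password_required": False, "plaintext_private_key": False, "well_formed": False}
    label = m_begin.group(1)
    # Base64 never contains ':', so any such line is an RFC 1421 header
    # (Proc-Type / DEK-Info) rather than part of the body.
    headers = [ln for ln in lines[1:-1] if ":" in ln]
    body = "".join(ln for ln in lines[1:-1] if ":" not in ln)
    try:
        well_formed = len(base64.b64decode(body, validate=True)) > 0
    except ValueError:            # binascii.Error is a ValueError subclass
        well_formed = False
    if label == "ENCRYPTED PRIVATE KEY":           # PKCS#8: encryption info is inside the blob
        kind, encrypted = "private key", True
    elif label.endswith("PRIVATE KEY"):            # traditional OpenSSL layout
        kind = "private key"
        encrypted = any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
    elif label.endswith("CERTIFICATE REQUEST"):
        kind, encrypted = "csr", False
    elif label == "CERTIFICATE":
        kind, encrypted = "certificate", False
    else:
        kind, encrypted = "unknown", False
    return {"label": label, "kind": kind, "encrypted": encrypted,
            "password_required": kind == "private key" and encrypted,
            "plaintext_private_key": kind == "private key" and not encrypted,
            "well_formed": well_formed}
```

A `plaintext_private_key` result is the case mqjeff warns about: the file alone is the full identity, so where it is copied and who can read it matters as much as the password does for the encrypted forms.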
George Carey
Posted: Fri Jul 27, 2012 8:50 am Post subject: Issue Fixed
Knight
Joined: 29 Jan 2007 Posts: 500 Location: DC
Yup, got the correct password and all is working.
Thanks for the feedback all.
GTC