The RSA key pair is stored in a file on the CF.
Generate an RSA key pair
To generate an RSA key pair, use the admin certificate gen-keypair command:
admin certificate gen-keypair local-url [type rsa] size 1024
For example:
admin certificate gen-keypair cf1:\myDir\myRsaKeyPair type rsa size 1024
This generates a Distinguished Encoding Rules (DER) formatted file.
Import an online or offline generated RSA key pair
To import a generated RSA key pair, use the admin certificate secure-nd-import command:
admin certificate secure-nd-import local-url format {der | pem | pkcs12} [password <password>] [key-rollover]
For example:
admin certificate secure-nd-import cf1:\myDir\myRsaKeyPair format der
Because SeND only uses RSA key pairs, the command is refused if the imported key type is not RSA.
Because SeND only supports key size 1024, the command is refused if the imported key size is not 1024.
The password must be specified when importing an offline generated file in pkcs12 format.
key-rollover keyword: see the RSA key pair rollover mechanism section that follows.
This command creates the file cfx:\system-pki\secureNdKey (fixed directory and filename) and saves the imported key in that file in encrypted form, using the same storage format as the admin certificate import command.
The RSA key pair is then loaded into SeND's memory.
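As an added example (not part of the SR OS documentation), the following Python pre-check applies the two refusal rules above (RSA only, key size 1024) to an offline generated DER file before it is handed to secure-nd-import, by parsing the PKCS#1 RSAPrivateKey structure with a minimal DER reader. It assumes the DER file is a bare PKCS#1 RSAPrivateKey (not PKCS#8 or pkcs12), and the constructed_rsa_private_key helper produces placeholder test input only, not a real key.

```python
SEND_KEY_SIZE = 1024  # the only RSA key size secure-nd-import accepts

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw

def _der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 when the high bit is set)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(raw)) + raw

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of n in a PKCS#1 RSAPrivateKey (SEQUENCE of version, n, e, d, ...)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < 2:  # only version and n are needed
        t, v, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise ValueError("RSAPrivateKey fields must be INTEGERs")
        ints.append(int.from_bytes(v, "big", signed=True))
    if len(ints) < 2 or ints[0] not in (0, 1):
        raise ValueError("not an RSAPrivateKey structure")
    return ints[1].bit_length()

def send_import_allowed(der: bytes):
    """Apply the secure-nd-import refusal rules: RSA only, and exactly 1024 bits."""
    try:
        bits = rsa_modulus_bits(der)
    except (ValueError, IndexError) as exc:
        return False, f"refused: not an RSA key pair ({exc})"
    if bits != SEND_KEY_SIZE:
        return False, f"refused: key size {bits}, SeND requires {SEND_KEY_SIZE}"
    return True, "ok"

def constructed_rsa_private_key(bits: int) -> bytes:
    """Structurally valid RSAPrivateKey DER with a bits-long placeholder modulus: constructed test input, NOT a usable key."""
    n = (1 << (bits - 1)) | 1  # bit_length() == bits
    body = b"".join([_der_int(0), _der_int(n), _der_int(65537), _der_int(n // 3)] + [_der_int(3)] * 5)
    return b"\x30" + _der_len(len(body)) + body  # version, n, e, d, p, q, dP, dQ, qInv
```

Running send_import_allowed over a real key file read in binary mode reports the same two refusal reasons the router would give, so the import can be corrected before the command is issued.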
RSA key pair rollover mechanism
To trigger a key rollover, use the admin certificate secure-nd-import command described in the Import an online or offline generated RSA key pair section.
For example:
admin certificate secure-nd-import cf1:\myDir\myOtherRsaKeyPair format der key-rollover
If CGAs exist that are generated based on an auto-generated or previously imported RSA key pair and the key-rollover keyword is not specified, the secure-nd-import command is refused.
If a secure-nd-import with key-rollover is requested while a previous key rollover is still being handled, the new command is refused.
If the secure-nd-import command is accepted, the imported RSA key pair is written to the file cfx:\system-pki\secureNdKey and loaded to SeND. Existing CGAs, if any, are regenerated.
While handling a key rollover, SeND keeps track of which interface uses which RSA key pair. Temporarily, SeND can have two RSA key pairs in use. At all times, only the latest RSA key pair is stored in the file cfx:\system-pki\secureNdKey. When the rollover is finished, the RSA key pair that is no longer referred to is deleted from SeND's memory.
Auto-generation of RSA key pair
The first time an interface becomes SeND enabled, SeND needs an RSA key pair to generate or check a modifier and to generate a CGA.
If the operator did not import an RSA key pair for SeND, an auto-generated RSA key pair is used as a fallback.
The auto-generated RSA key pair is synchronized to the standby CPM, but is not written to the CF. Therefore, all CGAs generated via an auto-generated RSA key pair are not persistent. A warning is raised whenever a non-persistent CGA is generated.
The admin certificate secure-nd-import command without the key-rollover keyword is refused if CGAs exist that made use of the auto-generated RSA key pair. Specifying the key-rollover keyword results in regeneration of the CGAs.
See the section Making non-persistent CGAs persistent for more information about the procedure to make non-persistent CGAs persistent.
HA
For the synchronization of the RSA key pair file in cfx:\system-pki\ used by SeND, the following commands for manual and automatic certificate synchronization are used:
manual: admin redundancy synchronize cert
automatic: configure redundancy cert-sync
SeND also synchronizes the RSA key pair to the standby CPM.