When you export private keys from a web server, you have several options for adding the keys to the PCA. In all cases, you must begin with the key files in .pem or .pfx format.
Some methods for adding keys to the PCA convert the files to PTL format and add the converted file to the PCA. You can also convert the .pem or .pfx files to PTL and add the keys separately.
Convert PFX keys to PEM keys
You can run an OpenSSL command to convert a .pfx key to a .pem key.
- Decrypt the file and rename it as a .pem file. Run the following command on the Passive Capture host machine:
  openssl pkcs12 -nodes -nocerts -in key1.pfx -out key1.pem
  The -nodes option writes the private key without a passphrase, which is what the PTL conversion requires. The resulting .pem file is therefore a plaintext private key: keep it readable only by root and delete it after the conversion.
- When prompted for the import password, enter the password that you used when you exported the certificate to a .pfx file. You must receive the following message:
  MAC verified OK.
- Validate the resulting .pem file before attempting to convert it to PTL format.
Validate a PEM key
To convert a .pem file to PTL format, the .pem file must be valid. You can validate a .pem file with the OpenSSL binary that ships with the PCA.
/usr/local/ctccap/bin/openssl rsa -check -noout -in <filename>
If the file is a valid RSA private key, the command reports:
RSA key ok
If the key is corrupt, truncated, or not an RSA key, the command prints an error instead and exits with a non-zero status. If OpenSSL prompts for a passphrase, the key is encrypted and must be decrypted first; the PCA does not accept passphrase-protected .pem files. The -noout option suppresses the key itself. Without it, OpenSSL also writes the key back out in PEM form:
-----BEGIN RSA PRIVATE KEY-----
.... (many lines of encoding here)
....
-----END RSA PRIVATE KEY-----
Convert private keys to PTL format manually
Begin with the private key as a .pem file and convert the key to PTL format. To use the converted key, you must add the PTL file to the PCA configuration separately.
Export the private key from the web server as a .pem file and copy it into the Passive Capture Application (PCA). You then use the pem2ptl command to convert the key to PTL in place.
- Obtain a separate .pem file for each SSL key that you want to convert.
- Transfer the .pem files to /usr/local/ctccap/etc on the server that hosts the PCA.
- Log in to the PCA server as the root user and change to directory /usr/local/ctccap/etc.
- Use the tealeaf pem2ptl command to generate the PTL files for each .pem file, as shown in the following examples. You can convert multiple keys at a time.
  - To convert keys that are named server1.pem and server2.pem, run the following command:
    tealeaf pem2ptl server1.pem server2.pem
    The command creates files that are named server1.ptl and server2.ptl in the same directory as the .pem files. The command sets the ownership and permissions of the resulting PTL files to allow only the user ctccap to access the files. The tealeaf pem2ptl command does not create new PTL files if they already exist in the folder.
  - If you are using an older version of the PCA that does not provide the tealeaf pem2ptl command, use the following commands for each .pem file that you want to encrypt. Replace server1.pem with the name of your .pem file:
    /usr/local/ctccap/bin/tltenc -in server1.pem
    chmod u=rw,go= server1.ptl
    chown ctccap server1.ptl
    To convert multiple files, use the ls and xargs commands to encrypt them. Enter the following command as a single line. The ls command generates a list of file names. The pipe allows the xargs command to use the list and run the tltenc utility against each file name in the list.
    ls -1 server1.pem server2.pem server3.pem | xargs -L 1 -t \
      /usr/local/ctccap/bin/tltenc -in
    After you run the previous command, use the following commands to set the ownership and permissions for all PTL files. It is safe to use wildcards because the ownership and permissions are the ones that are needed by the PCA to access any PTL file.
    chmod u=rw,go= *.ptl
    chown ctccap *.ptl
- Remove the .pem files from the PCA server. Confirm that Passive Capture successfully decrypts SSL connections before you permanently delete the .pem files.
After the SSL keys are loaded onto the Passive Capture host server and encrypted into PTL files, configure Passive Capture to use the PTL files. When you have only a few PTL files to configure, use the SSL Keys tab in the Web Console. When you must configure many PTL files, you might find it easier to edit the configuration file directly with a text editor such as nano or vi.
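The following script, added here as an example and not part of the Tealeaf documentation or product, automates the manual procedure above for a whole directory of .pem files: it rejects passphrase-protected keys and files that are not valid RSA private keys, encrypts each remaining key with tltenc, applies the ownership and mode that tealeaf pem2ptl would set, and refuses to overwrite an existing .ptl. It also shows the .pfx to .pem step with the import password taken from an environment variable rather than the command line, where it would be visible in the process list and shell history. The paths /usr/local/ctccap/bin/openssl and /usr/local/ctccap/bin/tltenc and the user ctccap are the ones given on this page; the function names, the PFX_PASSWORD variable and the overridable OPENSSL, TLTENC and KEY_OWNER settings are assumptions of the example.

```shell
#!/bin/sh
# Batch conversion of web-server private keys to PTL on a PCA host.
# Added example; not part of the Tealeaf documentation or product.
# Assumed (not stated by the page): the PCA's OpenSSL and legacy tltenc
# binaries live under /usr/local/ctccap/bin. Both are overridable so the
# functions can be exercised with stand-ins elsewhere.
set -eu

OPENSSL="${OPENSSL:-/usr/local/ctccap/bin/openssl}"
TLTENC="${TLTENC:-/usr/local/ctccap/bin/tltenc}"
KEY_OWNER="${KEY_OWNER:-ctccap}"   # user the capture processes run as

# Convert a .pfx export to an unencrypted .pem. The import password is
# read from the exported $PFX_PASSWORD variable, not from argv, so it is
# never visible in ps output or shell history. umask 077 keeps the
# plaintext key private from the moment it is written.
pfx_to_pem() {
    pfx="$1"
    (umask 077 && "$OPENSSL" pkcs12 -nodes -nocerts -in "$pfx" \
        -out "${pfx%.pfx}.pem" -passin env:PFX_PASSWORD)
}

# A .pem the PCA can convert must contain a private key block, must not be
# passphrase-protected (legacy "Proc-Type: 4,ENCRYPTED" header or a PKCS#8
# "ENCRYPTED PRIVATE KEY" block), and must parse as a sound RSA key, which
# is what "openssl rsa -check" verifies.
pem_is_usable() {
    pem="$1"
    grep -q -- '-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$pem" || return 1
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$pem"; then
        return 1
    fi
    "$OPENSSL" rsa -check -noout -in "$pem" >/dev/null 2>&1
}

# True when the .ptl is owned by $KEY_OWNER and readable only by the owner.
ptl_is_locked_down() {
    find "$1" -user "$KEY_OWNER" -perm 600 2>/dev/null | grep -q .
}

# Validate one .pem, encrypt it with tltenc, then apply the ownership and
# mode that tealeaf pem2ptl would have set. Like pem2ptl, never overwrite
# an existing .ptl. The .pem is left in place: delete it only after capture
# has been seen decrypting traffic with the new key.
convert_one() {
    pem="$1"
    ptl="${pem%.pem}.ptl"
    if [ -e "$ptl" ]; then
        echo "skip: $ptl already exists" >&2
        return 1
    fi
    if ! pem_is_usable "$pem"; then
        echo "reject: $pem is not an unencrypted, valid RSA private key" >&2
        return 1
    fi
    "$TLTENC" -in "$pem" || return 1
    chmod u=rw,go= "$ptl" || return 1
    chown "$KEY_OWNER" "$ptl" || return 1
    if ! ptl_is_locked_down "$ptl"; then
        echo "error: ownership or mode not applied to $ptl" >&2
        return 1
    fi
    echo "converted: $ptl"
}

# Convert every .pem in a directory. The exit status is non-zero if any
# file was skipped or rejected, so a wrapper can stop before the restart.
convert_all() {
    dir="$1"
    failed=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue          # glob matched nothing
        convert_one "$pem" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

if [ "$#" -gt 0 ]; then convert_all "$1"; fi
```

Run it as root with the key directory as its argument (for example /usr/local/ctccap/etc), or source it and call convert_one on individual files. It does not remove the .pem files; do that yourself once capture has been confirmed to decrypt connections, as the procedure above requires.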
Convert private keys to PTL format automatically
The Passive Capture Application (PCA) can automatically convert .pem files to the encrypted PTL keys that the PCA requires.
Verify that any .pem file that you are converting contains the RSA private key. The .pem files must not be password-protected.
To convert one or more .pem keys to PTL keys automatically, copy each .pem file into the capturekeys directory and restart PCA capture services.
When the PCA capture service starts or restarts, the PCA converts each .pem file in the capturekeys directory to .ptl format and loads onto the PCA server.
Each .pem file remains in the capturekeys directory after the conversion. To avoid reconverting the files each time you restart the PCA, remove the .pem files from the capturekeys directory after you verify successful conversion.
You can convert multiple .pem files at a time.
- Copy the .pem file to the following directory: /usr/local/ctccap/etc/capturekeys
- Restart PCA services. On startup, the PCA automatically converts each .pem key in the capturekeys directory to a separate .ptl key. For example, the PCA converts the file myprivatekey.pem to a PTL key named myprivatekey.ptl.
- To verify that a .ptl key was properly loaded, review the capture log file (/var/log/tealeaf/capture.log). Look for a log entry similar to the following message.
  reassd[4681]: Autoloaded key file: /usr/local/ctccap/etc/capturekeys/myprivatekey.ptl
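As an added example (not from the Tealeaf documentation or product), the following script performs the verification above for a whole directory rather than one key: it extracts the Autoloaded key file entries from capture.log, compares them with the .pem files present in capturekeys, and removes the .pem files only when every one of them produced a .ptl that reassd actually loaded. The log line format and the capturekeys and capture.log paths are the ones shown on this page; the function names, the --demo switch and the constructed sample in demo() are assumptions of the example.

```shell
#!/bin/sh
# Verify that every .pem dropped into capturekeys was autoloaded as a .ptl
# before deleting the plaintext .pem files. Added example; not part of the
# Tealeaf documentation or product.
set -eu

CAPTURE_LOG="${CAPTURE_LOG:-/var/log/tealeaf/capture.log}"
KEY_DIR="${KEY_DIR:-/usr/local/ctccap/etc/capturekeys}"

# Print the .ptl paths that reassd reported as autoloaded, one per line.
autoloaded_keys() {
    sed -n 's/.*Autoloaded key file: \([^ ]*\.ptl\).*/\1/p' "$1" | sort -u
}

# For each .pem in the key directory, check that the matching .ptl exists
# and is listed as autoloaded. Prints "ok <pem>" or "missing <pem>" per
# file and returns 1 if any key was not loaded.
check_autoload() {
    logfile="$1"
    keydir="$2"
    rc=0
    loaded=$(autoloaded_keys "$logfile")
    for pem in "$keydir"/*.pem; do
        [ -e "$pem" ] || continue          # no .pem files at all
        ptl="${pem%.pem}.ptl"
        if [ -f "$ptl" ] && printf '%s\n' "$loaded" | grep -qxF -- "$ptl"; then
            echo "ok $pem"
        else
            echo "missing $pem"
            rc=1
        fi
    done
    return $rc
}

# Once every key reports ok, the .pem files serve no purpose and leave
# plaintext private keys on disk, so remove them. Refuses to delete
# anything while a key is still missing.
remove_converted_pems() {
    check_autoload "$1" "$2" >/dev/null || return 1
    for pem in "$2"/*.pem; do
        [ -e "$pem" ] && rm -f -- "$pem"
    done
    return 0
}

# Constructed sample run (not real PCA output): a scratch directory stands
# in for capturekeys, with a two-key log fragment in which only web1 loaded.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/web1.pem"; : > "$tmp/web1.ptl"
    : > "$tmp/web2.pem"                     # restart never produced web2.ptl
    printf 'reassd[4681]: Autoloaded key file: %s/web1.ptl\n' "$tmp" > "$tmp/capture.log"
    check_autoload "$tmp/capture.log" "$tmp" || echo "keep the .pem files: not every key was loaded"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

After a restart, run check_autoload "$CAPTURE_LOG" "$KEY_DIR" and, only when it reports ok for every file, remove_converted_pems with the same arguments. Note that the log records the full path of the .ptl, so the comparison is exact and a key copied into a different directory will be reported as missing.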
Upload .pem or .pfx keys with the Web Console
You can use the Web Console to upload private keys in .pem or .pfx format to the PCA. Using the Web Console enables you to enter the password for a .pfx key during the upload.
- Password-protected keys (.pfx) are only converted if the correct password is provided.
- Password-protected keys are converted directly to .ptl files.
- Compressed files must be flat (no directories).
- Compressed files can only contain .pem files.
The upload puts the .pem or .pfx files in the /usr/local/ctccap/etc/capturekeys directory, where they can be converted to PTL format by restarting the PCA.
https link, you can only view the existing PTL keys.
- Open the Web Console and open the SSL Keys tab.
- Click Capture Keys.
- Browse to find the file that you want to upload.
- If you selected a password-protected .pfx file, enter the password in the Password field.
- Click Upload to convert the file to PTL format and add it to the capturekeys directory.
After the required files are uploaded, restart the PCA from the Console tab.
Add PTL files to the PCA configuration manually
You can manually add .ptl files to the PCA configuration by editing the ctc-conf.xml file.
To add PTL keys manually, you must add a separate entry for each key in the CaptureKeys section of the configuration file.
Each .ptl file must be listed separately and provide a label and a complete file path between CaptureKey tags.
For example, the <CaptureKey> entry for a hypothetical PTL file named /usr/local/ctccap/etc/web1.ptl would look like the following:
<CaptureKey>
<Label>Web1 Key</Label>
<PrivateKeyFile>/usr/local/ctccap/etc/web1.ptl</PrivateKeyFile>
</CaptureKey>
- Log on to the Passive Capture host machine as root and change to directory /usr/local/ctccap/etc.
- Open the Passive Capture configuration file, ctc-conf.xml, in a text editor.
- Find the following tags.
  <CaptureKeys></CaptureKeys>
- Add a <CaptureKey> entry for each PTL file between the <CaptureKeys> tags. The following example illustrates how to add multiple entries.
  <CaptureKeys>
    <CaptureKey>
      <Label>Web1 Key</Label>
      <PrivateKeyFile>/usr/local/ctccap/etc/web1.ptl</PrivateKeyFile>
    </CaptureKey>
    <CaptureKey>
      <Label>Web2 Key</Label>
      <PrivateKeyFile>/usr/local/ctccap/etc/web2.ptl</PrivateKeyFile>
    </CaptureKey>
  </CaptureKeys>
- Restart the capture programs with the following commands.
  tealeaf stop capture
  tealeaf start capture
  If capture fails to start, review capture.log to determine the reason.
- Confirm that you have added the keys. Log on to the Web Console and confirm that the new keys are listed on the SSL Keys tab.
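The following script is an added example, not part of the Tealeaf documentation or product, for auditing ctc-conf.xml before the restart in the procedure above. It lists every PrivateKeyFile path in the file and flags entries that are not complete paths, that still point at a .pem instead of a .ptl file, whose file is missing, or whose file is not owned by the capture user with mode 0600 (the state that tealeaf pem2ptl and the chmod/chown steps above produce). The element names, the ctc-conf.xml path and the ctccap user come from this page; the function names and the KEY_OWNER override are assumptions of the example.

```shell
#!/bin/sh
# Audit the <CaptureKey> entries in ctc-conf.xml before restarting capture.
# Added example; not part of the Tealeaf documentation or product. The
# capture user is assumed to be ctccap, as on this page; override with
# KEY_OWNER if yours differs.
set -eu

CONF="${CONF:-/usr/local/ctccap/etc/ctc-conf.xml}"
KEY_OWNER="${KEY_OWNER:-ctccap}"

# Print the text of every <PrivateKeyFile> element, one per line. Splitting
# the file on '<' works whether the elements sit on separate lines or are
# run together on one line, as they often are after hand editing.
configured_key_files() {
    tr '<' '\n' < "$1" | sed -n 's/^PrivateKeyFile>//p'
}

# Report every entry that would make capture fail to start or that leaves
# key material readable by other users; return 1 if anything was reported.
# Paths are assumed not to contain whitespace.
audit_capture_keys() {
    conf="$1"
    problems=0
    for f in $(configured_key_files "$conf"); do
        case "$f" in
            /*) ;;
            *)  echo "not a complete path: $f"
                problems=$((problems + 1)); continue ;;
        esac
        case "$f" in
            *.ptl) ;;
            *)  echo "not a .ptl file (key not converted?): $f"
                problems=$((problems + 1)); continue ;;
        esac
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            problems=$((problems + 1)); continue
        fi
        # find prints the path only if both owner and exact mode match.
        if ! find "$f" -user "$KEY_OWNER" -perm 600 2>/dev/null | grep -q .; then
            echo "wrong owner or mode (want $KEY_OWNER, 0600): $f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

if [ "$#" -gt 0 ]; then audit_capture_keys "$1"; fi
```

Run it as root with the configuration file as its argument (audit_capture_keys exits non-zero if it found anything), and only then issue tealeaf stop capture and tealeaf start capture. A .pem path in the configuration is the most common reason for the mismatch between what the Web Console shows under Loaded and what capture actually uses.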
Add PTL files to the PCA configuration automatically with the Web Console
You can use the Web Console to add private keys that have already been converted to PTL format to the PCA configuration.
- Log in to the Passive Capture Web Console and open the SSL Keys tab.
- Click Loaded to view the loaded SSL keys.
- Find the file that you want to add to the configuration and enter a descriptive HTTPS key label in the Label field.
- Enter the full path name for the PTL file in the Keyfile file name field.
  For example: /usr/local/ctccap/etc/server1.ptl
- Click Add.
  The new entry for the PTL file displays on the updated page.
- Click Save Changes to add the PTL files to the configuration file.
The capture programs restart and include the new PTL files that you added. If capture fails to start, view capture.log to determine the reason.