When you export private keys from a web server, you have several options for adding the keys to the PCA. In all cases, you must begin with the key files in .pem or .pfx format.
Some methods for adding keys to the PCA convert the files to PTL format and add the converted file to the PCA. You can also convert the .pem or .pfx files to PTL yourself and add the keys separately.
Whichever method you use, remember that these files are the web server's private keys: copy them to the PCA host over an authenticated, encrypted channel, keep unencrypted .pem copies only for as long as the conversion requires, and remove them afterwards.
Convert PFX keys to PEM keys
You can run an OpenSSL command to convert a .pfx key to a .pem key.
- Decrypt the file and rename it as a .pem file. Run the following command on the Passive Capture host machine:
openssl pkcs12 -nodes -nocerts -in key1.pfx -out key1.pem
The -nocerts option extracts only the private key, and -nodes writes it unencrypted, which the PTL conversion requires. The output file therefore holds the key in cleartext: create it with a restrictive umask, keep it readable by root only, and delete it once the PTL file is in use.
- When prompted for the import password, enter the password that you used when you exported the certificate to a .pfx file. Depending on the OpenSSL release, a correct password is confirmed with the following message or simply by a silent exit with status 0; a wrong password fails with an error.
MAC verified OK.
- Validate the resulting .pem file before attempting to convert it to PTL format.
Validate a PEM key
To convert a .pem file to PTL format, the .pem file must be valid. You can validate a .pem file with the OpenSSL binary that ships with the PCA:
/usr/local/ctccap/bin/openssl rsa -check -noout -in <filename>
If the file is a valid, unencrypted RSA private key, the command reports RSA key ok. If you omit -noout, OpenSSL also echoes the key, which looks like the following:
-----BEGIN RSA PRIVATE KEY-----
.... (many lines of encoding here)
....
-----END RSA PRIVATE KEY-----
If the command prompts for a pass phrase, the key is still encrypted and must be decrypted with OpenSSL before conversion. Note that -check only confirms that the RSA components of the key are consistent with each other; it does not confirm that the key matches the certificate that the web server presents.
Convert private keys to PTL format manually
Begin with the private key as a .pem file and convert the key to PTL format. To use the converted key, you must add the PTL file to the PCA configuration separately.
Export the private key from the web server as a .pem file and copy it to the Passive Capture Application (PCA) host. You then use the pem2ptl command to convert the key to PTL in place.
- Obtain a separate .pem file for each SSL key that you want to convert.
- Transfer the .pem files to /usr/local/ctccap/etc on the server that hosts the PCA.
- Log in to the PCA server as the root user and change to directory /usr/local/ctccap/etc.
- Use the tealeaf pem2ptl command to generate the PTL files for each .pem file, as shown in the following examples. You can convert multiple keys at a time.
  - To convert keys that are named server1.pem and server2.pem, run the following command:
    tealeaf pem2ptl server1.pem server2.pem
    The command creates files that are named server1.ptl and server2.ptl in the same directory as the .pem files. The command sets the ownership and permissions of the resulting PTL files so that only the user ctccap can access them. The tealeaf pem2ptl command does not overwrite PTL files that already exist in the directory, so remove or rename a stale .ptl file first when you are replacing a key.
  - If you are using an older version of the PCA that does not provide the tealeaf pem2ptl command, use the following commands for each .pem file that you want to encrypt. Replace server1.pem with the name of your .pem file:
    /usr/local/ctccap/bin/tltenc -in server1.pem
    chmod u=rw,go= server1.ptl
    chown ctccap server1.ptl
    To convert multiple files, use the ls and xargs commands to encrypt them. Enter the following command as a single line. The ls command generates a list of file names. The pipe allows the xargs command to use the list and run the tltenc utility against each file name in the list.
    ls -1 server1.pem server2.pem server3.pem | xargs -L 1 -t /usr/local/ctccap/bin/tltenc -in
    After you run the previous command, use the following commands to set the ownership and permissions for all PTL files. It is safe to use wildcards because the ownership and permissions are the ones that are needed by the PCA to access any PTL file.
    chmod u=rw,go= *.ptl
    chown ctccap *.ptl
- Remove the .pem files from the PCA server. Confirm that Passive Capture successfully decrypts SSL connections before you permanently delete the .pem files.
After the SSL keys are loaded onto the Passive Capture host server and encrypted into PTL files, configure Passive Capture to use the PTL files. When you configure only a few PTL files, use the SSL Keys tab in the Web Console. When you configure many PTL files, you might find it easier to edit the configuration file directly with a text editor such as nano or vi.
Convert private keys to PTL format automatically
The Passive Capture Application (PCA) can automatically convert .pem files to the encrypted PTL keys that the PCA requires.
Verify that any .pem file that you are converting contains the RSA private key. The .pem files must not be password-protected. Because the PCA converts every .pem file that it finds in the capturekeys directory when capture starts, restrict write access to that directory to the accounts that administer the PCA.
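The checks above (a single unencrypted RSA private key, validated before conversion) can be scripted as a pre-flight step before a .pem file is dropped into the capturekeys directory or handed to tealeaf pem2ptl. The following is an added example written for this page; it is not part of the PCA product or its documentation. It inspects the PEM structure, rejects password-protected PKCS#1 and PKCS#8 keys, checks that the body decodes to DER, flags files that other users can read, and warns when a certificate was pasted into the same file. It does not replace openssl rsa -check, which additionally verifies the RSA components themselves. The SAMPLE_* strings are constructed: their bodies are a minimal DER SEQUENCE, not real key material.

```python
"""Pre-flight checks for a .pem private key before PTL conversion (added example)."""
import base64
import os
import re
import stat

# One PEM block: label on the BEGIN line, body, matching END line.
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels of an unencrypted private key in PKCS#1 and PKCS#8 form.
PRIVATE_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}

# Constructed samples: "MAMCAQA=" is DER for SEQUENCE { INTEGER 0 }, not a key.
SAMPLE_GOOD = ("-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n"
               "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS1_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                          "Proc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                          "MAMCAQA=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8_ENCRYPTED = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMAMCAQA=\n"
                          "-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_WITH_CERT = SAMPLE_GOOD + ("-----BEGIN CERTIFICATE-----\nMAMCAQA=\n"
                                  "-----END CERTIFICATE-----\n")


def check_pem_text(text):
    """Return the problems found in PEM text; an empty list means usable."""
    blocks = BLOCK_RE.findall(text)
    if not blocks:
        return ["no PEM block found"]
    keys = [(lbl, body) for lbl, body in blocks if "PRIVATE KEY" in lbl]
    if len(keys) != 1:
        return ["expected exactly one private-key block, found %d" % len(keys)]
    problems = []
    label, body = keys[0]
    if label == "ENCRYPTED PRIVATE KEY":
        problems.append("PKCS#8 key is password protected (ENCRYPTED PRIVATE KEY)")
    elif label not in PRIVATE_LABELS:
        problems.append("unsupported key type %r; an RSA key is required" % label)
    if "Proc-Type: 4,ENCRYPTED" in body:
        problems.append("PKCS#1 key is password protected (Proc-Type: 4,ENCRYPTED)")
    # Drop PEM header lines (they contain ':') and blank lines, then decode.
    b64 = "".join(l.strip() for l in body.splitlines()
                  if l.strip() and ":" not in l)
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return problems + ["body is not valid base64"]
    if not der or der[0] != 0x30:
        problems.append("decoded body does not start with a DER SEQUENCE")
    if any(lbl == "CERTIFICATE" for lbl, _ in blocks):
        problems.append("file also contains a certificate; copy only the key")
    return problems


def check_pem_file(path):
    """Check a .pem file on disk: permissions first, then contents."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    with open(path) as f:
        problems.extend(check_pem_text(f.read()))
    return problems


if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD),
                         ("pkcs1-encrypted", SAMPLE_PKCS1_ENCRYPTED),
                         ("pkcs8-encrypted", SAMPLE_PKCS8_ENCRYPTED),
                         ("with-cert", SAMPLE_WITH_CERT)]:
        print(name, check_pem_text(sample) or "OK")
```

Run check_pem_file on each .pem before copying it into capturekeys; a non-empty result means the PCA would either fail to convert the file or convert a key that was exposed to other local users while it sat unencrypted on disk.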
To convert one or more .pem keys to PTL keys automatically, copy each .pem file into the capturekeys directory and restart the PCA capture services.
When the PCA capture service starts or restarts, the PCA converts each .pem file in the capturekeys directory to .ptl format and loads it onto the PCA server.
Each .pem file remains in the capturekeys directory after the conversion. To avoid reconverting the files each time you restart the PCA, and to avoid leaving the unencrypted private key on disk, remove the .pem files from the capturekeys directory after you verify successful conversion.
You can convert multiple .pem files at a time.
- Copy the .pem file to the following directory:
/usr/local/ctccap/etc/capturekeys
- Restart PCA services. On startup, the PCA automatically converts each .pem key in the capturekeys directory to a separate .ptl key. For example, the PCA converts the file myprivatekey.pem to a PTL key named myprivatekey.ptl.
- To verify that a .ptl key was properly loaded, review the capture log file (/var/log/tealeaf/capture.log). Look for a log entry similar to the following message.
reassd[4681]: Autoloaded key file: /usr/local/ctccap/etc/capturekeys/myprivatekey.ptl
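After a restart with several keys in capturekeys, reading the log by eye is error-prone, and the page's advice to delete a .pem only after its conversion is verified is easy to get wrong in either direction. The following added example (written for this page, not part of the PCA) matches the "Autoloaded key file" entries that reassd writes against a listing of the capturekeys directory and reports which .ptl files loaded, which did not, and which leftover .pem files are now safe to remove. SAMPLE_LOG and SAMPLE_LISTING are constructed to match the log format shown above; the directory path is the page's default, and the log line may carry a syslog prefix, which the pattern tolerates.

```python
"""Reconcile capture.log autoload entries with the capturekeys directory (added example)."""
import os
import re

CAPTUREKEYS_DIR = "/usr/local/ctccap/etc/capturekeys"

# Matches the entry the page shows; re.search lets a timestamp/host prefix precede it.
AUTOLOAD_RE = re.compile(r"reassd\[\d+\]: Autoloaded key file: (\S+\.ptl)\s*$")

# Constructed sample log: web2 appears twice (two restarts), web3 never loaded.
SAMPLE_LOG = """\
reassd[4681]: Autoloaded key file: /usr/local/ctccap/etc/capturekeys/myprivatekey.ptl
reassd[4681]: Autoloaded key file: /usr/local/ctccap/etc/capturekeys/web2.ptl
reassd[4702]: Autoloaded key file: /usr/local/ctccap/etc/capturekeys/web2.ptl
"""

# Constructed directory listing: two .pem files were left behind after conversion.
SAMPLE_LISTING = ["myprivatekey.pem", "myprivatekey.ptl",
                  "web2.ptl", "web3.pem", "web3.ptl"]


def autoloaded_keys(log_text):
    """Full paths of every .ptl file that reassd reports as autoloaded."""
    loaded = set()
    for line in log_text.splitlines():
        m = AUTOLOAD_RE.search(line)
        if m:
            loaded.add(m.group(1))
    return loaded


def autoload_report(log_text, listing, directory=CAPTUREKEYS_DIR):
    """Classify the files in capturekeys against the autoload log entries.

    loaded / not_loaded: .ptl files with and without an autoload entry.
    pem_safe_to_remove: .pem files whose .ptl twin loaded (delete these now).
    pem_not_yet_verified: .pem files whose .ptl did not load (investigate first).
    """
    loaded = autoloaded_keys(log_text)
    report = {"loaded": [], "not_loaded": [],
              "pem_safe_to_remove": [], "pem_not_yet_verified": []}
    for name in sorted(f for f in listing if f.endswith(".ptl")):
        bucket = "loaded" if os.path.join(directory, name) in loaded else "not_loaded"
        report[bucket].append(name)
    for name in sorted(f for f in listing if f.endswith(".pem")):
        twin = name[:-len(".pem")] + ".ptl"
        bucket = "pem_safe_to_remove" if twin in report["loaded"] else "pem_not_yet_verified"
        report[bucket].append(name)
    return report


if __name__ == "__main__":
    # On a real host: read /var/log/tealeaf/capture.log and os.listdir(CAPTUREKEYS_DIR).
    for bucket, names in autoload_report(SAMPLE_LOG, SAMPLE_LISTING).items():
        print("%-22s %s" % (bucket + ":", ", ".join(names) or "-"))
```

A .ptl in not_loaded usually means the source .pem failed one of the checks in the previous section (encrypted, wrong type, or unreadable by ctccap); fix the .pem, remove the stale .ptl, and restart before deleting anything.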
Upload .pem or .pfx keys with the Web Console
You can use the Web Console to upload private keys in .pem or .pfx format to the PCA. The Web Console lets you enter the password for a .pfx key during the upload, so a password-protected key is converted without an intermediate unencrypted .pem file. Note the following restrictions:
- Password-protected keys (.pfx) are converted only if the correct password is provided.
- Password-protected keys are converted directly to .ptl files.
- Compressed files must be flat (no directories).
- Compressed files can contain only .pem files.
The upload places .pem or .pfx files in the /usr/local/ctccap/etc/capturekeys directory, where .pem files are converted to PTL format when the PCA restarts.
https link, you can only view the existing PTL keys.
- Open the Web Console and open the SSL Keys tab.
- Click Capture Keys.
- Browse to find the file that you want to upload.
- If you selected a password-protected .pfx file, enter the password in the Password field.
- Click Upload to convert the file to PTL format and add it to the capturekeys directory.
After you upload the required files, restart the PCA from the Console tab.
Add PTL files to the PCA configuration manually
You can manually add .ptl files to the PCA configuration by editing the ctc-conf.xml file.
To add PTL keys manually, you must add a separate entry for each key in the CaptureKeys section of the configuration file.
Each .ptl file must be listed separately and provide a label and a complete file path between CaptureKey tags.
For example, the <CaptureKey> entry for a hypothetical PTL file named /usr/local/ctccap/etc/web1.ptl would look like the following:
<CaptureKey>
  <Label>Web1 Key</Label>
  <PrivateKeyFile>/usr/local/ctccap/etc/web1.ptl</PrivateKeyFile>
</CaptureKey>
- Log on to the Passive Capture host machine as root and change to directory /usr/local/ctccap/etc.
- Make a backup copy of ctc-conf.xml before you edit it, so that you can restore a working configuration if capture fails to start.
- Open the Passive Capture configuration file, ctc-conf.xml, in a text editor.
- Find the following tags.
<CaptureKeys></CaptureKeys>
- Add a <CaptureKey> entry for each PTL file between the <CaptureKeys> tags. Each path must point to a .ptl file that is owned by ctccap, as produced by tealeaf pem2ptl; do not reference a .pem file here. The following example illustrates how to add multiple tags.
<CaptureKeys>
  <CaptureKey>
    <Label>Web1 Key</Label>
    <PrivateKeyFile>/usr/local/ctccap/etc/web1.ptl</PrivateKeyFile>
  </CaptureKey>
  <CaptureKey>
    <Label>Web2 Key</Label>
    <PrivateKeyFile>/usr/local/ctccap/etc/web2.ptl</PrivateKeyFile>
  </CaptureKey>
</CaptureKeys>
- Restart the capture programs with the following commands.
tealeaf stop capture
tealeaf start capture
If capture fails to start, review capture.log to determine the reason.
- Confirm that you have added the keys. Log on to the Web Console and confirm that the new keys are listed on the SSL Keys tab.
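Editing ctc-conf.xml by hand scales poorly once there are many keys, and the two mistakes that most often leave capture unable to start are a duplicated <PrivateKeyFile> entry and a path to a file that ctccap cannot read. The following added example (written for this page; it is not a PCA tool) parses the configuration, appends a <CaptureKey> for each new label/path pair, skips paths that are already configured or are not absolute .ptl paths, and separately checks that a PTL file exists, is owned by ctccap, and is not readable by group or others, which is the state tealeaf pem2ptl leaves it in. SAMPLE_CONF is a constructed fragment: the root element name <Configuration> is an assumption, and a real ctc-conf.xml contains many other sections, which ElementTree preserves. Note that ElementTree's default parser drops XML comments, so work on the backup copy and diff the result before installing it.

```python
"""Add <CaptureKey> entries to ctc-conf.xml without duplicating them (added example)."""
import os
import pwd
import stat
import xml.etree.ElementTree as ET

# Constructed fragment; the real file has more sections and a different root name.
SAMPLE_CONF = """<Configuration>
  <CaptureKeys>
    <CaptureKey>
      <Label>Web1 Key</Label>
      <PrivateKeyFile>/usr/local/ctccap/etc/web1.ptl</PrivateKeyFile>
    </CaptureKey>
  </CaptureKeys>
</Configuration>
"""


def add_capture_keys(conf_xml, new_keys):
    """Append a <CaptureKey> per (label, ptl_path); return (xml_text, added, skipped).

    A path already present under <CaptureKeys> is skipped so a re-run is idempotent.
    """
    root = ET.fromstring(conf_xml)
    section = root.find(".//CaptureKeys")
    if section is None:
        raise ValueError("no <CaptureKeys> section in configuration")
    existing = {e.text.strip() for e in section.iter("PrivateKeyFile") if e.text}
    added, skipped = [], []
    for label, path in new_keys:
        if not (os.path.isabs(path) and path.endswith(".ptl")):
            skipped.append((path, "not an absolute .ptl path"))
            continue
        if path in existing:
            skipped.append((path, "already configured"))
            continue
        key = ET.SubElement(section, "CaptureKey")
        ET.SubElement(key, "Label").text = label
        ET.SubElement(key, "PrivateKeyFile").text = path
        existing.add(path)
        added.append(path)
    if hasattr(ET, "indent"):  # Python 3.9+; cosmetic only
        ET.indent(root)
    return ET.tostring(root, encoding="unicode"), added, skipped


def ptl_problems(path, owner="ctccap"):
    """Problems that would stop the PCA from using a PTL file, or expose it."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["file does not exist"]
    problems = []
    if pwd.getpwuid(st.st_uid).pw_name != owner:
        problems.append("not owned by %s" % owner)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    return problems


if __name__ == "__main__":
    wanted = [("Web2 Key", "/usr/local/ctccap/etc/web2.ptl"),
              ("Web1 Key", "/usr/local/ctccap/etc/web1.ptl"),   # duplicate
              ("Bad", "web3.pem")]                              # not a .ptl
    xml_text, added, skipped = add_capture_keys(SAMPLE_CONF, wanted)
    print(xml_text)
    print("added:", added)
    print("skipped:", skipped)
    for _, path in wanted:
        print(path, ptl_problems(path) or "OK")
```

Run ptl_problems on every path you intend to add and only then write the new XML over ctc-conf.xml; if any path reports a problem, fix the file (chown ctccap, chmod u=rw,go=) before restarting capture, because a key the PCA cannot read fails at startup and takes the other keys down with it.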
Add PTL files to the PCA configuration automatically with the Web Console
You can use the Web Console to add private keys that have already been converted to PTL format to the PCA configuration.
- Log in to the Passive Capture Web Console and open the SSL Keys tab.
- Click Loaded to view the loaded SSL keys.
- Find the file that you want to add to the configuration and enter a descriptive HTTPS key label in the Label field.
- Enter the full path name for the PTL file in the Keyfile file name field. For example:
/usr/local/ctccap/etc/server1.ptl
- Click Add. The new entry for the PTL file is displayed on the updated page.
- Click Save Changes to add the PTL files to the configuration file.
The capture programs restart and include the new PTL files that you added. If capture fails to start, view capture.log to determine the reason.