When you export private keys from a web server, you have several options for adding the keys to the PCA. In all cases, you must begin with the key files in
Some methods for adding keys to the PCA convert the files to PTL format and add the converted file to the PCA. You can also convert the
.pfx files to PTL and add the keys separately.
Convert PFX keys to PEM keys
You can run an Open SSL command to convert a
.pfx key to a
- Decrypt the file and rename it as a
.pemfile. Run the following command on the Passive Capture host machine:
openssl pkcs12 -nodes -nocerts -in key1.pfx -out key1.pem
- When prompted for the import password, enter the password that you used when you export the certificate to a
You must receive the following message:
MAC verified OK.
- Validate the resulting
.pemfile before attempting to convert it to PTL format.
Validate a PEM key
To convert a
.pem file to PTL format, the
.pem file must be valid. You can validate a
.pem file with OpenSSL.
/usr/local/ctccap/bin/openssl rsa -check -noout -in <filename>
If the file is a valid
.pem key, you see the following result.
-----BEGIN RSA PRIVATE KEY----- .... (many lines of encoding here) .... -----END RSA PRIVATE KEY-----
Convert private keys to PTL format manually
Begin with the private key as a
.pem file and convert the key to PTL format. To use the converted key, you must add the PTL file to the PCA configuration separately.
Export the private key from the web server as a
.pem file and copy it into the Passive Capture Application (PCA). You then use the
pem2ptl command to convert the key to PTL in place.
- Obtain a separate
.pemfile for each SSL key that you want to convert.
- Transfer the
/usr/local/ctccap/etcon the server that hosts the PCA.
- Log in to the PCA server as the root user and change to directory
- Use the
tealeaf pem2ptlcommand to generate the PTL files for each
.pemfile, as shown in the following examples. You can convert multiple keys at a time.
- To convert keys that are named
server2.pem, run the following command:
tealeaf pem2ptl server1.pem server2.pem
The command creates files that are named
server2.ptlin the same directory as the
The command sets the ownership and permissions of the resulting PTL files to allow only the user
ctccapto access the files.
tealeaf pem2ptlcommand does not create new PTL files if they already exist in the folder.
- If you are using an older version of the PCA that does not provide the
tealeaf pem2ptlcommand, use the following commands for each
.pemfile that you want to encrypt. Replace
server1.pemwith the name of your
/usr/local/ctccap/bin/tltenc -in server1.pem chmod u=rw,go= server1.ptl chown ctccap server1.ptl
To convert multiple files, use the
xargscommands to encrypt them. Enter the following command as a single line. The
lscommand generates a list of file names. The pipe allows the
xargscommand to use the list and run the
tltencutility against each file name in the list.
ls -1 server1.pem server2.pem server3.pem | xargs -L 1 -t \ /usr/local/ctccap/bin/tltenc -in
After you run the previous command, use the following commands to set the ownership and permissions for all PTL files. It is safe to use wildcards because the ownership and permissions are the ones that are needed by the PCA to access any PTL file.
chmod u=rw,go= *.ptl chown ctccap *.ptl
- To convert keys that are named
- Remove the
.pemfiles from the PCA server. Confirm that Passive Capture successfully decrypts SSL connections before you permanently delete the
After the SSL keys are loaded onto the Passive Capture host server and encrypted into PTL files, configure Passive Capture to use the PTL files. When you must configure a few PTL files, use the SSL Keys tab in the Web Console. When you configure PTL files, you can find it easier to use a text editor like nano or vi to edit the configuration file directly.
Convert private keys to PTL format automatically
The Passive Capture Application (PCA) can automatically convert
.pem files to the encrypted PTL keys that the PCA requires.
Verify that any
.pem file that you are converting contains the RSA private key. The
.pem files must not be password-protected.
To convert one or more
.pem keys to PTL keys automatically, copy each
.pem file into the
capturekeys directory and restart PCA capture services.
When the PCA capture service starts or restarts, the PCA converts each
.pem file in the
capturekeys directory to
.ptl format and loads onto the PCA server.
.pem file remains in the
capturekeys directory after the conversion. To avoid reconverting the files each time you restart the PCA, remove the
.pem files from the
capturekeys directory after you verify successful conversion.
.pemfiles at a time.
- Copy the
.pemfile to the following directory:
- Restart PCA services.
On startup, the PCA automatically converts each
.pemkey in the
capturekeysdirectory to a separate
For example, the PCA converts the file
myprivatekey.pemto a PTL key named
- To verify that a
.ptlkey was properly loaded, review the capture log file (
var/log/tealeaf/capture.log). Look for a log entry similar to the following message.
reassd: Autoloaded key file: /usr/local/ctccap/etc/capturekeys/myprivatekey.ptl
Upload .pem or .pfx keys with the Web Console
You can use the Web Console to upload private keys in
.pfx format to the PCA. Using the Web Console enables you to enter the password for a
.pfx key during the upload.
- Password protected keys (pfx) are only converted if the correct password is provided.
- Password protected keys are converted directly to ptl files.
- Compressed files must be flat (no directories).
- Compressed files can only contain pem files.
The upload puts the
.pfx files in the
/usr/local/ctccap/etc/capturekeys directory, where they can be converted to PTL format by restarting the PCA.
httpslink, you can only view the existing PTL keys.
- Open the Web Console and open the SSL Keys tab.
- Click Capture Keys.
- Browse to find the file that you want to upload.
- If you selected file a password-protected
.pfxfile, enter the password in the Password field.
- Click Upload to convert the file to PTL format and add it to the
After the required files are uploaded, the PCA must be restarted on the Console tab.
Add PTL files to the PCA configuration manually
You can manually add
.ptl files to the PCA configuration by editing the
To add PTL keys manually, you must add a separate entry for each key in the
CaptureKeys section of the configuration file.
.ptl file must be listed separately and provide a label and a complete file path between
For example, the
<CaptureKey> entry for a hypothetical PTL file named
/usr/local/ctccap/etc/web1.ptl would look like the following:
<CaptureKey> <Label>Web1 Key</Label> <PrivateKeyFile>/usr/local/ctccap/etc/web1.ptl</PrivateKeyFile> </CaptureKey>
- Log on to the Passive Capture host machine as
rootand change to directory
- Open the Passive Capture configuration file,
ctc-conf.xml, in a text editor.
- Find the following tags.
- Add a
<CaptureKey>entry for each PTL file between the
The following example illustrates how to add multiple tags.
<CaptureKeys> <CaptureKey> <Label>Web1 Key</Label> <PrivateKeyFile>/usr/local/ctccap/etc/web1.ptl</PrivateKeyFile> </CaptureKey> <CaptureKey> <Label>Web2 Key</Label> <PrivateKeyFile>/usr/local/ctccap/etc/web2.ptl</PrivateKeyFile> </CaptureKey> </CaptureKeys>
- Restart the capture programs with the following commands.
Tealeaf stop capture Tealeaf start capture
If capture fails to start, review
capture.logto determine the reason.
- Confirm that you have added the keys. Log on to Web Console and confirm that the new keys are listed on the SSL Keys tab.
Add PTL files to the PCA configuration automatically with the Web Console
You can use the Web Console to add private keys that have already been converted to PTL format to the PCA configuration.
- Log in to the Passive Capture Web Console and open the SSL Keys tab.
- Click Loaded to view the loaded SSL keys.
- Find the file that you want to add to the configuration and enter a descriptive HTTPS key label in the Label field.
- Enter the full path name for the PTL file in the Keyfile file name field.
- Click Add.
The new entry for the PTL file displays on the updated page.
- Click Save Changes to add the PTL files to the configuration file.
The capture programs restarts and includes the new PTL files that you added.
If capture fails to start, view
capture.logto determine the reason.
Please sign in to leave a comment.