To capture and decrypt SSL-encrypted web traffic, you must add the appropriate SSL private keys to the Passive Capture Application (PCA) configuration. Before you add the keys, you must convert them to the proprietary encrypted PTL format.
Typically, SSL private keys are provided in PEM format. Before you begin, verify that any PEM file that you are planning to convert contains the RSA private key.
The PEM file is an ASCII text file that contains the SSL key in an encoded form. For example:
-----BEGIN RSA PRIVATE KEY-----
MII ... (many lines of encoding here)
....
-----END RSA PRIVATE KEY-----
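The following shell script is an added example; it is not part of the PCA documentation or the product's own tooling, and the function names and sample file contents are constructed for illustration. It performs the "verify that the PEM file contains the RSA private key" check described above by inspecting the PEM header lines, and distinguishes the plain RSA block shown above from a certificate-only file, an unencrypted PKCS#8 key (which uses a different header), and a passphrase-protected key.

```shell
#!/bin/sh
# Added example, not part of the PCA documentation or the product's own tooling.
# It inspects a PEM file's header lines so that you can confirm, before the PTL
# conversion step, that the file carries an RSA private key rather than a
# certificate, a PKCS#8 key, or a passphrase-protected key.
# Function names and the sample file contents are constructed for this example.

# pem_key_kind FILE: print a one-word classification of the file's key block.
pem_key_kind() {
    f="$1"
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" \
       || grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        # Passphrase-protected (PKCS#8 or legacy PKCS#1 with a Proc-Type header);
        # the passphrase must be removed before the key can be converted.
        echo encrypted-key
    elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$f" \
         && grep -q -- '-----END RSA PRIVATE KEY-----' "$f"; then
        # Traditional PKCS#1 RSA block, the header shown in the documentation.
        echo rsa-private-key
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$f"; then
        # Unencrypted PKCS#8 wrapper: the key may be RSA, but the header is not
        # the "RSA PRIVATE KEY" form; re-export or convert it before proceeding.
        echo pkcs8-private-key
    else
        # No private key block at all (for example a certificate-only file).
        echo no-private-key
    fi
}

# pem_ready_for_ptl FILE: exit 0 only when FILE holds a plain RSA private key;
# otherwise print a short reason and exit 1.
pem_ready_for_ptl() {
    kind=$(pem_key_kind "$1")
    case "$kind" in
        rsa-private-key)
            echo "$1: RSA private key found; ready for PTL conversion"
            return 0 ;;
        encrypted-key)
            echo "$1: key is passphrase-protected; remove the passphrase first" ;;
        pkcs8-private-key)
            echo "$1: PKCS#8 header; export the key in RSA PRIVATE KEY form" ;;
        *)
            echo "$1: no private key block found" ;;
    esac
    return 1
}

# make_sample_pem FILE: write a constructed PEM-shaped file. The body is a
# placeholder, not real key material.
make_sample_pem() {
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' \
        'PLACEHOLDER-BODY-NOT-A-REAL-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$1"
}

# Usage: sh check_pem.sh /path/to/server.pem
if [ "$#" -gt 0 ]; then
    pem_ready_for_ptl "$1"
fi
```

A file that reports encrypted-key can have its passphrase removed with the standard OpenSSL command `openssl rsa -in protected.pem -out plain.pem` before you convert it; keep the resulting plaintext key on the PCA host only for as long as the conversion needs it.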
Private keys can also be provided as a PFX file. Both types of keys must be converted to PTL format for use by the PCA.
Making a private key available for use by the PCA involves the following steps.
- Acquire the private key. Export the key from the web server that is communicating with the PCA as a .pem or .pfx file. The exact steps that are required depend on the web server.
- Convert the key to PTL format.
- Add the PTL files to the PCA configuration manually or automatically.
Private key encryption for the PCA
You cannot add a .pem or .pfx file directly from a web server. Instead, you must convert the key file to the PTL format. PTL is a proprietary encrypted format.
The encrypted PTL file contains the SSL key and a machine-specific hash ID. The file is encrypted by using the 3DES algorithm. Because the encryption is specific to a single PCA, the contents of the SSL key cannot be accessed and used by any other PCA.
The encrypted key embeds some data that is unique to the Network Interface Cards (NICs) installed on the PCA host machine. If you add or remove NICs, or move the PCA to a new machine with different cards, you must regenerate the PTL keys from the master key PEM files.
Acquiring SSL private keys
To acquire keys that are required to decrypt web application traffic that is transmitted over HTTPS, you must export a copy of the private key from an existing web server to the Passive Capture software.
Export the key in the .pem or .pfx format so that it can be converted and loaded into the Passive Capture Application. The exact steps required to export the key from the web server depend on the web server. Consult the web server documentation for the required procedures.