
Alcatel-Lucent 7450 - Page 38

Configuring IP Router Parameters
38 Router Configuration Guide
key-rollover keyword: see the RSA key pair rollover mechanism section that follows.
Creates the file cfx:\system-pki\secureNdKey (fixed directory and file name) and
saves the imported key in that file in encrypted der format (same as the admin
certificate import command).
The RSA key pair is uploaded in the memory of SeND.
RSA key pair rollover mechanism
To trigger a key rollover, use the admin certificate secure-nd-import command described
in the previous section Import an online/offline generated RSA key pair.
For example:
admin certificate secure-nd-import cf1:\myDir\myOtherRsaKeyPair format der key-rollover
If CGAs exist that are generated based on an auto-generated or previously imported
RSA key pair and the key-rollover keyword is not specified, the secure-nd-import
command is refused.
If a secure-nd-import with key-rollover is requested while a previous key rollover
is still being handled, the new command is refused.
If the secure-nd-import command is accepted, the imported RSA key pair is written
to the file cfx:\system-pki\secureNdKey and loaded to SeND. Existing CGAs, if any,
are regenerated.
While handling a key rollover, SeND keeps track of which interface uses which RSA
key pair. Hence SeND can temporarily have two RSA key pairs in use. At all times,
only the latest RSA key pair is stored in the file cfx:\system-pki\secureNdKey. When
the rollover is finished, the RSA key pair that is no longer referred to is deleted from
SeND’s memory.
Auto-generation of RSA key pair
The first time an interface becomes SeND enabled, SeND needs an RSA key pair to generate
or check a modifier and to generate a CGA.
If the operator did not import an RSA key pair for SeND, an auto-generated RSA key pair
will be used as a fallback.
The auto-generated RSA key pair is synced to the standby CPM, as in the previous
release, but it will not be written to the CF. Therefore, all CGAs generated via an
auto-generated RSA key pair are not persistent. A warning will be given whenever a
non-persistent CGA is generated.
The admin certificate secure-nd-import command without the key-rollover keyword will
be refused if CGAs exist that made use of the auto-generated RSA key pair. Specifying the
key-rollover keyword will result in regeneration of the CGAs.
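
Why a key rollover forces CGA regeneration, as an added example (not taken from this guide or from the router software): following RFC 3972, the CGA interface identifier is a SHA-1 hash over the modifier, subnet prefix and public key, so an address bound to the old key no longer verifies against the new one. The key bytes, the prefix and the Sec value of 1 are constructed assumptions, and extension fields are omitted.

```python
import hashlib
import ipaddress

# Constructed stand-ins for DER-encoded RSA public keys (not real keys).
OLD_KEY = b"constructed-placeholder-DER-public-key-before-rollover"
NEW_KEY = b"constructed-placeholder-DER-public-key-after-rollover"
PREFIX = ipaddress.IPv6Address("2001:db8:0:1::").packed[:8]  # documentation prefix


def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 condition: the 16*Sec leftmost bits of the digest must be zero."""
    digest = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return digest[:2 * sec] == bytes(2 * sec)


def find_modifier(pubkey: bytes, sec: int) -> bytes:
    """Brute-force a 128-bit modifier that satisfies Hash2 for this key."""
    m = 0
    while not hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m += 1
    return m.to_bytes(16, "big")


def generate_cga(prefix, pubkey, modifier, sec, collision_count=0):
    """Hash1 over (modifier | prefix | collision count | key) gives the interface ID."""
    digest = hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()
    iid = bytearray(digest[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # Sec in bits 0-2, u/g bits 6-7 cleared
    return ipaddress.IPv6Address(prefix + bytes(iid))


def verify_cga(addr, pubkey, modifier, collision_count=0):
    """Receiver-side check: recompute the address from the claimed parameters."""
    prefix, sec = addr.packed[:8], addr.packed[8] >> 5
    if collision_count not in (0, 1, 2) or not hash2_ok(modifier, pubkey, sec):
        return False
    return generate_cga(prefix, pubkey, modifier, sec, collision_count) == addr


def rollover(sec=1):
    """Return (old address, old modifier, new address, new modifier)."""
    old_mod, new_mod = find_modifier(OLD_KEY, sec), find_modifier(NEW_KEY, sec)
    return (generate_cga(PREFIX, OLD_KEY, old_mod, sec), old_mod,
            generate_cga(PREFIX, NEW_KEY, new_mod, sec), new_mod)


if __name__ == "__main__":
    old_addr, old_mod, new_addr, new_mod = rollover()
    print("before rollover:", old_addr, verify_cga(old_addr, OLD_KEY, old_mod))
    print("after rollover: ", new_addr, verify_cga(new_addr, NEW_KEY, new_mod))
    print("old address with new key:", verify_cga(old_addr, NEW_KEY, new_mod))
```

The old address failing verification against the new key is the reason existing CGAs cannot be carried across an import and must be regenerated.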
