Managing private keys

SSL certificates that are managed by the private key agent are indicated in the Private Key column on the SSL Certificates page.

Private key management, including manual upload, download, and deletion, is performed by navigating to the SSL Certificate dialog accessed through the SSL Certificates page.

Uploading and downloading private keys

To upload or download the private key associated with a managed certificate, you must be logged in to SCM on a computer in the same local network on which the private key agent is installed, and have a personal authentication certificate installed on your computer.

Private keys can only be uploaded and downloaded by administrators who have a valid client certificate selected under the Certificate Auth option in their administrator settings.

On download, the private key agent retrieves a copy of the certificate from SCM over an encrypted connection, merges it with the private key, and provisions the certificate to the requestor. This ensures the private key doesn’t leave the network.

Although the upload or download is initiated via SCM, the private key is not transferred to the SCM servers and never leaves your network.

Upload private keys

  1. Navigate to Certificates > SSL Certificates.

  2. Select the appropriate certificate and click View.

  3. Select the Management tab and expand Locations.

  4. Click Create and select Import Private Key.

  5. Paste the private key or click Upload From File and select the private key.

  6. Enter the Key Passphrase.

  7. Click Save.

Download public and private keys

  1. Navigate to Certificates > SSL Certificates.

  2. Select the appropriate certificate and click View.

  3. Click the Download icon.

  4. Select Certificate and Private Key.

  5. Select the appropriate download format.

    The supported formats are:

    • .p12

    • .jks

    • .pem

  6. Set the passphrase for the private key download.

  7. Click Download.
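A post-download check, added here and not part of the SCM documentation: it uses OpenSSL to confirm that the key inside a downloaded "Certificate and Private Key" bundle actually belongs to the certificate, and that the passphrase set in step 6 is required to open the key. It assumes OpenSSL is installed; the function names and the throwaway self-signed bundle it builds are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not SCM's own tooling). Requires the openssl CLI.

# Succeeds if the key and certificate inside a .p12 bundle belong together.
# $1 = path to the downloaded .p12, $2 = passphrase set at download time.
verify_p12_bundle() {
    bundle=$1; pass=$2
    # Public key as carried by the certificate
    cert_pub=$(openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
               | openssl x509 -noout -pubkey 2>/dev/null) || cert_pub=""
    # Public key derived from the private key in the same bundle
    key_pub=$(openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null) || key_pub=""
    # A wrong passphrase leaves cert_pub empty, so the check fails closed
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if a .pem private key is encrypted, i.e. a wrong passphrase is
# rejected. An unencrypted key would open regardless and the check fails.
# $1 = path to the PEM-encoded private key.
key_requires_passphrase() {
    ! openssl pkey -in "$1" -passin "pass:deliberately-wrong" -noout 2>/dev/null
}

# Constructed sample material so the checks can be exercised offline: a
# throwaway self-signed certificate packed the way an SCM download would be.
# $1 = scratch directory, $2 = passphrase to protect the bundle with.
make_sample_bundle() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    # .p12 form of the download
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/bundle.p12" -passout "pass:$pass" 2>/dev/null
    # .pem form of the download: key encrypted under the same passphrase
    openssl pkey -in "$dir/key.pem" -aes256 -passout "pass:$pass" \
        -out "$dir/key.enc.pem" 2>/dev/null
}
```

Run `verify_p12_bundle` against the real bundle with the passphrase you set; any mismatch means the file does not hold the key for the certificate you selected.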

Remove private keys

  1. Navigate to Certificates > SSL Certificates.

  2. Select the appropriate certificate and click Details.

  3. In the SSL Certificate dialog, select the Management tab, and expand Locations.

  4. Next to the Private Key Agent location, click Delete.

Back up private keys

When using a Local PKS, you can configure backup for the private key agent on a remote SFTP server and run scheduled backups.

While backup is only available for a Local PKS, you can restore keys from the backup to any PKS.

  1. Navigate to Integrations > Private Key Agent.

  2. Complete the Backup Settings fields based on the information provided in the following table.

    Field                 Description

    SFTP location         The path on the SFTP server where the backup is to be created

    SFTP User             The username of your account on the SFTP server

    SFTP Password         The password of your account on the SFTP server

    Backup File Password  The password for your backup file. This is required when
                          restoring from the backup.

    Frequency             The schedule for how and when backups should occur:

                          • Manual — Backups are run manually on the Private Key Agent page.
                            You should run the backup every time a new private key is
                            uploaded to the PKS or a new certificate is enrolled using the
                            CSR auto-generator.

                          • Daily — (Recommended) Backups are run daily at the time
                            specified in the Next backup at list.

  3. Click Save.

Restore private keys

If the private key agent is lost, you can restore the keys from your backup by installing another private key agent and configuring it from the Private Key Store page.

  1. Navigate to Integrations > Private Key Agent.

  2. Complete the Restore Existing Private Keys Store From Backup fields based on the information provided in the following table.

    Field                 Description

    SFTP file location    The path on the SFTP server where the backup file is located

    SFTP User             The username of your account on the SFTP server

    SFTP Password         The password of your account on the SFTP server

    Backup File Password  The password that was set for the backup file when it was created

  3. Click Restore.