The Certificate and Key Manager (CKM) utility is a subsystem of the Sun Secure Application Switch that allows you to create, manage, and store cryptographic keys and certificates. CKM provides a centralized key management service for several system applications, such as the Secure Sockets Layer (SSL) protocol and the Secure Shell (SSH) protocol, that protect data and transactions. When CKM generates a new key pair, it produces two mathematically related keys, one private and one public, and stores them under a unique name. The private key is kept secret: it is never displayed and never transmitted over the network. The public key, once it has been bound to a fully qualified domain name (FQDN) and signed by a Certificate Authority (CA), forms the basis of an X.509 certificate. A certificate is a digitally signed document that identifies the subject and contains the subject's public key together with the CA's digital signature over that data. It is by verifying this signature, and the binding it makes between the FQDN and the public key, that an SSL client authenticates the server in an SSL transaction.
Several of the CKM commands take a keyId argument to reference a key pair. When you are working with existing keys, you must supply a namedIndex, which lets you tab-complete the name of an existing key pair. This applies to the following commands:
When you execute commands that create a new key, you must instead supply keyText, free-form text that becomes the keyId name of the new pair. This applies to the following commands:
CKM can generate two types of key pairs: Digital Signature Algorithm (DSA) keys for SSH operations, and RSA (named for its authors, Rivest, Shamir, and Adleman) keys for SSL operations. Both are public-key algorithms that can be used for digital signatures; RSA can also be used for encryption. Note that DSA has since been deprecated for SSH keys in current OpenSSH releases, so treat the DSA option as legacy when connecting from modern clients.
When terminating SSL, a virtual service requires an RSA private key and a matching RSA X.509 certificate. Through CKM, you can either generate these keys on the switch or move them between systems: use the import commands to transfer previously generated keys and certificates onto the Sun Secure Application Switch, or the export commands to transfer them to other systems. If you generate a new key pair on the switch, you can build a Certificate Signing Request (CSR) from it and submit the CSR to a CA, typically through the CA's Web site. (Verify the accepted submission method at your chosen CA's Web site, and confirm that you are talking to the genuine CA before sending anything.) When the CA returns the signed certificate, you import it onto the system; the imported certificate replaces the unsigned public-key data stored under that keyId. Import it under the keyId whose key pair produced the CSR: a certificate is only usable together with the private key that matches its public key.
Note: Although you can create the keys and certificates necessary to implement SSL communication through the Sun Secure Application Switch with these commands, the system does not support SSL unless it contains the hardware to do so. Verify that the FX-SSL module is installed before assuming that SSL is active on your system. Check with your sales representative if you are unsure.
In summary, the Sun Secure Application Switch can either generate new keys or, if you have previously generated keys elsewhere, import them for SSL use.
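The CKM command syntax is not reproduced on this page, so the following added example shows the same generate-key, build-CSR, obtain-certificate, import sequence with OpenSSL on an ordinary workstation, as you would do it when preparing a key pair for the import commands. It is example code written for this page, not the switch's CKM commands or Sun's code. A locally generated test CA (constructed for the example) stands in for the real CA, the hostname www.example.com is a placeholder, and the working directory is a temporary directory. The part worth copying is the three checks run before import: the certificate's public key must match the private key you generated, the certificate must chain to the issuing CA, and it must name the FQDN the virtual service will serve.

```shell
#!/bin/sh
# Added example (not Sun's CKM code): RSA key, CSR, CA signature, pre-import checks.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"     # scratch directory, assumed writable
FQDN="${FQDN:-www.example.com}"        # placeholder hostname for the example

# Step 1: generate the RSA key pair. The private key is created here and
# never leaves this host; only the CSR and the certificate travel.
gen_rsa_key() {   # $1 = private key output path
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# Step 2: build a CSR that binds the public key to the FQDN for the CA to sign.
build_csr() {     # $1 = private key, $2 = FQDN, $3 = CSR output path
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# Constructed stand-in for the real CA: a self-signed test CA valid for one day.
make_test_ca() {  # $1 = CA key output, $2 = CA certificate output
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -days 1 \
        -subj "/CN=Example Test CA" 2>/dev/null
}

# Step 3: the CA signs the CSR and returns an X.509 certificate naming the FQDN.
sign_csr() {      # $1 = CSR, $2 = CA key, $3 = CA cert, $4 = FQDN, $5 = cert output
    printf 'subjectAltName=DNS:%s\n' "$4" > "$WORKDIR/san.ext"
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$2" -CAcreateserial -days 1 \
        -extfile "$WORKDIR/san.ext" -out "$5" 2>/dev/null
}

# Check A: the returned certificate carries the public key of OUR private key.
# Compares the SubjectPublicKeyInfo from both sides; returns 0 only on a match.
cert_matches_key() {   # $1 = certificate, $2 = private key
    c=$(openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256)
    k=$(openssl rsa -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Check B: the certificate chains to the CA we expected to sign it.
cert_chains_to_ca() {  # $1 = certificate, $2 = CA certificate
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check C: the certificate names the FQDN the virtual service will serve.
cert_names_fqdn() {    # $1 = certificate, $2 = FQDN
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Full workflow; with set -e, any failed check aborts before "ready to import".
run_workflow() {
    gen_rsa_key   "$WORKDIR/server.key"
    build_csr     "$WORKDIR/server.key" "$FQDN" "$WORKDIR/server.csr"
    make_test_ca  "$WORKDIR/ca.key" "$WORKDIR/ca.crt"
    sign_csr      "$WORKDIR/server.csr" "$WORKDIR/ca.key" "$WORKDIR/ca.crt" \
                  "$FQDN" "$WORKDIR/server.crt"
    cert_matches_key "$WORKDIR/server.crt" "$WORKDIR/server.key"
    cert_chains_to_ca "$WORKDIR/server.crt" "$WORKDIR/ca.crt"
    cert_names_fqdn   "$WORKDIR/server.crt" "$FQDN"
    echo "certificate for $FQDN in $WORKDIR is ready to import"
}

run_workflow
```

Check A is the one that catches the most common mistake: importing a certificate under a keyId other than the one that produced the CSR. A certificate signed for a different key pair passes checks B and C but fails A, and the virtual service would then have no usable private key for it.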