PKI formats and usage

Available on Windows (win-x86-32, win-x86-64) and Unix (Linux-x86-64, Linux-ia64-64, Sun-x86-64, Sun-SPARC-64)

The SFTP keys can be referenced in the configuration as a PKIKEY identifier, or as a path to a file (for example, SRVPRIVKEY=#/@key). In the case of a PKIKEY identifier, the private or public key is stored in the PKI database.

You can import the following formats in the PKI database:

  • Raw DER format
  • PEM format for RSA private and public key, beginning with “BEGIN RSA PRIVATE KEY” or “BEGIN RSA PUBLIC KEY”, or X.509 public key, beginning with “BEGIN PUBLIC KEY”
  • Encrypted PEM format for RSA private key (PKCS#5), beginning with “BEGIN RSA PRIVATE KEY” and “Proc-Type: 4,ENCRYPTED”
  • PKCS8 format, beginning with “BEGIN PRIVATE KEY” or “BEGIN ENCRYPTED PRIVATE KEY”
  • SSH2 format, beginning with “BEGIN SSH2 PUBLIC KEY”
  • ssh-rsa format, beginning with “ssh-rsa”
Note: See the PKIKEYGEN command for details on how to generate and use your own keys.
Note: When using the ssh-keygen tool, keys are usually generated in encrypted PEM format, which you can import using the PKIKEY command.

Restrictions

  • Transfer CFT PKIUTIL does not support importing keys (PKIUTIL PKIKEY) if they contain comments.
  • Transfer CFT does not support keys that contain comments, regardless of whether you reference them directly or import them.
  • Transfer CFT does not support private keys with passphrases.
  • Transfer CFT SFTP only accepts private keys in the PEM RSA format, and public keys in ssh-rsa format. For example, clipubkey=#pubkey.ssh must be in the ssh-rsa format. The keys in the PKI database, however, can be used for SFTP regardless of their format.

About the PKIKEY command

A private key file contains both the private and the public key components. Because it holds both, you can use the same private key for the server and for the client; however, only the public key portion is used on the client side.

The PKIKEY command is similar to the PKICER command. Parameters include:

  • PKIFNAME: The PKI database file ($CFTPKU by default)
  • PKIPASSW: The PKI database password
  • ID: The PKIKEY identifier
  • COMMENT: Free comment
  • STATE: The state of the imported key (ACT or INACT). You cannot use deactivated keys (state=INACT) for SFTP
  • IKFORM: The key format (DER, PEM, PKCS8 or SSH). The "SSH" value includes the SSH2 format and the ssh-rsa format
  • IKPASSW: The key file protection password in PKCS8 or encrypted PEM (PKCS#5)
  • IKNAME: The key file to import
  • MODE: The action to perform (CREATE, REPLACE, DELETE)
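The format list, the Restrictions and the IKFORM/IKPASSW parameters above together define what a key file must look like before it can be imported. The following Python script is an added example, not part of Transfer CFT or of the PKIUTIL tool: it classifies a key file by its first-line header exactly as the format list describes, maps it to the IKFORM value, reports whether IKPASSW is needed (PKCS8 "ENCRYPTED PRIVATE KEY", or PKCS#5 "Proc-Type: 4,ENCRYPTED"), decodes the ssh-rsa wire blob in the two SSH formats to report the modulus size, and flags what the Restrictions reject: commented keys, and direct file references for SFTP that are not an unencrypted PEM RSA private key or an ssh-rsa public key. The function names (classify, sample_ssh_rsa, sample_ssh2) are its own, the sample keys it builds are synthetic and not real key material, and only the Python standard library is used.

```python
"""Pre-flight check of a key file before PKIUTIL PKIKEY ... IKFORM=... IKNAME=...

Added example, not Transfer CFT code. Header rules follow the format list on
the page; the ssh-rsa blob is the RFC 4253 wire format (string "ssh-rsa",
mpint e, mpint n). Sample keys below are constructed, not real.
"""
import base64
import struct

# (first-line header, IKFORM value, key kind, IKPASSW needed from the header alone)
HEADERS = [
    ("-----BEGIN RSA PRIVATE KEY-----",       "PEM",   "private", False),
    ("-----BEGIN RSA PUBLIC KEY-----",        "PEM",   "public",  False),
    ("-----BEGIN PUBLIC KEY-----",            "PEM",   "public",  False),
    ("-----BEGIN PRIVATE KEY-----",           "PKCS8", "private", False),
    ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "PKCS8", "private", True),
    ("---- BEGIN SSH2 PUBLIC KEY ----",       "SSH",   "public",  False),
    ("ssh-rsa ",                              "SSH",   "public",  False),
]


def _rsa_bits_from_blob(blob: bytes) -> int:
    """Walk the length-prefixed fields of an ssh-rsa blob; return the modulus size in bits."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated ssh-rsa blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    return int.from_bytes(fields[2], "big").bit_length()   # leading 0x00 pad is ignored


def classify(data: bytes) -> dict:
    """Return ikform, kind, needs_ikpassw, comment, bits, direct_sftp_ok and warnings."""
    r = {"ikform": None, "kind": None, "needs_ikpassw": False, "comment": None,
         "bits": None, "direct_sftp_ok": False, "warnings": []}
    if data[:1] == b"\x30":                      # raw DER starts with a SEQUENCE tag
        r["ikform"] = "DER"
        return r
    lines = [ln.strip() for ln in data.decode("ascii", "replace").splitlines() if ln.strip()]
    first = lines[0] if lines else ""
    for header, ikform, kind, needs_passw in HEADERS:
        if first.startswith(header):
            r.update(ikform=ikform, kind=kind, needs_ikpassw=needs_passw)
            break
    else:
        r["warnings"].append("unrecognised header: %r" % first[:40])
        return r
    if r["ikform"] == "PEM" and any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines):
        r["needs_ikpassw"] = True                # PKCS#5 encrypted PEM
    if first.startswith("ssh-rsa "):
        parts = first.split(None, 2)             # "ssh-rsa", base64 blob, optional comment
        r["bits"] = _rsa_bits_from_blob(base64.b64decode(parts[1]))
        if len(parts) == 3:
            r["comment"] = parts[2]
    elif first.startswith("---- BEGIN SSH2"):
        # RFC 4716 body: optional "Name: value" header lines, then base64 lines
        # (backslash-continued header lines are not handled in this example).
        body = [ln for ln in lines[1:-1] if ":" not in ln]
        r["bits"] = _rsa_bits_from_blob(base64.b64decode("".join(body)))
        for ln in lines[1:-1]:
            if ln.lower().startswith("comment:"):
                r["comment"] = ln.split(":", 1)[1].strip().strip('"')
    if r["comment"] is not None:
        r["warnings"].append("key carries a comment; Transfer CFT rejects commented keys")
    if r["needs_ikpassw"]:
        r["warnings"].append("encrypted key: pass IKPASSW on import; not usable as a direct file reference")
    # Direct file reference for SFTP: unencrypted PEM RSA private key or ssh-rsa public key.
    if r["kind"] == "private":
        ok = first.startswith("-----BEGIN RSA PRIVATE KEY-----") and not r["needs_ikpassw"]
    else:
        ok = first.startswith("ssh-rsa ")
    r["direct_sftp_ok"] = ok and r["comment"] is None
    return r


# --- constructed sample inputs (synthetic, not real keys) -------------------
def _mpint(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # +8 keeps a 0x00 pad when the top bit is set
    return struct.pack(">I", len(b)) + b


def sample_ssh_rsa(bits: int = 2048, comment: str = "") -> str:
    """Build an 'ssh-rsa <base64> [comment]' line around a synthetic modulus."""
    n = (1 << (bits - 1)) | 0x10001                # synthetic modulus of the requested size
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def sample_ssh2(bits: int = 1024, comment: str = "") -> str:
    """Wrap the same blob in the 'SSH2 PUBLIC KEY' (RFC 4716) armour."""
    b64 = sample_ssh_rsa(bits).split()[1]
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append('Comment: "%s"' % comment)
    out += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out)


ENCRYPTED_PEM = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9E18D04529594FB617BC471F9958C8A7
<encrypted key data in base 64>
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for sample in (sample_ssh_rsa(2048).encode(), sample_ssh_rsa(1024, "user@host").encode(),
                   sample_ssh2(1024, "My note").encode(), ENCRYPTED_PEM):
        print(classify(sample))
```

Run it against a real key file with `classify(open(path, "rb").read())`; an empty warnings list plus direct_sftp_ok=True means the file can be referenced directly (for example as clipubkey=#pubkey.ssh), while a PKCS8 or encrypted PEM result tells you which IKFORM and IKPASSW values the PKIKEY import needs.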

Use PKIKEYGEN to generate and import a key pair

You can create SSH keys and store them in the local PKI database as needed. Use PKIKEYGEN to generate the key pair; the generated pair is automatically imported into the local PKI database:

PKIUTIL PKIKEYGEN
ID=KEY_2048,
PKIFNAME=$CFTPKU,
PKIPASSW=CFT,
STATE=ACT,
KEYLEN=2048,
MODE=CREATE,
COMMENT="2048-bits RSA key"

Import keys depending on file format

If you already have keys that you want to use, you can import them as described in the following sections.

Import with PKCS8 format

PKIUTIL PKIKEY ID=PRIVATE,COMMENT="My_note",IKFORM=PKCS8,IKPASSW="MyPassw",
IKNAME=./conf/pki/private.pk8,PKIPASSW=CFT,MODE=CREATE

Import with encrypted PEM (PKCS#5) format

PKIUTIL PKIKEY ID=PRIVATE,COMMENT="My_note",IKFORM=PEM,IKPASSW="MyPassw",
IKNAME=./conf/pki/private.pem,PKIPASSW=CFT,MODE=CREATE

The imported private.pem file has the following structure:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9E18D04529594FB617BC471F9958C8A7
<encrypted key data in base 64>
-----END RSA PRIVATE KEY-----

Import with private.rsa format

PKIUTIL PKIKEY ID=PRIVRSA, IKFORM=PEM, IKNAME=./private.rsa, PKIPASSW=CFT, MODE=CREATE

-----BEGIN RSA PRIVATE KEY-----
MIICXwIBAAKBgQDDUPaQmmgTL90EaFPvzt9u/1AAxdeXKhTuH6QMTevV7dllkNHe
Lvuq4dYxqD04cM5VWafmSQhgSGJnMqOBWmI7p6SMw95ay3asdhBtPDydtscMi46w
UZBW4FzI2WRwuTK5vx4s2AF8+4wy7tKrR8kxHn2qnXB12ICh5/nnt2syjwIEAAEA
AQKBgQCfp5fU/hJi1LYiuzEZjo3/in2YFCC1tTVkrMKJOEy2E3WoWyfiKZ+YwIA5
GR/p+fP/uojPahWJtsGRP8h9nSc70pHLnrTdSD9iJjo6TN3Qy4wRBYFwz+AapS9m
1ND1LPU2W2I9jX8PAGaeYhcaB9dIpEg2O8KO1bpVyPlr0yvVmQJBAPjuPlfg/FzP
Rt95r2aB1C5roJW+qblAvCLhq/PZsqymrk1V4eRN8frt3ZCQlT0vlSiopIdbgX/y
k8g3oY37eMUCQQDI3O+9LD5FYb7MiKk0a0uLjgLayWzDHT073izj0phTiaJ939tc
Y+m88IOORuvsE7KzDiGxZnsqiQBq0SfqI6tDAkEA5hZQSaoLmT19pNI07erS1JVm
uQKinjjXrOYqqhpurGbkdVcMlJn3MJjsUtNRHlz84bf/W52Y9Uqijk3dZf8qgQJA
aLxzseOpEMqYD9TOzguIl9tT97uCH/dWH6qJI76DOUQSW6pnmrRqg9+x6XVnvXDE
BIPA49z5KkPH2Or48ijpOwJBAMCm2jtFcDnxBSOfM5bHeddNCj2ZBKdSNWTX+dnF
UDYpXmOUXHBz2M2IVsFvjsmu9FZhE+W+ZdWanavR4D5qNbU=
-----END RSA PRIVATE KEY-----

Import with public.ssh2 format

PKIUTIL PKIKEY ID=PUBSSH2, IKFORM=SSH, IKNAME=./public.ssh2, MODE=CREATE

---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDDUPaQmmgTL90EaFPvzt9u/1AAxdeXKhTuH
6QMTevV7dllkNHeLvuq4dYxqD04cM5VWafmSQhgSGJnMqOBWmI7p6SMw95ay3asdhB
tPDydtscMi46wUZBW4FzI2WRwuTK5vx4s2AF8+4wy7tKrR8kxHn2qnXB12ICh5/nnt2syjw==
---- END SSH2 PUBLIC KEY ----

Import with public.ssh-rsa format

PKIUTIL PKIKEY ID=PUBSSHRSA, IKFORM=SSH, IKNAME=./public.ssh-rsa, MODE=CREATE

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDDUPaQmmgTL90EaFPvzt9u/1AAxdeXKhTuH6QMTevV7dllkNHeLvuq4dYxqD04cM5VWafmSQhgSGJnMqOBWmI7p6SMw95ay3asdhBtPDydtscMi46wUZBW4FzI2WRwuTK5vx4s2AF8+4wy7tKrR8kxHn2qnXB12ICh5/nnt2syjw== = KeyType=RSA Date=20170612 User=MyUser Comment=This is a free comment

Import with public.pem format

PKIUTIL PKIKEY ID=PUBPEM, IKFORM=PEM, IKNAME=./public.pem, MODE=CREATE

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDUPaQmmgTL90EaFPvzt9u/1AA
xdeXKhTuH6QMTevV7dllkNHeLvuq4dYxqD04cM5VWafmSQhgSGJnMqOBWmI7p6SM
w95ay3asdhBtPDydtscMi46wUZBW4FzI2WRwuTK5vx4s2AF8+4wy7tKrR8kxHn2q
nXB12ICh5/nnt2syjwIDAQAB
-----END PUBLIC KEY-----

Activate/deactivate a key

Use the ACT/INACT commands to activate or deactivate, respectively, a key when using SFTP.

Example

Use the LISTPKI command to list available keys:

>LISTPKI
Keys: Id.              S K Bits
      ---------------- - - ----
      CFT_SSH_PRIV     A x 2048
      CFT_SSH_PUB      A   2048

PKIU00I LISTPKI _ Correct ()

Example

This example demonstrates key deactivation where I indicates [INACT] and A indicates [ACT].

>listpki
Keys: Id.              S K Bits
      ---------------- - - ----
      CFT_SSH_PRIV     A x 2048
      CFT_SSH_PUB      A   2048

>inact type=key

>listpki
Keys: Id.              S K Bits
      ---------------- - - ----
      CFT_SSH_PRIV     I x 2048
      CFT_SSH_PUB      I   2048
