Jc W. asked:

How can I delete expired and unused SSL encryption keys from our AMD?

nam probe

Chris V. answered:

It's a manual process.

Unless you're using an HSM (Hardware Security Module, aka hardware SSL accelerator), the keys will be stored on disk in the folder:

/usr/adlex/config/keys

Use the rcon command:

show ssldecr keys

It'll list which keys are loaded and show which ones are actually being used for traffic; you can then remove the keys from the keylist file and then delete the keys from disk.

If you are using an HSM, you should follow the instructions that come with the card, as each card has its own command line tools for key management.


Thanks for your quick response Chris! Unfortunately I'm a DCRUM newb and forgot to mention that we're using an nCipher HSM.

I've found multiple examples of how to load a key and have done that successfully, but have been unable to find anything related to the card. I'll hit up our company reps and see if anyone has more info.

Thanks again for your help.


Hi Jc W,

As Chris said, it's a manual process, and the following is what I've done in our environment:

  1. Make a backup, /usr/adlex/config/keys/whateverSSL.pem.bak (in case there is any issue).
  2. Copy the new whateverSSL.pem over the old whateverSSL.pem. (I used this step due to some constraints, and being too lazy to make changes in the key list.)
  3. Restart the AMD services with ndstop & ndstart.
  4. Once you have executed show ssldecr keys and found no issue, then proceed:

rm -rf /usr/adlex/config/keys/whateverSSL.pem.bak

Voila, finished.

Hope this helps, from newbie to newbie :-)

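The on-disk procedure above (list the loaded keys, drop the unused ones from the keylist, delete them from the key folder) is safer if stale files are quarantined first and only removed after `show ssldecr keys` confirms decryption still works. The helpers below are an added example, not code from this thread or from the AMD product; they assume a hypothetical keylist format (a plain-text file naming one key file per line) and take the key folder and keylist path as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): find *.pem files in the AMD key folder
# that the keylist no longer references, and move them to a quarantine
# directory so they can be restored if "show ssldecr keys" reveals a mistake.
# Assumption (hypothetical): KEYLIST is a plain-text file with one key file
# name per line; lines starting with '#' are comments.

# find_unreferenced_keys KEYS_DIR KEYLIST
# Prints, one per line, the basenames of *.pem files not named in KEYLIST.
find_unreferenced_keys() {
    keys_dir=$1
    keylist=$2
    # Refuse to run with an unreadable keylist: otherwise every key on disk
    # would look "unreferenced" and the whole folder would be quarantined.
    [ -r "$keylist" ] || { echo "keylist not readable: $keylist" >&2; return 1; }
    for f in "$keys_dir"/*.pem; do
        [ -e "$f" ] || continue          # glob matched nothing
        name=$(basename "$f")
        # -x: whole-line match, -F: literal (dots in names are not regex)
        if ! grep -v '^[[:space:]]*#' "$keylist" | grep -qxF "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# quarantine_unreferenced_keys KEYS_DIR KEYLIST QUARANTINE_DIR
# Moves every unreferenced key into QUARANTINE_DIR and prints how many moved.
# Nothing is deleted; remove the quarantine directory only after the AMD has
# been restarted (ndstop/ndstart) and decryption verified.
quarantine_unreferenced_keys() {
    keys_dir=$1
    keylist=$2
    qdir=$3
    mkdir -p "$qdir"
    count=0
    for name in $(find_unreferenced_keys "$keys_dir" "$keylist"); do
        mv "$keys_dir/$name" "$qdir/$name"
        count=$((count + 1))
    done
    echo "$count"
}
```

Run `find_unreferenced_keys /usr/adlex/config/keys <keylist>` first as a dry run, and only quarantine once the printed list matches what `show ssldecr keys` reports as unused.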
Antoine B. answered:

Hi,

Using an nCipher SSL card, when you import an SSL key, the tool creates a file "key_pkcs11_*" in the folder "/opt/nfast/kmdata/local".

See this example output:

Key successfully imported. Path to key: /opt/nfast/kmdata/local/key_pkcs11_uced028e5251b7b6891e7e59dec5428d871f92241b-c70e6451e8d793ca80a497267ccb9bc73bd55edb

I would say deleting the right "key_pkcs11_*" file will stop the card from using the related SSL private key stored in the nCipher SSL card.


Adam P. answered:

I'm not sure if there is an option to delete some keys.

It looks like you can only destroy the entire security world, create it again and add only the good keys ...
