Creating and Transferring FIPS Keys

Sep 13, 2016

After configuring the HSM of your FIPS appliance, you are ready to create a FIPS key. The FIPS key is created in the appliance’s HSM. You can then export the FIPS key to the appliance’s CompactFlash card as a secured backup. Exporting the key also enables you to transfer it by copying it to the /flash of another appliance and then importing it into the HSM of that appliance.

Instead of creating a FIPS key, you can import an existing FIPS key or import an external key as a FIPS key. If you are adding a certificate-key pair of 2048 bits on the MPX 9700/10500/12500/15500 FIPS appliances, make sure that you have the correct certificate and key pair.

Note: If you are planning an HA setup, make sure that the FIPS appliances are configured in an HA setup before creating a FIPS key.

Creating a FIPS Key

Before creating a FIPS key, make sure that the HSM is configured.

To create a FIPS key by using the configuration utility

  1. Navigate to Traffic Management > SSL > FIPS.
  2. In the details pane, on the FIPS Keys tab, click Add.
  3. In the Create FIPS Key dialog box, specify values for the following parameters:
    • FIPS Key Name*—fipsKeyName
    • Modulus*—modulus
    • Exponent*—exponent

    *A required parameter

  4. Click Create, and then click Close.
  5. On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you just created are correct.

To create a FIPS key by using the command line interface

At the command prompt, type the following commands to create a FIPS key and verify the settings:

  • create ssl fipsKey <fipsKeyName> -modulus <positive_integer> [-exponent ( 3 | F4 )]
  • show ssl fipsKey [<fipsKeyName>]

Example

create ssl fipsKey Key-FIPS-1 -modulus 2048 -exponent 3
show ssl fipsKey Key-FIPS-1
FIPS Key Name: Key-FIPS-1 Modulus: 2048   Public Exponent: 3 (Hex: 0x3)

Exporting a FIPS Key

Citrix recommends that you create a backup of any key created in the FIPS HSM. If a key in the HSM is deleted, there is no way to create the same key again, and all the certificates associated with it are rendered useless.

In addition to exporting a key as a backup, you might need to export a key for transfer to another appliance.

The following procedure provides instructions on exporting a FIPS key to the /nsconfig/ssl folder on the appliance's CompactFlash and securing the exported key by using a strong asymmetric key encryption method.

To export a FIPS key by using the command line interface

At the command prompt, type:

export ssl fipsKey <fipsKeyName> -key <string>

Example

export ssl fipsKey Key-FIPS-1 -key Key-FIPS-1.key

To export a FIPS key by using the configuration utility

  1. Navigate to Traffic Management > SSL > FIPS.
  2. In the details pane, on the FIPS Keys tab, click Export.
  3. In the Export FIPS key to a file dialog box, specify values for the following parameters:
    • FIPS Key Name*—fipsKeyName
    • File Name*—key (To put the file in a location other than the default, you can either specify the complete path or click the Browse button and navigate to a location.)

    *A required parameter

  4. Click Export, and then click Close.

Importing an Existing FIPS Key

To use an existing FIPS key with your FIPS appliance, you need to transfer the FIPS key from the hard disk of the appliance into its HSM.

Note: To avoid errors when importing a FIPS key, make sure that the name of the key imported is the same as the original key name when it was created.

To import a FIPS key on the MPX 9700/10500/12500/15500 FIPS appliances by using the command line interface

At the command prompt, type the following commands to import a FIPS key and verify the settings:

  • import ssl fipsKey <fipsKeyName> -key <string> -inform SIM -exponent (F4 | 3)
  • show ssl fipsKey <fipsKeyName>

Example

import ssl fipsKey Key-FIPS-2 -key Key-FIPS-2.key -inform SIM -exponent F4
show ssl fipsKey Key-FIPS-2
FIPS Key Name: Key-FIPS-2 Modulus: 2048   Public Exponent: F4 (Hex value 0x10001)

To import a FIPS key by using the configuration utility

  1. Navigate to Traffic Management > SSL > FIPS.
  2. In the details pane, on the FIPS Keys tab, click Import.
  3. In the Import as a FIPS Key dialog box, select FIPS key file and set values for the following parameters:
    • FIPS Key Name*
    • Key File Name*—To put the file in a location other than the default, you can either specify the complete path or click Browse and navigate to a location.
    • Exponent*

    *A required parameter

  4. Click Import, and then click Close.
  5. On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you just imported are correct.

Importing External Keys

In addition to transferring FIPS keys that are created within the NetScaler appliance’s HSM, you can transfer external private keys (such as those created on a standard NetScaler, Apache, or IIS) to a FIPS NetScaler appliance. External keys are created outside the HSM, by using a tool such as OpenSSL. Before importing an external key into the HSM, copy it to the appliance's flash drive under /nsconfig/ssl.

Importing an external key as a FIPS key on the MPX 9700/10500/12500/15500 FIPS appliances by using the command line interface

On the MPX 9700/10500/12500/15500 FIPS appliances, the -exponent parameter in the import ssl fipskey command is not required while importing an external key. The correct public exponent is detected automatically when the key is imported, and the value of the -exponent parameter is ignored.

The NetScaler FIPS appliance does not support external keys with a public exponent other than 3 or F4.

You do not need a wrap key on the MPX 9700/10500/12500/15500 FIPS appliances.

You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 FIPS appliance. To import the key, you need to first decrypt it and then import the decrypted file. To decrypt the key, at the shell prompt, type the following command (openssl prompts for the key's passphrase):

openssl rsa -in <EncryptedKey.key> > <DecryptedKey.out>

To import an external key as a FIPS key to an MPX 9700/10500/12500/15500 FIPS appliance by using the command line interface

  1. Copy the external key to the appliance's flash drive.
  2. If the key is in .pfx format, you must first convert it to PEM format. At the command prompt, type:
    • convert ssl pkcs12 <output file> -import -pkcs12File <input .pfx file name> -password <password>
  3. At the command prompt, type the following commands to import the external key as a FIPS key and verify the settings:
    • import ssl fipsKey <fipsKeyName> -key <string> -inform PEM
    • show ssl fipsKey <fipsKeyName>

Example

convert ssl pkcs12 iis.pem -password 123456 -import -pkcs12File iis.pfx
import ssl fipsKey Key-FIPS-2 -key iis.pem -inform PEM
show ssl fipsKey Key-FIPS-2
FIPS Key Name: Key-FIPS-2 Modulus: 0   Public Exponent: F4 (Hex value 0x10001)

Note: The modulus is incorrectly displayed as zero in the above example. The discrepancy does not affect SSL functionality.
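The constraints this section places on an external key (PEM format, not encrypted, RSA, public exponent 3 or F4) can all be checked with openssl before the key is copied to /nsconfig/ssl and passed to import ssl fipsKey. The script below is an added example written for this article, not Citrix or NetScaler code: it uses only the openssl tool the page already invokes, runs on any host, never touches the HSM, and generates its own constructed test keys (the password 123456 mirrors the example above). The function names fips_key_preflight, decrypt_external_key, pfx_to_pem and make_demo_keys are this example's own.

```shell
#!/bin/sh
# Pre-flight check for an external RSA key before "import ssl fipsKey ... -inform PEM".
# Added example for this article, not Citrix/NetScaler code: it only uses openssl,
# runs on any host, and never touches the HSM. Function names are this example's own.
# Rules encoded from the text: PEM, unencrypted, RSA, public exponent 3 or F4 (65537).

# Prints "ok <modulus bits> <exponent>" and returns 0 when the file is importable;
# prints "reject: <reason>" and returns 1 otherwise.
fips_key_preflight() {
    key="$1"
    [ -r "$key" ] || { echo "reject: cannot read $key"; return 1; }
    # An encrypted PEM key (PKCS#1 "Proc-Type: 4,ENCRYPTED" or PKCS#8
    # "BEGIN ENCRYPTED PRIVATE KEY") cannot be imported; decrypt it first.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "reject: key is encrypted, decrypt it before import"; return 1
    fi
    # -passin keeps openssl from prompting if the header check above missed a case.
    if ! text=$(openssl rsa -in "$key" -noout -text -passin pass: 2>/dev/null); then
        echo "reject: not a readable PEM RSA private key"; return 1
    fi
    exponent=$(printf '%s\n' "$text" | sed -n 's/^publicExponent: \([0-9][0-9]*\).*/\1/p')
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    case "$exponent" in
        3|65537) echo "ok $bits $exponent"; return 0 ;;
        *) echo "reject: public exponent $exponent is not 3 or F4 (65537)"; return 1 ;;
    esac
}

# Non-interactive form of the page's "openssl rsa -in <EncryptedKey.key>" step:
# $1 encrypted key, $2 output file, $3 passphrase.
decrypt_external_key() {
    openssl rsa -in "$1" -out "$2" -passin "pass:$3" 2>/dev/null
}

# Plain-openssl equivalent of "convert ssl pkcs12 ... -import": extract only the
# private key from a .pfx, unencrypted. $1 pfx, $2 output PEM, $3 import password.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$3" -out "$2" 2>/dev/null
}

# Constructed test inputs, written to directory $1: RSA keys with e=65537 (F4),
# e=3 and e=17, an EC key, an AES-encrypted copy of the F4 key, and a .pfx bundle
# with a throwaway self-signed certificate. The password 123456 mirrors the example.
make_demo_keys() {
    d="$1"
    for e in 65537 3 17; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -pkeyopt "rsa_keygen_pubexp:$e" -out "$d/e$e.pem" 2>/dev/null
    done
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/ec.pem" 2>/dev/null
    openssl rsa -in "$d/e65537.pem" -aes256 -passout pass:123456 -out "$d/enc.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/e65537.pem" -subj /CN=iis-demo -days 1 \
        -out "$d/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/e65537.pem" -in "$d/cert.pem" \
        -passout pass:123456 -out "$d/iis.pfx" 2>/dev/null
}

# Walk every constructed key through the check, then the decrypt and .pfx paths.
demo() {
    d=$(mktemp -d)
    make_demo_keys "$d"
    for k in e65537 e3 e17 ec enc; do
        printf '%-12s %s\n' "$k.pem:" "$(fips_key_preflight "$d/$k.pem")"
    done
    decrypt_external_key "$d/enc.pem" "$d/dec.pem" 123456
    printf '%-12s %s\n' "dec.pem:" "$(fips_key_preflight "$d/dec.pem")"
    pfx_to_pem "$d/iis.pfx" "$d/iis.pem" 123456
    printf '%-12s %s\n' "iis.pem:" "$(fips_key_preflight "$d/iis.pem")"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see each constructed key accepted or rejected with its reason; the e=17 and EC cases show what the appliance would refuse. The decrypted or extracted PEM file is an unprotected private key, so keep it only as long as the import step needs it and remove it from the flash afterwards.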

To import an external key as a FIPS key to an MPX 9700/10500/12500/15500 FIPS appliance by using the configuration utility

  1. If the key is in .pfx format, you must first convert it to PEM format.
    1. Navigate to Traffic Management > SSL.
    2. In the details pane, under Tools, click Import PKCS#12.
    3. In the Import PKCS12 File dialog box, set the following parameters:
      • Output File Name*
      • PKCS12 File Name*—Specify the .pfx file name.
      • Import Password*
      • Encoding Format

      *A required parameter

  2. Navigate to Traffic Management > SSL > FIPS.
  3. In the details pane, on the FIPS Keys tab, click Import.
  4. In the Import as a FIPS Key dialog box, select PEM file, and set values for the following parameters:
    • FIPS Key Name*
    • Key File Name*—To put the file in a location other than the default, you can either specify the complete path or click Browse and navigate to a location.

    *A required parameter

  5. Click Import, and then click Close.
  6. On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you just imported are correct.