A Key Pair contains a private key and its associated certificate chain. Key Pairs can be used to digitally sign objects such as Java applications. Key Pair entries are represented in KeyStore Explorer by the following icon:
SSH Keystore File
This article discusses the creation of the .jks file. Once you create the file it needs to be placed in the Program Files\StayLinked folder. When using Public-Private key authentication, StayLinked needs specific settings, otherwise it will not work.
There are two kinds of keys: server or host keys, which identify the server to the user, and user keys, which allow logging in. The private host key of the server is stored in /etc/ssh/. The corresponding public key is automatically added (after a prompt) to known_hosts in ~/.ssh on the client. The purpose of these keys is to detect a man-in-the-middle (MITM) attack: If the host key suddenly.
Decision Central provides an SSH keystore service to enable user SSH authentication. It provides a configurable default SSH keystore, extensible APIs (for custom implementations), and support for multiple SSH public key formats. You can access the SSH Keys option from the Admin page to register your SSH public keys.
As the private key part of the Key Pair should remain secret, Key Pair entries are normally protected by a password. In KeyStore Explorer such entries are described as being locked and have a closed padlock displayed against them:
To access the private key the entry must be unlocked (see next chapter) by supplying the correct password. If an entry is successfully unlocked then an open padlock is displayed against it:
If a Key Pair entry is unlocked once during a KeyStore Explorer session it does not need to be unlocked again. A Key Pair entry may be unlocked explicitly or as part of an operation that requires the private key.
A Key Pair must be unlocked to utilize it for operations such as digital signing or to view or export the private key.
Unlock a Key Pair
To unlock a Key Pair:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select Unlock from the pop-up menu.
- The Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- The Key Pair entry's lock status will be changed to unlocked in the KeyStore Entries table.
View a Key Pair's Certificate Chain
To view a Key Pair's certificate chain:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the View Details sub-menu from the pop-up menu and from there choose Certificate Chain Details. Alternatively, double-click the Key Pair entry.
- The Certificate Details dialog will appear. After viewing the details close the dialog by pressing the OK button.
View a Key Pair's Private Key
To view a Key Pair's private key:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the View Details sub-menu from the pop-up menu and from there choose Private Key Details.
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- The Private Key Details dialog will appear. After viewing the details close the dialog by pressing the OK button.
View a Key Pair's Public Key
To view a Key Pair's public key:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the View Details sub-menu from the pop-up menu and from there choose Public Key Details.
- The Public Key Details dialog will appear. After viewing the details close the dialog by pressing the OK button.
Generate a Key Pair
To generate a Key Pair:
- From the Tools menu, choose Generate Key Pair. Alternatively click on the Generate Key Pair tool bar button:
- The Generate Key Pair dialog will be displayed. Select an Algorithm and a Key Size and press the OK button.
- The Generating Key Pair dialog will be displayed and will remain visible until Key Pair generation has completed. For larger key sizes this may be quite some time.
- The Generate Key Pair Certificate dialog will be displayed.
- Select a Version and Signature Algorithm and enter a Validity Period, Serial Number and Name.
- Optionally, for a version 3 certificate, add certificate extensions by clicking on the Add Extensions button.
- Press the OK button.
- The New Key Pair Entry Alias dialog will be displayed.
- Enter the alias for the new Key Pair entry and press the OK button.
- If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
- The new Key Pair entry will appear in the KeyStore Entries table.
Generate a CSR
To generate a CSR for a Key Pair:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select Generate CSR from the pop-up menu.
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- The Generate CSR dialog is displayed. Select a Format and Signature Algorithm and enter a Challenge.
- For PKCS#10 format you can optionally enter a company name (which becomes an 'unstructuredName' attribute in the request) and/or add the extensions from the certificate to the request. The latter is useful for SSL certificates with SubjectAlternativeName extensions.
- Use the Browse button to select a CSR File.
- Press the OK button to commence generation and produce the CSR.
Import a CA Reply
To import a CA Reply into a Key Pair:
- Select the drive and folder where the CA Reply file is stored.
- Click on the required CA Reply file or type the filename into the File Name text box.
- Click on the Import button.
- If the Import CA Reply Trust Check is enabled and the CA Reply file contains a single certificate:
  - If KeyStore Explorer can establish a trust path between the certificate and an existing self-signed Trusted Certificate in your KeyStore or the Authority Certificates then the import will continue. Otherwise it will fail at this point.
- Alternatively if the Import CA Reply Trust Check is enabled and the CA Reply file contains a chain of certificates:
  - KeyStore Explorer will attempt to match the reply's root CA to an existing Trusted Certificate in your KeyStore or the Authority Certificates.
  - If it cannot then the Certificate Details dialog will appear displaying the details of the reply's root CA certificate for you to verify.
  - After viewing the details close the dialog by pressing the OK button.
  - A further dialog will appear asking if you wish to accept the certificate.
  - Press the Yes button if you wish to trust the certificate and import the CA Reply and No if you do not. If you reply No the import will fail at this point.
- The Key Pair entry will be updated to reflect the content of the CA Reply.
Get a Key Pair Signed by a CA (Certificate Authority)
To get a Key Pair signed by a CA:
- First create a new KeyStore.
- Either import an existing Key Pair into the KeyStore or generate a new Key Pair in the KeyStore.
- Next generate a CSR (Certificate Signing Request) file from the Key Pair.
- Send the CSR file to a CA for signing. Each CA has different procedures for signing certificates and will charge a fee. Check the CA's web site for details.
- The CA will send back a CA Reply. This will most likely take the form of a file with the extension p7r or cer.
- Import the CA Reply into the original Key Pair.
- The Key Pair has now been signed by the CA. View the Key Pair's certificate chain. Your certificate, at the end of the chain, will contain the CA's details in the issuer field.
- Finally save the KeyStore.
Append to Certificate Chain
To append a certificate to the end of a Key Pair's Certificate Chain:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the Edit Certificate Chain sub-menu from the pop-up menu and from there choose Append Certificate.
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- The Append Certificate dialog will appear.
- Select the drive and folder where the certificate file to be appended is stored.
- Click on the required certificate file or type the filename into the File Name text box.
- Click on the Append button.
- For the append to succeed, the chosen certificate's private key must have been used to sign the end certificate of the chain. An indication that this is the case is if the chosen certificate's subject is identical to the end certificate's issuer.
- If the append is successful the Key Pair entry's certificate chain will be updated to include the appended certificate.
Remove from Certificate Chain
To remove a certificate from the end of a Key Pair's Certificate Chain:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the Edit Certificate Chain sub-menu from the pop-up menu and from there choose Remove Certificate.
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- For the removal to succeed, the certificate chain must contain more than one certificate.
- If the removal is successful the Key Pair entry's certificate chain will be updated to remove the end certificate.
Import a Key Pair
A Key Pair can be imported from a variety of source formats.
Import a Key Pair from PKCS #12
To import a Key Pair from PKCS #12:
- From the Tools menu, choose Import Key Pair. Alternatively click on the Import Key Pair tool bar button:
- The Import Key Pair Type dialog will appear.
- Select the PKCS #12 radio button and press the OK button.
- The Import PKCS #12 Key Pair dialog will appear.
- Enter the decryption password for the PKCS #12 file into the Decryption Password field.
- Use the Browse button to select the PKCS #12 key pair file and the Details button to examine your choice.
- If after examination you decide to import the Key Pair press the Import button. Otherwise use the Cancel button to halt the import.
- The New Key Pair Entry Alias dialog will be displayed.
- Enter the alias for the new Key Pair entry and press the OK button.
- If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
- The new Key Pair entry will appear in the KeyStore Entries table.
Import a Key Pair from PKCS #8 and Certificates
To import a Key Pair from PKCS #8 and Certificates:
- From the Tools menu, choose Import Key Pair. Alternatively click on the Import Key Pair tool bar button:
- The Import Key Pair Type dialog will appear.
- Select the PKCS #8 radio button and press the OK button.
- The Import PKCS #8 Key Pair dialog will appear.
- If the PKCS #8 private key file is unencrypted then uncheck the Encrypted Private Key check box.
- Alternatively if the PKCS #8 private key file is encrypted enter the decryption password into the Decryption Password field. The supported PBE encryption algorithms for import are:
  - PBE with SHA-1 and 2 key DESede
  - PBE with SHA-1 and 3 key DESede
  - PBE with SHA-1 and 40 bit RC2
  - PBE with SHA-1 and 128 bit RC2
  - PBE with SHA-1 and 40 bit RC4
  - PBE with SHA-1 and 128 bit RC4
- Use the Browse buttons to select private key and certificates files and the Details buttons to examine your choices.
- If after examination you decide to import the Key Pair press the Import button. Otherwise use the Cancel button to halt the import.
- The New Key Pair Entry Alias dialog will be displayed.
- Enter the alias for the new Key Pair entry and press the OK button.
- If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
- The new Key Pair entry will appear in the KeyStore Entries table.
Import a Key Pair from PVK and Certificates
To import a Key Pair from PVK and Certificates:
- From the Tools menu, choose Import Key Pair. Alternatively click on the Import Key Pair tool bar button:
- The Import Key Pair Type dialog will appear.
- Select the PVK radio button and press the OK button.
- The Import PVK Key Pair dialog will appear.
- If the PVK private key file is unencrypted then uncheck the Encrypted Private Key check box.
- Alternatively if the PVK private key file is encrypted enter the decryption password into the Decryption Password field.
- Use the Browse buttons to select private key and certificates files and the Details buttons to examine your choices.
- If after examination you decide to import the Key Pair press the Import button. Otherwise use the Cancel button to halt the import.
- The New Key Pair Entry Alias dialog will be displayed.
- Enter the alias for the new Key Pair entry and press the OK button.
- If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
- The new Key Pair entry will appear in the KeyStore Entries table.
Import a Key Pair from OpenSSL and Certificates
To import a Key Pair from OpenSSL and Certificates:
- From the Tools menu, choose Import Key Pair. Alternatively click on the Import Key Pair tool bar button:
- The Import Key Pair Type dialog will appear.
- Select the OpenSSL radio button and press the OK button.
- The Import OpenSSL Key Pair dialog will appear.
- If the OpenSSL private key file is unencrypted then uncheck the Encrypted Private Key check box.
- Alternatively if the OpenSSL private key file is encrypted enter the decryption password into the Decryption Password field. The supported PBE encryption algorithms for import are:
  - PBE with DES CBC
  - PBE with DESede CBC
  - PBE with 128 bit AES CBC
  - PBE with 192 bit AES CBC
  - PBE with 256 bit AES CBC
- Use the Browse buttons to select private key and certificates files and the Details buttons to examine your choices.
- If after examination you decide to import the Key Pair press the Import button. Otherwise use the Cancel button to halt the import.
- The New Key Pair Entry Alias dialog will be displayed.
- Enter the alias for the new Key Pair entry and press the OK button.
- If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
- The new Key Pair entry will appear in the KeyStore Entries table.
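The PKCS #8 and OpenSSL import dialogs above both ask which format the private key file is in and whether it is encrypted. For PEM-encoded files that can be read from the file's text headers before importing. The script below is an added example, not part of the KeyStore Explorer documentation; the function names and sample files are constructed, and it assumes "OpenSSL" in the dialog means the traditional `RSA PRIVATE KEY` / `DSA PRIVATE KEY` PEM form.

```shell
#!/bin/sh
# Added example, not part of the KeyStore Explorer documentation.

# classify_key FILE
# Prints "<import type> <encrypted|unencrypted> [cipher]" for a PEM private key.
classify_key() {
    begin=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN /{p;q;}')
    case $begin in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            # The PBE algorithm sits inside the encoded body, not in the PEM text.
            echo "pkcs8 encrypted" ;;
        '-----BEGIN PRIVATE KEY-----')
            echo "pkcs8 unencrypted" ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----')
            # Traditional OpenSSL keys name their cipher in a DEK-Info header.
            cipher=$(tr -d '\r' < "$1" |
                     sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' | sed -n '1p')
            if [ -n "$cipher" ]; then
                echo "openssl encrypted $cipher"
            else
                echo "openssl unencrypted"
            fi ;;
        '') echo "not-pem"; return 1 ;;      # DER, PVK or not a key file at all
        *)  echo "unknown-pem"; return 1 ;;  # a PEM type this script does not map
    esac
}

# cipher_listed NAME
# Succeeds if a DEK-Info cipher name corresponds to one of the five OpenSSL
# import algorithms listed above (DES, DESede and 128/192/256 bit AES, all CBC).
cipher_listed() {
    case $1 in
        DES-CBC|DES-EDE3-CBC|AES-128-CBC|AES-192-CBC|AES-256-CBC) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sample FILE LINE...  (constructed input: headers are real, body is filler)
write_sample() {
    sample_out=$1
    shift
    printf '%s\n' "$@" > "$sample_out"
}

# Demonstration on constructed files in a throwaway directory.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/traditional.pem" \
    '-----BEGIN RSA PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' \
    '' \
    'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----'
write_sample "$demo_dir/pkcs8.pem" \
    '-----BEGIN PRIVATE KEY-----' \
    'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----'
for demo_file in "$demo_dir"/*.pem; do
    printf '%s: %s\n' "${demo_file##*/}" "$(classify_key "$demo_file")"
done
rm -rf "$demo_dir"
```

A result of `pkcs8 unencrypted` or `openssl unencrypted` means the private key is stored in clear text on disk, which is the case where the Encrypted Private Key check box has to be unchecked.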
Export a Key Pair
Export a Key Pair as PKCS #12
To export a Key Pair as PKCS #12:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Key Pair.
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- The Export Key Pair dialog is displayed.
- Enter a PKCS #12 Password to protect the exported PKCS #12 file with and confirm it.
- Use the Browse button to select an Export File.
- Press the Export button to commence the export.
Export a Key Pair's Certificate Chain
To export a Key Pair's certificate chain:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Certificate Chain.
- The Export Certificate Chain dialog is displayed.
- Use the Export Length radio buttons to choose whether the Entire Chain of certificates should be exported or the Head Only. The X.509 export format is not available when the entire chain is to be exported.
- Select an Export Format. The options available are:
  - X.509: ITU-T standard for public key infrastructure.
  - PKCS #7: RSA public key cryptography standard.
  - PKI Path: Certification path.
  - SPC: Software Publisher Certificate, Microsoft's certificate format.
- Check the PEM checkbox if the exported certificate is to be PEM encoded. PEM encoding is not available for PKI Path and SPC format exports.
- Use the Browse button to select an export file.
- Press the Export button to commence the export.
Export a Key Pair's Private Key
Export a Key Pair's Private Key as PKCS #8
To export a Key Pair's private key as PKCS #8:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Private Key.
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- The Export Private Key Type dialog will appear.
- Select the PKCS #8 radio button and press the OK button.
- The Export Private Key as PKCS #8 dialog is displayed.
- If the exported PKCS #8 private key file is to be unencrypted then uncheck the Encrypt check box.
- Alternatively if the PKCS #8 private key file is to be encrypted select an Encryption Algorithm and enter and confirm an Encryption Password. The supported PBE encryption algorithms for export are:
  - PBE with SHA-1 and 2 key DESede
  - PBE with SHA-1 and 3 key DESede
  - PBE with SHA-1 and 40 bit RC2
  - PBE with SHA-1 and 128 bit RC2
  - PBE with SHA-1 and 40 bit RC4
  - PBE with SHA-1 and 128 bit RC4
- Check the PEM checkbox if the exported private key is to be PEM encoded.
- Use the Browse button to select an export file.
- Press the Export button to commence the export.
Export a Key Pair's Private Key as PVK
To export a Key Pair's private key as PVK:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Private Key.
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- The Export Private Key Type dialog will appear.
- Select the PVK radio button and press the OK button.
- The Export Private Key as PVK dialog is displayed.
- Select a Key Type of Exchange or Signature.
- If the exported PVK private key file is to be unencrypted then uncheck the Encrypt check box.
- Alternatively if the PVK private key file is to be encrypted select an Encryption Strength (Strong or Weak) and enter and confirm an Encryption Password.
- Use the Browse button to select an export file.
- Press the Export button to commence the export.
Note: DSA private keys are not suitable for the purposes of Exchange. For the PVK export of DSA Key Pairs the Key Type options are disabled and Signature is pre-selected.
Export a Key Pair's Private Key as OpenSSL
To export a Key Pair's private key as OpenSSL:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Private Key.
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- The Export Private Key Type dialog will appear.
- Select the OpenSSL radio button and press the OK button.
- The Export Private Key as OpenSSL dialog is displayed.
- If the exported OpenSSL private key file is to be unencrypted then uncheck the Encrypt check box.
- Alternatively if the OpenSSL private key file is to be encrypted select an Encryption Algorithm and enter and confirm an Encryption Password. The supported PBE encryption algorithms for export are:
  - PBE with DES CBC
  - PBE with DESede CBC
  - PBE with 128 bit AES CBC
  - PBE with 192 bit AES CBC
  - PBE with 256 bit AES CBC
- Check the PEM checkbox if the exported private key is to be PEM encoded. When a private key is to be encrypted it must also be PEM encoded.
- Use the Browse button to select an export file.
- Press the Export button to commence the export.
Export a Key Pair's Public Key as OpenSSL
To export a Key Pair's public key as OpenSSL:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Public Key.
- The Export Public Key as OpenSSL dialog is displayed.
- Check the PEM checkbox if the exported public key is to be PEM encoded.
- Use the Browse button to select an export file.
- Press the Export button to commence the export.
Drag Export a Key Pair
To drag export a Key Pair:
- Ensure the Key Pair entry is unlocked.
- Select the Key Pair entry for dragging by pressing and holding the left mouse button over it in the KeyStore entries table.
- Use the mouse to drag the entry to the desired export location. For example: the desktop, a folder or a text editor.
- Release the left mouse button over the export location.
- The entry will be exported. The export format used depends on the export location:
  - When exporting as a file the export format is PKCS #12. This is applicable when the entry is dragged to the desktop or to a folder.
  - When exporting as text the export is in two parts. The private key is exported as Encrypted PKCS #8 PEM and the certificate chain is exported as PKCS #7 PEM. This is applicable when the entry is dragged to an application that deals with text.
- Exports that are password protected inherit the password of the originating Key Pair entry.
Set a Key Pair's Password
To set a Key Pair entry's password:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select Set Password from the pop-up menu.
- The Set Key Pair Entry Password dialog will appear.
- Complete the dialog's fields with the old password, new password and new password confirmation. If the Key Pair Entry is unlocked then the old password field will already be completed.
- Press the OK button to confirm the dialog.
Cut and Paste a Key Pair
To cut and paste a Key Pair:
- Click on the Key Pair entry to select it.
- From the Edit menu, choose Cut. Alternatively click on the Cut tool bar button:
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- Select the target KeyStore by clicking on its tab.
- From the Edit menu, choose Paste. Alternatively click on the Paste tool bar button:
- The Key Pair entry will appear in the target KeyStore Entries table. The Key Pair entry's password will remain unchanged.
- KeyStore Explorer has an internal clipboard for cut, copy and paste operations called the buffer. Therefore KeyStore entries cannot be cut or copied from KeyStore Explorer to other applications and vice versa.
Copy and Paste a Key Pair
To copy and paste a Key Pair:
- Click on the Key Pair entry to select it.
- From the Edit menu, choose Copy. Alternatively click on the Copy tool bar button:
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- If copying to a different KeyStore select it by clicking on its tab.
- From the Edit menu, choose Paste. Alternatively click on the Paste tool bar button:
- A copy of the Key Pair entry will appear in the target KeyStore Entries table. The Key Pair entry's password will be the same as the original's.
- KeyStore Explorer has an internal clipboard for cut, copy and paste operations called the buffer. Therefore KeyStore entries cannot be cut or copied from KeyStore Explorer to other applications and vice versa.
Delete a Key Pair
To delete a Key Pair:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select Delete from the pop-up menu.
- The Key Pair entry will be removed from the KeyStore Entries table.
Rename a Key Pair
To rename a Key Pair:
- Right-click on the Key Pair entry in the KeyStore Entries table. Select Rename from the pop-up menu.
- If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
- The New Entry Alias dialog will appear.
- Enter the new alias into the dialog and acknowledge it by pressing the OK button.
- The Key Pair entry will be renamed in the KeyStore Entries table.
Introduction
SSH can handle authentication using a traditional username and password combination or by using a public and private key pair. The SSH key pair establishes trust between the client and server, thereby removing the need for a password during authentication. While not required, the SSH private key can be encrypted with a passphrase for added security.
The PuTTY SSH client for Microsoft Windows does not share the same key format as the OpenSSH client. Therefore, it is necessary to create a new SSH public and private key using the PuTTYgen tool or convert an existing OpenSSH private key.
Requirements
- PuTTY SSH client for Microsoft Windows
- Remote server accessible over OpenSSH
Install PuTTY and PuTTYgen
Both PuTTY and PuTTYgen are required to convert OpenSSH keys and to connect to the server over SSH. These two tools can be downloaded individually or, preferably, as a Windows installer from the PuTTY Download Page.
Once the PuTTY Windows installer is downloaded, double-click the executable in the Download folder and follow the installation wizard. The default settings are suitable for most installations. Both PuTTY and PuTTYgen should now be accessible from the Windows Programs list.
Use Existing Public and Private Keys
If you have an existing OpenSSH public and private key, copy the id_rsa key to your Windows desktop. This can be done by copying and pasting the contents of the file or by using an SCP client such as PSCP, which is supplied with the PuTTY install, or FileZilla.
Next launch PuTTYgen from the Windows Programs list.
- Click Conversions from the PuTTY Key Generator menu and select Import key.
- Navigate to the OpenSSH private key and click Open.
- Under Actions / Save the generated key, select Save private key.
- Choose an optional passphrase to protect the private key.
- Save the private key to the desktop as id_rsa.ppk.
If the public key is already appended to the authorized_keys file on the remote SSH server, then proceed to Connect to Server with Private Key.
Otherwise, proceed to Copy Public Key to Server.
Create New Public and Private Keys
Launch PuTTYgen from the Windows Programs list and proceed with the following steps.
- Under Parameters, increase the Number of bits in a generated key: to a minimum value of 2048.
- Under Actions / Generate a public/private key pair, click Generate.
- You will be instructed to move the mouse cursor around within the PuTTY Key Generator window as a randomizer to generate the private key.
- Once the key information appears, click Save private key under Actions / Save the generated key.
- Save the private key to the desktop as id_rsa.ppk.
- The box under Key / Public key for pasting into OpenSSH authorized_keys file: contains the public key.
Copy Public Key to Server
The OpenSSH public key is located in the box under Key / Public key for pasting into OpenSSH authorized_keys file:. The public key begins with ssh-rsa followed by a string of characters.
- Highlight the entire public key within the PuTTY Key Generator and copy the text.
- Launch PuTTY and log into the remote server with your existing user credentials.
- Use your preferred text editor to create and/or open the authorized_keys file.
- Paste the public key into the authorized_keys file.
- Save the file and close the text editor.
- Adjust the permissions of the authorized_keys file so that the file does not allow group writable permissions.
- Log out of the remote server.
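The server-side steps above (create or open authorized_keys, paste the key, remove group write permission) can be done in one pass from the shell. The script below is an added example, not from the original tutorial; the function names, the sample key and the throwaway directory used as a home directory are constructed, and it assumes the usual location of the file, .ssh/authorized_keys under the user's home.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Paths and the key are constructed.

# install_pubkey HOME_DIR 'KEY LINE'
# Appends one OpenSSH public key line to HOME_DIR/.ssh/authorized_keys.
install_pubkey() {
    home_dir=$1
    key_line=$2
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys
    nl='
'
    # authorized_keys holds one key per line. PuTTYgen's "Save public key"
    # file is multi-line and a pasted private key starts with "-----BEGIN";
    # both are rejected here.
    case $key_line in
        *"$nl"*) echo "key must be a single line" >&2; return 2 ;;
    esac
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type: $key_type" >&2; return 2 ;;
    esac
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "key body is not base64" >&2; return 2 ;;
    esac

    # Create the directory and file owner-only from the start.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth_file" || return 1

    # Idempotent: look for the same type and key body on any existing line,
    # so a key that only differs in its comment is not added twice.
    if awk -v t="$key_type" -v b="$key_blob" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
         END { exit !found }' "$auth_file"; then
        return 0
    fi
    # Do not glue the new key onto an existing last line that lacks a newline.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# perms_ok PATH
# Succeeds only if PATH is not writable by group or others. sshd's StrictModes
# setting (on by default) checks these file modes before accepting a login.
perms_ok() {
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Demonstration in a throwaway directory standing in for the user's home.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKeyBody rsa-key-constructed'
if install_pubkey "$demo_home" "$demo_key" &&
   perms_ok "$demo_home/.ssh/authorized_keys"; then
    echo "key installed, permissions acceptable"
fi
rm -rf "$demo_home"
```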
Connect to Server with Private Key
Now it is time to test SSH key authentication. The PuTTYgen tool can be closed and PuTTY launched again.
- Enter the remote server Host Name or IP address under Session.
- Navigate to Connection > SSH > Auth.
- Click Browse... under Authentication parameters / Private key file for authentication.
- Locate the id_rsa.ppk private key and click Open.
- Finally, click Open again to log into the remote server with key pair authentication.