Keys consist of text files. It is therefore possible, in principle, to enter these files into the local system using the resources made available by the operating system (i.e. "manually") and copy them to the location where openFT expects to find the keys. However, this method is time-consuming and liable to errors and, in addition, special administrator rights would be needed on certain systems.

openFT therefore provides a number of built-in functions that can be used to import the following keys.

• Public keys of partner instances. These keys must have been generated by the partner's openFT instance.

• Private keys that were generated with an external tool (i.e. not via openFT). When importing a private key, openFT generates the associated public key. This key can be used in the same way as a key generated with openFT and distributed to partner systems.

Compared with the manual method, the import functions have the advantage that the keys (including newly created keys) are immediately present at the correct location in the local system.

Key formats

openFT supports key files in the following formats:

• PEM format (native PEM)

  The PEM-coded files must be present in EBCDIC format.

• PKCS#8 format encrypted without password phrase or after v1/v2 with password phrase (PEM-coded).

• PKCS#12 v1 format in the form of a binary file. The file is searched for a private key and any non-supported elements (e.g. certificates, CRLs) are ignored during the import. If the certificate is protected by a signature or hash then openFT does not perform a validity check. The validity of the file must be verified using other means. The first private key that is found in the file is imported. Any others are ignored.

The password phrase used for encryption must be specified in the password parameter when performing the import.