ftimpk

Note on usage

Function: Import RSA key

User group: FT administrator

Functional description

You can use the command ftimpk (import key) as FT administrator to import a partner's public key or an RSA key pair from a file. The file is made available by the party that generated the key/RSA key pair. On import, the partner key or RSA key pair is saved at the "correct" location in the openFT instance directory and can then be used for authentication.

Importing public keys of a partner

To import the public key of a partner, the partner must already be entered in the partner list. The key is stored in the syskey subdirectory with the partner ID as the file name.

Importing RSA key pairs

You can import an RSA key pair consisting of a public and a private key. The key pair can be used like a key generated by openFT for data encryption and authentication.

The key pair may have been generated using an external tool. Keys must be 768, 1024, 2048, 3072 or 4096 bits long. The keys may be in PEM format (native PEM or PKCS#8 format, either without a password phrase or, in accordance with v1 / v2, with a password phrase) or in PKCS#12 V1.0 format.

If the key pair is protected by a password phrase (password), the password must be specified during the import.

During import, the same applies as for key pairs generated with ftcrek:

  • The key pair contains a unique reference number.

  • The public key is stored under the name syspkf.r<key-reference>.l<key-length> in the config directory of the openFT instance's instance file tree.

See also the manual "openFT (Unix and Windows systems) - Installation and Operation".

Format

ftimpk -h |

[ -pr=<file name 1..512> ]
[ -pu=<file name 1..512> ]
[ -p=<password 1..64> | -p= ]
[ -p12 ]

Description

-h

Outputs the command syntax on screen. Any specifications after -h are ignored.

-pr=file name (private)

indicates that a private and public key are to be imported. file name is the absolute or relative path name of the file containing the two keys.

-pu=file name (public)

indicates that only a public key is to be imported. file name is the absolute or relative path name of the file containing the key.

You must always specify either -pr or -pu!

-p=password | -p=

Specifies the password if the key(s) is/are password-protected.

No password specified

If you specify -p= without a password, the password is queried on screen after the command has been sent. The entry you make is not displayed, in order to prevent unauthorized persons from seeing the password.

-p not specified

The key(s) is/are not password-protected, default value.

-p12

The key file contains a certificate and a private key in accordance with the standard PKCS#12 V1.0. The file is searched for a private key and any non-supported elements (e.g. certificates, CRLs) are ignored during the import. The first private key that is found in the file is imported. Any others are ignored.

If the certificate is protected by a signature or hash then openFT does not perform a validity check. The validity of the file must be verified using other means.

-p12 not specified

The private key is not present in PEM format, default value.

Examples

  1. You want to import the public key from the file clientkey1 (without a password).

    ftimpk -pu=clientkey1

  2. You want to import an RSA key in PEM format, generated using an external tool, from the file rsakeys20170303. The keys are protected by a password, which you must enter hidden (not displayed) on screen.

    ftimpk -pr=rsakeys20170303 -p=
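
Added example, not part of the openFT manual: a pre-import check for an unencrypted PEM key file intended for ftimpk -pr, following the note under -p12 that a file's validity must be verified by other means. It compares the file's SHA-256 with a digest obtained from the key's originator out of band and checks the RSA modulus length against the lengths listed above; the function names and the choice of SHA-256 are assumptions of this example.

```python
import base64, hashlib, hmac, re

ALLOWED_BITS = {768, 1024, 2048, 3072, 4096}     # key lengths the page lists for ftimpk
RSA_OID = bytes.fromhex("2a864886f70d010101")    # rsaEncryption algorithm identifier

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def modulus_bits(der, pkcs8):
    """Bit length of the RSA modulus in a native (PKCS#1) or unencrypted PKCS#8 key."""
    _, body, _ = tlv(der)                        # outer SEQUENCE
    if pkcs8:                                    # version, algorithm, OCTET STRING
        _, _, pos = tlv(body)
        _, alg, pos = tlv(body, pos)
        if RSA_OID not in alg:
            raise ValueError("not an RSA key")
        _, inner, _ = tlv(body, pos)
        _, body, _ = tlv(inner)                  # embedded RSAPrivateKey
    _, _, pos = tlv(body)                        # skip version
    _, n, _ = tlv(body, pos)                     # modulus INTEGER
    return int.from_bytes(n, "big").bit_length()

def precheck(data, expected_sha256):
    """Return a list of problems; an empty list means the file passed both checks."""
    problems = []
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256.lower()):
        problems.append("SHA-256 differs from the digest received out of band")
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    if not m:
        return problems + ["no PEM block found"]
    label, body = m.group(1).decode(), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type:" in body:
        return problems + ["encrypted key: length cannot be checked without the password"]
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return problems + ["unexpected PEM type: " + label]
    try:
        bits = modulus_bits(base64.b64decode(body), label == "PRIVATE KEY")
    except (ValueError, IndexError):
        return problems + ["could not be parsed as an unencrypted RSA private key"]
    if bits not in ALLOWED_BITS:
        problems.append("key length %d is not a length ftimpk lists" % bits)
    return problems
```

Call precheck with the file's bytes and the expected digest before running ftimpk -pr=...; an empty list means both checks passed. PKCS#12 files (-p12) and password-protected keys are outside what this check can inspect.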