How can I delete expired and unused SSL encryption keys from our AMD?

jwarren
Participant

chris_v
Dynatrace Pro

It's a manual process.

Unless you're using an HSM (Hardware Security Module, aka hardware SSL accelerator), the keys will be stored on disk in the folder:

/usr/adlex/config/keys

Use the rcon command:

show ssldecr keys

It'll list which keys are loaded and show which ones are actually being used for traffic; you can then remove the keys from the keylist file and delete the keys from disk.

If you are using an HSM, you should follow the instructions that came with the card, as each card has its own command line tools for key management.

Thanks for your quick response Chris! Unfortunately I'm a DCRUM newb and forgot to mention that we're using an nCipher HSM.

I've found multiple examples of how to load a key and have done that successfully, but have been unable to find anything related to the card. I'll hit up our company reps and see if anyone has more info.

Thanks again for your help.

Hi Jc W,

As Chris said, it's a manual process, and the following is what I've done in our environment.

  1. Make a backup: /usr/adlex/config/keys/whateverSSL.pem.bak (in case there is any issue).
  2. Copy the new whateverSSL.pem over the old whateverSSL.pem. (I've used this step due to some constraint and was too lazy to make changes in the key list.)
  3. Restart the AMD services with ndstop & ndstart.
  4. Once you've executed show ssldecr keys and found no issue, proceed with:
     rm -rf /usr/adlex/config/keys/whateverSSL.pem.bak

Voilà, finished.

Hope this helps, from newbie to newbie 🙂
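The two manual procedures in this thread (Chris's "list what is loaded, drop it from the keylist, delete it from disk" and the backup/replace/restart/remove-backup steps just above) as a set of shell helpers. This is an added example, not code from the thread or from Dynatrace. It assumes the keys live in KEYS_DIR (the thread names /usr/adlex/config/keys), that the keylist is a plain text file with one key file name per line and "#" comments (the real keylist format is not shown in the thread, so this is an assumption), that the AMD is restarted with ndstop/ndstart, and that the operator confirms the live key with "show ssldecr keys" in rcon before calling remove_backups.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the manual key clean-up described
# above. Every path and format below is an assumption except /usr/adlex/config/keys
# and ndstop/ndstart, which the thread names.
KEYS_DIR="${KEYS_DIR:-/usr/adlex/config/keys}"
KEYLIST="${KEYLIST:-$KEYS_DIR/keylist}"         # assumed location of the keylist file
RESTART_CMD="${RESTART_CMD:-ndstop && ndstart}" # overridable so the helpers run off-box

# unreferenced_keys: print each *.pem in KEYS_DIR whose basename is not listed in
# KEYLIST. Assumed keylist format: one file name or path per line, "#" comments.
# It only reports; deleting a key file is a separate, deliberate step.
unreferenced_keys() {
    [ -r "$KEYLIST" ] || { echo "keylist $KEYLIST not readable" >&2; return 1; }
    for f in "$KEYS_DIR"/*.pem; do
        [ -f "$f" ] || continue
        b=$(basename "$f")
        # strip comments and directories, then require an exact whole-line match
        if ! sed 's/#.*//; s#.*/##; s/[[:space:]]//g' "$KEYLIST" | grep -qxF -- "$b"; then
            echo "$b"
        fi
    done
}

# pem_ok FILE: reject anything that is not a PEM private key (wrong file, truncated copy).
pem_ok() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----END .*PRIVATE KEY-----' "$1"
}

# install_key NAME NEWPEM: back up KEYS_DIR/NAME to NAME.<timestamp>.bak, then put
# NEWPEM in its place. Backup and new key are created mode 0600 (a copy of a private
# key must not be world-readable). Prints the backup path, or nothing if no old key.
install_key() {
    name="$1"; newpem="$2"; target="$KEYS_DIR/$name"
    pem_ok "$newpem" || { echo "refusing: $newpem is not a PEM private key" >&2; return 1; }
    if [ -f "$target" ]; then
        bak="$target.$(date +%Y%m%d%H%M%S).bak"
        (umask 077; cp "$target" "$bak") || return 1
        echo "$bak"
    fi
    # copy to a temp name, then rename, so a half-written key is never the live file
    (umask 077; cp "$newpem" "$target.tmp") && mv "$target.tmp" "$target"
}

# restart_amd: the ndstop && ndstart step, via RESTART_CMD.
restart_amd() {
    sh -c "$RESTART_CMD"
}

# remove_backups NAME: delete only the backups made for NAME, and only after the live
# key has been verified with "show ssldecr keys". Prints how many were removed.
remove_backups() {
    n=0
    for f in "$KEYS_DIR/$1".*.bak; do
        [ -f "$f" ] || continue
        rm -f "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Typical order on an AMD (commented out so the file can be sourced safely):
#   unreferenced_keys            # compare with the rcon "show ssldecr keys" output
#   install_key site.pem /tmp/new-site.pem
#   restart_amd                  # then check "show ssldecr keys" in rcon
#   remove_backups site.pem
```

The point of keeping a timestamped backup rather than a single `.bak`, and of deleting backups with a function that matches only that key's name, is that a mistake during the restart step can be undone and a clean-up never turns into `rm -rf` over the keys directory.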

adam_piotrowicz
Dynatrace Pro

I'm not sure if there is an option to delete some keys.

It looks like you can only destroy the entire security world, create it again and add only the good keys ...

antoine_buffoto
Dynatrace Helper

Hi,

Using an nCipher SSL card, when you import an SSL key, the tool creates a file "key_pkcs11_*" in the folder "/opt/nfast/kmdata/local".

See example of output:

Key successfully imported.

Path to key:
/opt/nfast/kmdata/local/key_pkcs11_uced028e5251b7b6891e7e59dec5428d871f92241b-c70e6451e8d793ca80a497267ccb9bc73bd55edb

I would say deleting the right "key_pkcs11_*" file will make the card not use the related SSL private key stored in the nCipher SSL card.