Skip to main content
Version: 7.2405.x.x LTS

Password handling for private keys

Passwords used to protect private keys of soft certificates, or needed to log in to an HSM (hardware security module), usually need to be automatically available for re-initialization purposes or at host boot time. The following sections explain how to realize this.

HSMs

For HSMs, you need to configure the mechanism to get the password in the PKCS#11 URL ").

  • pinenv: Specifies the name of the environment variable that contains the pin used to log in to the PKCS#11 token. Environment variables are specified in the file env.conf.
  • pinfile: Specifies the file name containing the PIN used to log in to the PKCS#11 token.

Soft certificates

For soft certificates, you set the mechanism to get the password in the bc property bc.security.PassPhrasePolicy. See also chapter "Password handling for private keys".

The property bc.security.PassPhrasePolicy can have one or more of the following, comma-separated values:

  • "pipe": Executes the command set in the bc property bc.security.PassPhraseDialog.
  • "env": The package uses a prefetching mechanism and passes the passphrases via "env". The section "" explains how the name of the environment variable must look like.
  • "prompt": The passphrases are read from the controlling terminal (if possible).

If more than one passphrase policy is configured, the system will take the first one that delivers a valid password.

Considerations to the passphrase policy "env"

The environment variable "env" is a SHA1 hash of the certificate path, prefixed by "pp_". It may be generated as follows:

echo -n <filename> | /opt/nevisproxy/bin/openssl sha1 | awk '{ print "pp_" $2 }'

Usually, once the environment variable has been read, it will be removed. This may cause problems if the password is required more than once, for example, on a restart or for dynamic certificates. To avoid this, you can use the property bc.security.pinenv. This property can be configured to one of those values:

  • "keep": Keeps the password as is in the defined environment variable.
  • "obfuscate": Keeps an obfuscated value in the environment variable