Private Keys

Private Keys are cryptographic credentials used to establish secure, authenticated SSH connections within USP. They are used throughout USP to support different parts of the connection flow and work in conjunction with Public Keys to enable authentication.

In the context of USP and the proxy process, private keys are used in the following places to assert identity during SSH handshakes:

| Private Key Location | Purpose | Counterpart (Public Key Location) |
|---|---|---|
| Inbound Node | Private key used by the USP Server to assert its identity to external clients during the SSH handshake. | Public Key is stored and trusted by the external client (e.g., in known hosts). |
| External Incoming Connection (not in USP) | Private key used by an external client to authenticate to the USP Server when a Rule requires public key authentication using an Account Repository. | Public Key is configured in the associated Account. |
| Tunnel | Private key used by the USP Server to assert its identity to the USP Client during the SSH handshake. | Public Key is referenced in the USP Client's .hcl config under tunnel.host_key. |
| USP Client | Private key used by the USP Client to authenticate to the USP Server's Tunnel. | Public Key is registered in the Proxy Client configuration (as its Public Key). |
| Rule | Private key used by the USP Server to authenticate to internal targets when using dedicated outbound credentials. | Public Key must be known and trusted by the internal target system. |
Info: For more information on where and how Private Keys are used, refer to Keys.

Private Key Administration via USP Admin UI

Adding a Private Key

To add a Private Key, follow these steps:

  1. From the Sidebar, click Authentication > Keys.
  2. Click Private Key.
  3. Click Add Private Key.
  4. Complete the details for the new Private Key using the Field Descriptions table as a guide.

     Warning: Once saved, the Private Key content cannot be viewed again.

  5. Click Save.

Field Descriptions

| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the Private Key. | Must be unique. Must follow the Standard Naming Pattern. | Yes |
| Description | The description of the Private Key. | | No |
| Key | The Private Key content. | Must be in PEM format. | Yes |
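
A pre-upload check for the Key field, added here as an example and not part of USP or its documentation: because the field requires PEM and the content cannot be viewed after saving, it confirms the text is a private-key PEM block, reports whether it is passphrase-protected, and for OpenSSH-format keys records the public key fingerprint so the counterpart can be matched later. Which PEM labels USP accepts is not stated on this page, so the label list, the function names and the constructed sample are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
# Assumption: the page only says "PEM format"; which labels USP accepts is not stated.
PRIVATE_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
                  "EC PRIVATE KEY", "DSA PRIVATE KEY", "OPENSSH PRIVATE KEY"}
MAGIC = b"openssh-key-v1\0"

def _ssh_string(buf, off):
    """Read one length-prefixed SSH string; return (value, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated OpenSSH key container")
    return buf[off + 4:end], end

def inspect_private_key(text):
    """Validate PEM armor; return label, encryption state and (OpenSSH only) fingerprint."""
    m = PEM_RE.search(text.strip())
    if not m:
        raise ValueError("no PEM block with matching BEGIN/END lines")
    label, lines = m.group(1), m.group(2).splitlines()
    if label not in PRIVATE_LABELS:  # e.g. a public key or certificate pasted by mistake
        raise ValueError(f"{label!r} is not a private key block")
    headers = [l for l in lines if ":" in l]  # legacy 'Proc-Type:' / 'DEK-Info:' lines
    raw = base64.b64decode("".join(l.strip() for l in lines if ":" not in l), validate=True)
    info = {"label": label, "fingerprint": None,
            "encrypted": label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers)}
    if label == "OPENSSH PRIVATE KEY":
        if not raw.startswith(MAGIC):
            raise ValueError("bad OpenSSH key magic")
        cipher, off = _ssh_string(raw, len(MAGIC))
        _kdf, off = _ssh_string(raw, off)
        _kdf_opts, off = _ssh_string(raw, off)
        pub, _ = _ssh_string(raw, off + 4)  # skip the uint32 key count
        info["encrypted"] = cipher != b"none"
        digest = hashlib.sha256(pub).digest()  # same form as `ssh-keygen -l` output
        info["fingerprint"] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return info

def constructed_sample():
    """Constructed, non-functional container with zeroed key bytes (demo input only)."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    pub = s(b"ssh-ed25519") + s(bytes(32))
    raw = MAGIC + s(b"none") + s(b"none") + s(b"") + (1).to_bytes(4, "big") + s(pub) + s(bytes(8))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(inspect_private_key(constructed_sample()))
```

For the other PEM labels the fingerprint is left as None, since deriving the public key from them requires parsing the key structure itself.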

Editing a Private Key

To edit a Private Key, follow these steps:

  1. From the Sidebar, click Authentication > Keys.
  2. Click Private Key.
  3. Click the Name of the Private Key you want to edit.
  4. Click the Edit button above the Private Key details.
  5. Edit the details of the Private Key using the Field Descriptions table as a guide.

     Info: The Private Key field appears empty, but the key remains stored unless deliberately overwritten.

  6. Click Save.
Warning: If you modify a Private Key that is currently in use by a USP Server instance, the changes will not take effect until you manually apply the updated configuration by pushing it to the server. To apply the changes:

  1. Navigate to Monitoring > Status.
  2. Click the Name of the associated USP Server instance.
  3. Go to the Configuration tab.
  4. Review the pending changes in the Updated Configuration column.
  5. If the changes are correct, click Push Configuration.

Private Key Metadata

| Name | Description |
|---|---|
| ID | Universally Unique Identifier of this Private Key. |
| Enabled | A Boolean value indicating the status of the Private Key. The only possible value is true. |
| Created At | Date and time this Private Key was created. |
| Updated At | Date and time this Private Key was last updated. |

Deleting a Private Key

To delete a Private Key, follow these steps:

  1. From the Sidebar, click Authentication > Keys.
  2. Click Private Key.
  3. Click the Name of the Private Key you want to delete.
  4. Click the Delete button above the Private Key details.
  5. You will be asked to confirm the deletion. Click Delete.

Warning: USP Manager prevents deletion of a Private Key if it is currently referenced by a Configuration Item.

Additionally, if the Private Key is used by a USP Server instance, the updated configuration must be manually applied. To apply the changes:

  1. Navigate to Monitoring > Status.
  2. Click the Name of the associated USP Server instance.
  3. Go to the Configuration tab.
  4. Review the pending changes in the Candidate Configuration - Preview section.
  5. If the changes are correct, click Push Configuration.

The changes do not take effect on the server until this step is completed.