
Private Keys

Private Keys are cryptographic credentials used to establish secure, authenticated SSH connections within USP. They are used throughout USP to support different parts of the connection flow and work in conjunction with Public Keys to enable authentication.

Info: For more information on where and how Private Keys are used, refer to How USP Uses Keys.

Before You Begin

Using Hardware Security Modules (HSMs)

Private Keys in USP can be stored in two ways:

  • Locally, where the credential content is uploaded and securely stored by USP Manager.
  • Externally, in a Hardware Security Module (HSM), where the key never leaves the physical device.

An HSM is a dedicated cryptographic device that stores and protects keys within a tamper-resistant environment.

When a Private Key is stored in an HSM, its content remains inside the hardware, and all cryptographic operations, such as signing during SSH handshakes, are performed within the device. The USP Server never has direct access to the raw key data.

USP communicates with HSMs through the PKCS#11 interface using the configuration defined in the HSM Connection. That connection specifies the library path, token identifiers, authentication PIN, and other details required for USP Server to access the HSM.

Private Key Administration via USP Admin UI

Adding a Private Key

To add a Private Key, follow these steps:

  1. From the Sidebar, click Authentication > Keys.
  2. Click Private Key.
  3. Click Add Private Key.
  4. Complete the details for the new Private Key using the Field Descriptions table as a guide.
    Warning: Once saved, the Private Key content cannot be viewed again.

  5. Click Save.

Field Descriptions

Each field is listed with its description, its specifications (where any apply), and whether it is required.

Name
  Description: The name of the Private Key.
  Specifications:
  • Must be unique.
  • Must follow the Standard Naming Pattern.
  Required: Yes

Description
  Description: The description of the Private Key.
  Required: No

Store Private Key in HSM
  Description: When enabled, keys are managed through a preconfigured HSM Connection.
  Required: Yes

HSM Private Key ID
  Description: The unique identifier for the certificate or key in hexadecimal format (CKA_ID). For example, 4A4B4 or 0x4A4B4C.
  Required: Yes, if Store Private Key in HSM is enabled.

HSM Private Key Label
  Description: The human-readable name assigned to the certificate or key inside the HSM (CKA_LABEL). The label is used to identify the object (e.g., TLS-Key-Prod).
  Required: Yes, if Store Private Key in HSM is enabled.

Key
  Description: The Private Key content.
  Specifications: Must be in PEM format.
  Required: Yes, if Store Private Key in HSM is disabled.
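The HSM section above and the Field Descriptions table together define what a valid Private Key entry is: either an HSM-backed key identified by a hexadecimal CKA_ID and a CKA_LABEL, or a locally stored key whose content is PEM. The Python script below, added here as an illustration and not code from USP or its documentation, encodes those rules as a pre-submission validator, so the two halves of the table (HSM enabled versus disabled) and the CKA_ID formats the page gives as examples (4A4B4, 0x4A4B4C) can be checked before anything reaches the Admin UI. Everything not stated on the page is an assumption and is marked as such: the Standard Naming Pattern is stood in for by a placeholder regex, an odd-length CKA_ID is left-padded with a zero nibble, uploading PEM content together with an HSM reference is treated as an error, and the sample PEM body is a constructed DER SEQUENCE rather than real key material.

```python
"""Validator for a USP-style Private Key definition (illustrative, not USP code).

Encodes the Field Descriptions rules: an HSM-backed key needs a hex CKA_ID and a
CKA_LABEL; a locally stored key needs PEM content. Names must be unique.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Assumption: the page does not reproduce the Standard Naming Pattern, so this
# placeholder (letters, digits, '-' and '_', 1-64 characters) stands in for it.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# PEM armour for private keys: "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
# "ENCRYPTED PRIVATE KEY" ... with a base64 body and matching BEGIN/END labels.
PEM_RE = re.compile(
    r"^-----BEGIN (?P<label>(?:[A-Z]+ )?PRIVATE KEY)-----\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)+)"
    r"-----END (?P=label)-----\r?\n?$"
)

# Constructed sample: the body decodes to DER SEQUENCE { INTEGER 0 }, which is
# enough to exercise the structural check. It is not a real key.
SAMPLE_PEM = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"


@dataclass
class PrivateKeyDefinition:
    """The fields of the Add Private Key form, as plain data."""
    name: str
    description: str = ""
    store_in_hsm: bool = False
    hsm_key_id: str = ""     # CKA_ID in hex, e.g. "4A4B4" or "0x4A4B4C"
    hsm_key_label: str = ""  # CKA_LABEL, e.g. "TLS-Key-Prod"
    key_pem: str = ""        # PEM content, only for locally stored keys


def parse_cka_id(text: str) -> bytes:
    """Convert the form's hex CKA_ID into the byte string PKCS#11 compares.

    Accepts an optional 0x prefix. Assumption: an odd number of hex digits (the
    page's '4A4B4' example) is left-padded with a zero nibble; the page does not
    say how USP normalises such input.
    """
    s = text.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    if not s or not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError(f"must be hexadecimal, got {text!r}")
    if len(s) % 2:
        s = "0" + s
    return bytes.fromhex(s)


def check_pem_private_key(pem: str) -> str:
    """Structural PEM check; returns the armour label (e.g. 'PRIVATE KEY').

    Verifies matching BEGIN/END lines and that the base64 body decodes to a DER
    SEQUENCE (first byte 0x30). It deliberately does not parse the key itself.
    """
    m = PEM_RE.match(pem.strip() + "\n")
    if not m:
        raise ValueError("not a PEM-encoded private key")
    der = base64.b64decode(m["body"].replace("\r", "").replace("\n", ""), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return m["label"]


def validate(defn: PrivateKeyDefinition, existing_names: set[str]) -> list[str]:
    """Return the list of problems with a definition; an empty list means it is acceptable."""
    errors: list[str] = []
    if not NAME_PATTERN.match(defn.name):
        errors.append("Name: must follow the naming pattern")
    if defn.name in existing_names:
        errors.append("Name: must be unique")
    if defn.store_in_hsm:
        if not defn.hsm_key_id.strip():
            errors.append("HSM Private Key ID: required when Store Private Key in HSM is enabled")
        else:
            try:
                parse_cka_id(defn.hsm_key_id)
            except ValueError as exc:
                errors.append(f"HSM Private Key ID: {exc}")
        if not defn.hsm_key_label.strip():
            errors.append("HSM Private Key Label: required when Store Private Key in HSM is enabled")
        if defn.key_pem.strip():
            # Assumption: key content alongside an HSM reference is rejected, because
            # the point of HSM storage is that the raw key never reaches USP Manager.
            errors.append("Key: must be empty when the key is stored in the HSM")
    else:
        if not defn.key_pem.strip():
            errors.append("Key: required when Store Private Key in HSM is disabled")
        else:
            try:
                check_pem_private_key(defn.key_pem)
            except ValueError as exc:
                errors.append(f"Key: {exc}")
    return errors


if __name__ == "__main__":
    hsm_key = PrivateKeyDefinition(name="prod-ssh", store_in_hsm=True,
                                   hsm_key_id="0x4A4B4C", hsm_key_label="TLS-Key-Prod")
    local_key = PrivateKeyDefinition(name="lab-ssh", key_pem=SAMPLE_PEM)
    for d in (hsm_key, local_key):
        print(d.name, validate(d, {"prod-ssh"}) or "ok")
```

Running the script reports the HSM-backed entry as a duplicate name (the constructed existing-names set already contains prod-ssh) and accepts the local entry; parse_cka_id turns 4A4B4 into the three bytes 04 A4 B4 and 0x4A4B4C into 4A 4B 4C, which is what a PKCS#11 lookup by CKA_ID would compare against the object in the token.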

Editing a Private Key

To edit a Private Key, follow these steps:

  1. From the Sidebar, click Authentication > Keys.
  2. Click Private Key.
  3. Click the row of the Private Key you want to edit.
  4. Click the Edit button above the Private Key details.
  5. Edit the details of the Private Key using the Field Descriptions table as a guide.
    Info: The Private Key field appears empty, but the key remains stored unless deliberately overwritten.

  6. Click Save.
Warning: If you modify a Private Key that is currently in use by a USP Server instance, the changes will not take effect until you manually apply the updated configuration by pushing it to the server. To apply the changes:

  1. Navigate to Monitoring > Status.
  2. Click the Name of the associated USP Server instance.
  3. Go to the Configuration tab.
  4. Review the pending changes in the Updated Configuration column.
  5. If the changes are correct, click Push Configuration.

Private Key Metadata

  • ID: Universally Unique Identifier of this Private Key.
  • Enabled: A Boolean value indicating the status of the Private Key. The only possible value is true.
  • Created At: Date and time this Private Key was created.
  • Updated At: Date and time this Private Key was last updated.

Deleting a Private Key

To delete a Private Key, follow these steps:

  1. From the Sidebar, click Authentication > Keys.
  2. Click Private Key.
  3. Click the row of the Private Key you want to delete.
  4. Click the Delete button above the Private Key details.
  5. You will be asked to confirm the deletion. Click Delete.
Warning: USP Manager prevents deletion of a Private Key if it is currently referenced by a Configuration Item.

Additionally, if the Private Key is used by a USP Server instance, the updated configuration must be manually applied. To apply the changes:

  1. Navigate to Monitoring > Status.
  2. Click the Name of the associated USP Server instance.
  3. Go to the Configuration tab.
  4. Review the pending changes in the Candidate Configuration - Preview section.
  5. If the changes are correct, click Push Configuration.

The changes do not take effect on the server until this step is completed.