SSH Key Pair Generation Guide
USP uses SSH key pairs for authentication in multiple parts of its configuration. While most uses of SSH keys are optional and depend on your configuration choices, one scenario always requires SSH keys: establishing secure tunnels between USP Clients and USP Servers.
This guide is divided into two parts:
- Generating SSH Key Pairs (General Instructions): a standalone guide to generating SSH key pairs using ssh-keygen, which can be applied to any context.
- Generating SSH Keys for USP Tunnels: focuses specifically on generating the two required key pairs used to establish secure tunnels between USP Clients and USP Servers.
For a deeper explanation of how SSH keys are used in USP and where they appear in the configuration, refer to Keys.
Generating SSH Key Pairs (General Instructions)
SSH key pairs consist of:
- A private key, which must be kept secure
- A public key, which is shared with remote systems for authentication
To generate a key pair using the ssh-keygen tool:
1. Create a Directory for Your Keys
```bash
mkdir -p ./ssh_keys
```
This ensures that all key files are organized in one location.
2. Generate a New SSH Key Pair
```bash
ssh-keygen \
  -t rsa \
  -b 2048 \
  -m PEM \
  -f ./ssh_keys/my_ssh_key
```
Command Breakdown:
- -t rsa: Generates an RSA key
- -b 2048: Uses a 2048-bit key length
- -m PEM: Exports the private key in PEM format (required for USP)
- -f: Specifies the output filename (no extension)
This will produce:
- my_ssh_key: the private key (PEM format)
- my_ssh_key.pub: the corresponding public key (OpenSSH format)
Repeat this process as needed for any additional key pairs you require.
Generating SSH Keys for USP Tunnels
In USP, SSH tunnels between USP Clients and USP Servers are mandatory when operating across network boundaries (e.g., from LAN to DMZ). To support this, you must generate two distinct key pairs:
1. USP Server Key Pair
This key pair identifies the USP Server Tunnel as an SSH server to USP Clients.
```bash
ssh-keygen \
  -t rsa \
  -b 2048 \
  -m PEM \
  -f ./ssh_keys/usp-tunnel-key
```
This will produce:
- usp-tunnel-key: Private key used by the USP Server Tunnel.
- usp-tunnel-key.pub: Public key shared with USP Clients to verify server identity.
2. USP Client Key Pair
This key pair allows the USP Client to authenticate itself to the USP Server Tunnel.
```bash
ssh-keygen \
  -t rsa \
  -b 2048 \
  -m PEM \
  -f ./ssh_keys/usp-client-1-key
```
This will produce:
- usp-client-1-key: Private key used by the USP Client during SSH connection.
- usp-client-1-key.pub: Public key registered in the USP Manager as the Client's public identity.
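The two steps above, scripted end to end, with a check that each generated private key is actually in the PEM format USP requires (the most common mistake is omitting -m PEM, which leaves the key in OpenSSH's own format). This is an added example, not part of the USP documentation or tooling; it assumes the keys live in ./ssh_keys and carry no passphrase because the tunnel runs unattended.

```shell
#!/bin/sh
# Added example (not part of the USP documentation or tooling).
# Generates the two USP tunnel key pairs described above and verifies that
# each private key is in the PEM format USP requires (-m PEM), is readable
# only by its owner, and has its OpenSSH public key beside it.
# Assumptions: keys live in ./ssh_keys (override with KEY_DIR) and have no
# passphrase, because the tunnel runs unattended.

KEY_DIR="${KEY_DIR:-./ssh_keys}"

# check_usp_key PRIVATE_KEY_PATH -> 0 if the pair is usable by USP, 1 otherwise
check_usp_key() {
  key="$1"
  pub="$1.pub"
  [ -f "$key" ] || { echo "missing private key: $key" >&2; return 1; }
  [ -f "$pub" ] || { echo "missing public key: $pub" >&2; return 1; }
  # The first line tells the formats apart: ssh-keygen without -m PEM writes
  # "-----BEGIN OPENSSH PRIVATE KEY-----", which USP does not accept.
  case "$(head -n 1 "$key")" in
    "-----BEGIN RSA PRIVATE KEY-----") ;;
    "-----BEGIN OPENSSH PRIVATE KEY-----")
      echo "$key is in OpenSSH format; regenerate it with -m PEM" >&2; return 1 ;;
    *) echo "$key: unrecognised private key format" >&2; return 1 ;;
  esac
  # Group and other permission bits (columns 5-10 of ls -l) must all be "-".
  [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
    { echo "$key is readable by others; run: chmod 600 $key" >&2; return 1; }
  case "$(head -n 1 "$pub")" in
    "ssh-rsa "*) ;;
    *) echo "$pub is not an OpenSSH RSA public key" >&2; return 1 ;;
  esac
  return 0
}

# gen_usp_tunnel_keys: create usp-tunnel-key and usp-client-1-key (never
# overwriting an existing key), then validate both pairs.
gen_usp_tunnel_keys() {
  mkdir -p "$KEY_DIR"
  for name in usp-tunnel-key usp-client-1-key; do
    if [ ! -f "$KEY_DIR/$name" ]; then
      ssh-keygen -t rsa -b 2048 -m PEM -N "" -f "$KEY_DIR/$name" >/dev/null || return 1
    fi
    chmod 600 "$KEY_DIR/$name"
  done
  check_usp_key "$KEY_DIR/usp-tunnel-key" && check_usp_key "$KEY_DIR/usp-client-1-key"
}

# Usage: sh usp_keys.sh generate   (usp_keys.sh is a hypothetical file name)
if [ "${1:-}" = "generate" ]; then gen_usp_tunnel_keys; fi
```

check_usp_key can also be run on its own against keys generated earlier, so a key that was created without -m PEM is caught before it is pasted into the Tunnel or Proxy Client configuration.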
Summary of Files
| Key ID | File | Purpose | Configuration Location |
|---|---|---|---|
| 1-A | usp-tunnel-key.pub | Configured in the USP Client to verify the USP Server identity. | In the tunnel.host_key field in the USP Client's .hcl file. |
| 1-B | usp-tunnel-key | Used to prove the USP Server's identity. | In the Tunnel's Private Key field. |
| 2-A | usp-client-1-key.pub | Shared with the USP Server to authorize the USP Client. | In the Proxy Client's Public Key field. |
| 2-B | usp-client-1-key | USP Client's private key for SSH authentication. | In the key field in the USP Client's .hcl file. |
Additionally, as shown in the diagram under ID 3, the name value defined in the USP Client's .hcl configuration must match the Name of the corresponding Proxy Client in the USP Server configuration. This is how the USP Server identifies which key to use for authentication.