Validate The Digital Signature - Cisco ASR 5000 Series Administration Manual

Staros release 21.4
Secure System Configuration File
Generating the Public and Private Keys
The RSA public key is stored in PEM format (.pem file), and can be generated using one of the following
OpenSSL commands in the example below:
openssl rsa -in pri_key.pem -pubout -out pub_key.pem
--or--
openssl rsa -in pri_key.pem -RSAPublicKey_out -out pub_key.pem
An RSA private key in PEM format can be generated using the OpenSSL command in the following example:
openssl genrsa -out pri_key.pem 2048
For more information on the openssl rsa and openssl genrsa commands, refer to their respective OpenSSL
manual pages.

Validate the Digital Signature

When signature verification is enabled, validation of the digital signature occurs when the system boots up
and loads the configuration file (or any time the configuration file is loaded). The system determines whether signature
verification is enabled or disabled by looking for the .enable_cfg_pubkey file in the secure directory. For
more information, refer to Enable or Disable Signature Verification, on page 118.
The system validates the signed configuration file using the following steps:
1 Extract the RSA public signing key from the flash.
2 Extract the configuration file's digital signature (the first line).
3 Convert the signature from base64 to binary format.
4 Decrypt the signature using the RSA public key.
5 Calculate the SHA512 hash for the plain config file, resulting in a message digest.
6 Compare the decrypted signature value and the newly calculated message digest. If they match, the configuration
file is successfully validated.
Configuring Signature Verification
Import RSA Public Key for Verification
To verify the signed configuration file, an RSA public key (in PEM format) must be imported. Use the
following command to import the RSA public key:
cfg-security import public-key url url_address
Important: This command can only be executed from the console.
Notes:
• Any existing .pem file will be replaced with the new .pem file when the command is executed.
• url_address may refer to a local or a remote file, and must be entered using the following format:
[file:]{/flash | /usb1 | /hd-raid | /sftp}[/directory]/filename
ASR 5500 System Administration Guide, StarOS Release 21.4
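As an added example that is not Cisco's code and not part of StarOS, the following POSIX shell script walks through the key generation commands shown above and the six validation steps in one place, using only the openssl command line: it generates the key pair, signs a constructed sample configuration file so that the base64 signature becomes its first line, and then verifies it by extracting line 1, decoding the base64, and letting openssl dgst -verify apply the public key to the signature and compare the result with the SHA-512 digest of the remaining lines. A tampered copy is checked as well to show that a one-character change in the body fails validation. The file names, the sample configuration content, and the framing of the signature line (a bare base64 string) are assumptions made for this example; the guide does not specify how StarOS formats that line.

```shell
#!/bin/sh
# Added example, not Cisco's code: sign a config file and verify it the way the
# guide describes (base64 signature on line 1, SHA-512 digest, RSA public key).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the private and public key exactly as the guide shows.
gen_keys() {
  openssl genrsa -out "$WORK/pri_key.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/pri_key.pem" -pubout -out "$WORK/pub_key.pem" 2>/dev/null
}

# Sign a plain config file: SHA-512 digest signed with the private key,
# base64-encoded on a single line, prepended as line 1 of the output file.
# (Assumption: the signature line is the bare base64 string, nothing else.)
sign_config() {
  plain=$1; signed=$2
  sig=$(openssl dgst -sha512 -sign "$WORK/pri_key.pem" "$plain" | openssl base64 -A)
  { printf '%s\n' "$sig"; cat "$plain"; } > "$signed"
}

# Verify a signed config file following the guide's steps:
#   2) take the first line (the signature)        3) base64 -> binary
#   4-6) openssl dgst -verify applies the public key to the signature and
#        compares the recovered digest with the SHA-512 of the remaining lines.
# Prints "valid" or "invalid" and returns 0 or 1 accordingly.
verify_config() {
  signed=$1
  head -n 1 "$signed" | openssl base64 -d -A > "$WORK/sig.bin"
  tail -n +2 "$signed" > "$WORK/body.cfg"
  if openssl dgst -sha512 -verify "$WORK/pub_key.pem" \
       -signature "$WORK/sig.bin" "$WORK/body.cfg" >/dev/null 2>&1; then
    echo valid; return 0
  else
    echo invalid; return 1
  fi
}

# Constructed sample configuration (not a real StarOS configuration).
gen_keys
printf 'config\n  context local\n    interface mgmt\n      ip address 10.0.0.1 255.255.255.0\n    #exit\n  #exit\nend\n' \
  > "$WORK/plain.cfg"
sign_config "$WORK/plain.cfg" "$WORK/signed.cfg"
verify_config "$WORK/signed.cfg"

# Change one character in the body: the digest no longer matches the signature.
sed 's/10\.0\.0\.1/10.0.0.2/' "$WORK/signed.cfg" > "$WORK/tampered.cfg"
verify_config "$WORK/tampered.cfg" || true
```

The script uses the -pubout form of openssl rsa, which writes a "BEGIN PUBLIC KEY" (SubjectPublicKeyInfo) PEM block; the -RSAPublicKey_out form from the guide writes the PKCS#1 "BEGIN RSA PUBLIC KEY" encoding of the same key instead. Note that tampering with the signature line itself (for example, truncating it) is also caught, because the decoded bytes then no longer form a signature that the public key recovers to the body's digest.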
