The operator can sign the configuration file using the following steps:

1. Perform an SHA512 hash on the configuration file to create a message digest.

   Example (Linux/OpenSSL):

   openssl dgst -sha512 -binary -out digest cfg_file 

2. Create a digital signature by encrypting the message digest value with the RSA private key.

   Example (Linux/OpenSSL):

   openssl pkeyutl -sign -in digest -inkey pri_key.pem -out sig \ 
   -pkeyopt digest:sha512 -pkeyopt rsa_padding_mode:pss \ 
   -pkeyopt rsa_pss_saltlen:-2
    

3. Convert the digital signature to a base64 format (A ‘#’ is added at the beginning, and a new line at the end).

   Example (Linux/OpenSSL):

   echo -n “#” > sig_base64 
   base64 sig -w 0 >> sig_base64 
   echo “” >> sig_base64
    

4. Append the original configuration file with the digital signature.

   Example (Linux/OpenSSL):

   cat sig_base64 cfg_file > signed_cfg_file 

Generating the Public and Private Keys

The RSA public key is stored in PEM format (.pem file), and can be generated using one of the following OpenSSL commands in the example below:

openssl rsa -in pri_key.pem - pubout -out pub_key.pem 
–-or-- 
openssl rsa -in pri_key.pem -RSAPublicKey_out -out pub_key.pem 

An RSA private key in PEM format can be generated using the OpenSSL command in the following example:

openssl genrsa -out pri_key.pem 2048 

For more information on the openssl rsa and openssl genrsa commands, refer their respective OpenSSL manual pages.

When signature verification is enabled, validation of the digital signature occurs when the system boots up and loads the configuration file (or any time when the config file is loaded). The system determines if signature verification is enabled (or disabled) by looking for the .enable_cfg_pubkey file in the secure directory. For more information, refer Enable or Disable Signature Verification.

The system validates the signed configuration file using the following steps:

1. Extract the RSA public signing key from the flash.

2. Extract the configuration file’s digital signature (the first line).

3. Convert the signature from base64 to binary format.

4. Decrypt the signature using the RSA public key.

5. Calculate the SHA512 hash for the plain config file resulting in a message digest.

6. Compare the decrypted signature value and newly calculated message digest. If they match, the configuration file is successfully validated.

To verify the signed configuration file, an RSA public key (in PEM format) must be imported. Use the following command to import the RSA public key:

Important

This command can only be executed from the console.

cfg-security import public-key url url_address 

Notes:

• Any existing .pem file will be replaced with the new .pem file when the command is executed.

• url_address may refer to a local or a remote file, and must be entered using the following format:

  [file:]{/flash | /usb1 | /hd-raid | /sftp}[/directory]/filename

  tftp://host[:port][/<directory>]/filename

  ftp://[username[:password]@]host[:port][/directory]/filename

  sftp://[username[:password]@]host[:port][/directory]/filename

  http://[username[:password]@]host[:port][/directory]/filename

  https://[username[:password]@]host[:port][/directory]/filename

Use the following command to enable (or disable) signature verification in the configuration file:

Important

This command can only be executed from the console.

[ no ] cfg-security sign 

Notes:

• Enabling signature verification (cfg-security sign command) will create an empty file named .enable_cfg_pubkey in the same directory where the PEM file exists.

• Use the no cfg-security sign command to disable verification of signature in the configuration file. Disabling signature verification (no cfg-security sign command) will remove the .enable_cfg_pubkey file.

• The system looks for the .enable_cfg_pubkey file to determine if signature verification is enabled or disabled.