
Managing Public Keys

Some functions require credentials to access third-party apps. These credentials are always encrypted at rest and in transit using FIPS 186-5 approved algorithms. To enable this, you must provide a public RSA encryption key to the Istari service. Only agents configured with the matching private key can decrypt these credentials.

Setting up RSA Encryption Keys

To configure your RSA key, follow these steps:

  1. Generate an RSA key pair. See the section below on generating RSA key pairs.
  2. On the agent machine, configure the path to your private key using the istari_agent_private_key_path configuration variable. See the section on Agent Configuration for more information.
  3. Register the public key with Istari. This gives you and other users access to the encryption key from the Istari web interface or the Istari SDK. To register:
    • Navigate to the Istari Digital admin page and select the link to the public key management page.
    • Upload your public key file in .pem format.
    • If you are using the Istari SDK, you can register the key using the create_tenant_public_key method.

The Istari Platform allows only one public RSA key per organization. If multiple agents need private keys, make sure they all use the same private key.

Generating an RSA Key Pair

Important: The public key must be in PKCS #1 PEM format. You can verify this by checking that your public key file starts with: -----BEGIN RSA PUBLIC KEY-----

Step 1: Generate a 2048-bit Private Key (PKCS #1 PEM)

openssl genrsa -out private.pem 2048

Step 2: Derive the Matching Public Key (PKCS #1 PEM)

openssl rsa -in private.pem -pubout -outform PEM -RSAPublicKey_out -out public.pem

  • Note: Do not use the SSH format or the PKCS #8 format. Only PKCS #1 PEM is supported. A file that begins with -----BEGIN PUBLIC KEY----- (what openssl rsa -pubout emits without -RSAPublicKey_out) is PKCS #8 and will not be accepted.

Step 3: Verify the Public Key Format

Open public.pem and ensure it starts with:

-----BEGIN RSA PUBLIC KEY-----
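As an added example (not part of the Istari documentation), the following script carries out the three key-generation steps above and the format check that the setup steps require before upload: it generates the pair with OpenSSL, derives the PKCS #1 public key with the private key created unreadable to other users, and classifies a public-key file by its PEM header so that a PKCS #8 or SSH-format file is caught before it is uploaded to the admin page. The function names, the keys/ directory in the usage comment and the sample header lines are assumptions.

```shell
#!/bin/sh
# Added example; not from the Istari docs. Generates a PKCS #1 RSA key pair
# and verifies the public key header before upload.

# generate_istari_keypair DIR
#   Writes DIR/private.pem (stays on the agent machine) and DIR/public.pem
#   (the file to upload). -RSAPublicKey_out selects the PKCS #1 encoding;
#   a plain -pubout would emit a PKCS #8 "BEGIN PUBLIC KEY" file instead.
#   The body runs in a subshell so the restrictive umask does not leak out.
generate_istari_keypair() (
  umask 077   # private key is created with owner-only permissions
  openssl genrsa -out "$1/private.pem" 2048 2>/dev/null || exit 1
  openssl rsa -in "$1/private.pem" -RSAPublicKey_out -out "$1/public.pem" 2>/dev/null || exit 1
  chmod 644 "$1/public.pem"   # the public key itself is not secret
)

# classify_public_key FILE
#   Prints pkcs1, pkcs8, ssh or unknown based on the first line of FILE.
#   Returns 0 only for pkcs1, the sole format Istari accepts.
classify_public_key() {
  first_line=$(head -n 1 "$1")
  case "$first_line" in
    "-----BEGIN RSA PUBLIC KEY-----") echo pkcs1;   return 0 ;;
    "-----BEGIN PUBLIC KEY-----")     echo pkcs8;   return 1 ;;  # SubjectPublicKeyInfo from -pubout
    ssh-rsa*)                         echo ssh;     return 1 ;;  # OpenSSH authorized_keys line
    *)                                echo unknown; return 1 ;;
  esac
}

# Usage (assumed layout, not run automatically):
#   mkdir -p keys && generate_istari_keypair keys && classify_public_key keys/public.pem
#   Upload keys/public.pem only when the last command prints "pkcs1".
```

The classifier looks at the header alone, which is exactly the check the documentation describes; it does not parse the key body, so a file with the right header but corrupted contents still has to be rejected by the upload itself.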

Summary

  • Always use PKCS #1 PEM format for your public key.
  • Verify your public key file starts with -----BEGIN RSA PUBLIC KEY-----.
  • Publish your public key before attempting to delegate credentials to an agent.
  • Keep your private key secure and only install it on trusted agent machines.