Specifications
Using Certificates with the Xcel SSL Accelerator Card
Equalizer Installation and Administration Guide 181
If your Equalizer has an Xcel SSL Accelerator Card installed, a check box labelled use secure key
storage will appear on the install SSL certificate screen, as shown below.
Checking this box tells Equalizer to store your private key in write-only memory on the Xcel card
so that no one can access it.
Caution – If you do not check this box (or you do not have an Xcel card), your key is kept on
Equalizer (in the directory /var/eq/ssl) and will be accessible to anyone who can log into
Equalizer. It is therefore essential that you restrict the ability of non-authorized personnel to
access Equalizer, since any user can log in and copy or remove your private key. All Equalizer
logins should be password protected with non-trivial passwords to restrict access to your private
keys, and passwords should be given only to trusted personnel.
The Xcel card provides 128 kilobits of memory for private keys. This will hold up to 32 four-kilobit
(4096-bit) keys, 64 two-kilobit (2048-bit) keys, or 128 one-kilobit (1024-bit) keys. The key length
used for private keys to be stored on an older Xcel I card must be a multiple of 8.
Note that if you install the Xcel card in an Equalizer that already has HTTPS clusters with
certificates defined, you must delete the HTTPS clusters and add them again in order to store the
private keys in secure key storage (SKS) on the Xcel card.
Clearing Secure Key Storage
Over time, it is possible for the SKS memory on Xcel to become full. When SKS is full, the
following error is returned when you try to add another key (or replace an existing key):
Call to 'cert2sks' failed.
Error initializing RSA material
Using stdin
Could not allocate RSA key (N8_NO_MORE_RESOURCE).
Died at /usr/local/sbin/cert2sks line 286.
When this happens, you can do one of two things: