Examples
The following ssh-cmpclient examples use pki.ssh.com (http://pki.ssh.com/), a free test PKI interoperability site maintained by SSH Communications Security. You can try the commands "as is" for enrolling certificates for your server. If you are behind a company firewall, you may need to provide a complete SOCKS server URL to ssh-cmpclient with the -S option (for example, -S http://fw.yourdomain.com:1080).
Initial Certificate Enrollment
This example provides commands for enrolling an initial certificate for digital signature use from the pki.ssh.com interoperability site. It generates a private key into a PKCS #8 plaintext file named initial.prv, and stores the enrolled certificate in the file initial-0.crt. The user is authenticated to the CA with the key identifier (refnum) 62154 and the key ssh. The subject name and alternative IP address are given, as well as key-usage flags. The CA address is pki.ssh.com, the port is 8080, and the CA name to access is Test CA 1.
$ ssh-cmpclient INITIALIZE \
-P generate://pkcs8@rsa:1024/initial -o initial \
-p 62154:ssh \
-s 'C=FI,O=SSH,CN=Example/initial;IP=1.2.3.4' \
-u digitalsignature \
http://pki.ssh.com:8080/pkix/ \
'C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'
In response, the command presents the issued certificate to the user, and the user accepts it by typing yes at the prompt.
Certificate =
SubjectName = <C=FI, O=SSH, CN=Example/initial>
IssuerName = <C=FI, O=SSH Communications Security Corp,
CN=SSH Test CA 1 No Liabilities>
SerialNumber= 8017690
SignatureAlgorithm = rsa-pkcs1-sha1
Validity = ...
PublicKeyInfo = ...
Extensions =
Viewing specific name types = IP = 1.2.3.4
KeyUsage = DigitalSignature
CRLDistributionPoints = ...
AuthorityKeyID =
KeyID = 3d:cb:be:20:64:49:16:1d:88:b7:98:67:93:f0:5d:42:81:2e:bd:0c
SubjectKeyID =
KeyId = 6c:f4:0e:ba:b9:ef:44:37:db:ad:1f:fc:46:e0:25:9f:c8:ce:cb:da
Fingerprints =
MD5 = b7:6d:5b:4d:e0:94:d1:1f:ec:ca:c2:ed:68:ac:bf:56
SHA-1 = 4f:de:73:db:ff:e8:7d:42:c4:7d:e1:79:1f:20:43:71:2f:81:ff:fa
Do you accept the certificate above? yes
Key Update
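Before answering yes at the prompt, compare the presented IssuerName, SubjectName and AuthorityKeyID with values obtained from the CA out of band; accepting on the strength of the prompt alone would also accept a certificate issued by a CA that merely reached the same address. The following POSIX shell script is an added example, not part of ssh-cmpclient or the Tectia documentation: it parses a certificate block in the format shown above (the sample block is constructed from that output) and compares it with expected values. The function names cert_field and check_presented_cert and the EXPECTED_* variables are this example's own.

```shell
#!/bin/sh
# Added example (not ssh-cmpclient code): check the certificate block that
# ssh-cmpclient presents before the "Do you accept the certificate above?"
# prompt against values the operator already trusts.

# Expected values, as obtained from the CA out of band (here: the values
# shown in the enrollment example).
EXPECTED_ISSUER='C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'
EXPECTED_SUBJECT='C=FI, O=SSH, CN=Example/initial'
EXPECTED_AKID='3d:cb:be:20:64:49:16:1d:88:b7:98:67:93:f0:5d:42:81:2e:bd:0c'

# Constructed sample of the presented block (IssuerName wraps onto two lines,
# exactly as in the output above).
SAMPLE_CERT=$(cat <<'EOF'
Certificate =
  SubjectName = <C=FI, O=SSH, CN=Example/initial>
  IssuerName = <C=FI, O=SSH Communications Security Corp,
                CN=SSH Test CA 1 No Liabilities>
  SerialNumber= 8017690
  SignatureAlgorithm = rsa-pkcs1-sha1
  Extensions =
    KeyUsage = DigitalSignature
    AuthorityKeyID =
      KeyID = 3d:cb:be:20:64:49:16:1d:88:b7:98:67:93:f0:5d:42:81:2e:bd:0c
    SubjectKeyID =
      KeyId = 6c:f4:0e:ba:b9:ef:44:37:db:ad:1f:fc:46:e0:25:9f:c8:ce:cb:da
EOF
)

# cert_field NAME TEXT: print the value of the "NAME = ..." line in TEXT.
# A value enclosed in <...> may continue on following lines until the
# closing ">"; continuation lines are joined with a single space.
cert_field() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $0 ~ ("^[ \t]*" name "[ \t]*=") { inside = 1; val = "" }
        inside {
            line = $0
            sub(/^[ \t]+/, "", line)
            val = (val == "") ? line : val " " line
            # done unless the value is bracketed and the bracket is still open
            if (val !~ /=[ \t]*</ || val ~ />[ \t]*$/) { print val; exit }
        }' | sed 's/^[^=]*=[ \t]*//; s/^<//; s/>[ \t]*$//'
}

# check_presented_cert TEXT: succeed only if issuer, subject and authority
# key identifier all match the expected values.
check_presented_cert() {
    text="$1"
    [ "$(cert_field IssuerName "$text")" = "$EXPECTED_ISSUER" ] \
        || { echo "IssuerName mismatch" >&2; return 1; }
    [ "$(cert_field SubjectName "$text")" = "$EXPECTED_SUBJECT" ] \
        || { echo "SubjectName mismatch" >&2; return 1; }
    [ "$(cert_field KeyID "$text")" = "$EXPECTED_AKID" ] \
        || { echo "AuthorityKeyID mismatch" >&2; return 1; }
    return 0
}

if check_presented_cert "$SAMPLE_CERT"; then
    echo "presented certificate matches expectations; answering yes is justified"
fi
```

In practice the block is captured from the ssh-cmpclient session (for example with script or tee) and the prompt is answered only after check_presented_cert succeeds; the field parser deliberately matches KeyID (the AuthorityKeyID entry) and not KeyId (the SubjectKeyID entry), since it is the issuing key that must be recognised.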
Before the certificate expires, a new certificate with an updated validity period should be enrolled. ssh-cmpclient supports key update, where a new private key is generated and the key update request is authenticated with the old (still valid) certificate. The old certificate is also used as a template for issuing the new certificate, so the identity of the user does not change during the key update. With the following command you can update the key pair that was enrolled in the previous example. The display of the resulting certificate has been left out.
$ ssh-cmpclient UPDATE \
-k initial.prv -c initial-0.crt -P \
generate://pkcs8@rsa:1024/updatedcert -o updatedcert \
http://pki.ssh.com:8080/pkix/ \
"C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities"
The new key pair can be found in the files with the updatedcert prefix. The issuing CA's policy must also allow automatic key updates if ssh-cmpclient is used in UPDATE mode. The pki.ssh.com test site, powered by SSH Tectia Certifier, is configured to allow automatic update of keys based on certificates issued earlier.