To configure the client to authenticate itself with an X.509 certificate, perform the following tasks:
1. Enroll a certificate for yourself.

   Example: Enrollment using ssh-cmpclient

   $ ssh-cmpclient INITIALIZE \
       -P generate://ssh2:passphrase@rsa:512/user_rsa \
       -o /home/user/.ssh2/user_rsa \
       -p 62154:ssh \
       -s 'C=FI,O=SSH,CN=user;email=user@example.org' \
       http://pki.ssh.com:8080/pkix/ \
       'C=FI, O=SSH Communications Security Corp, CN=Secure Shell Test CA'

   Remember to also define the SOCKS server (-S) before the CA URL, if required.

   For more information on the ssh-cmpclient syntax, see ssh-cmpclient-g3(1).

2. Make sure that public-key authentication is enabled in the ssh-broker-config.xml file.

   <authentication-methods>
     ...
     <authentication-method name="publickey" />
     ...
   </authentication-methods>

3. Specify the private key of your software certificate in the $HOME/.ssh2/identification file.

   CertKey private-key-path

   The certificate itself will be read from private-key-path.crt.

   With SSH Tectia Client 5.x, using the identification file is not necessary if all your keys are stored in the default directory and you allow all of them to be used for public-key and/or certificate authentication. If the identification file does not exist, the Connection Broker attempts to use each key found in the $HOME/.ssh2 directory.
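As an added example (not part of the SSH Tectia documentation or product), the following Python script cross-checks the three pieces above on a constructed $HOME/.ssh2 layout: that the publickey method is enabled in ssh-broker-config.xml, that each CertKey entry's private key and its .crt companion exist, and that the private key is not group- or world-readable. It assumes that a relative CertKey path resolves against the directory of the identification file; the key and certificate contents are placeholders.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET
def check_cert_setup(identification_path, broker_config_path):
    """Return a list of problems; an empty list means the pieces are consistent."""
    problems = []
    # ssh-broker-config.xml must list publickey among the authentication methods
    enabled = {m.get("name") for m in ET.parse(broker_config_path).iter("authentication-method")}
    if "publickey" not in enabled:
        problems.append("publickey not enabled in ssh-broker-config.xml")
    # Collect CertKey entries; relative paths are assumed to live beside the file
    base = os.path.dirname(os.path.abspath(identification_path))
    keys = []
    with open(identification_path) as fh:
        for line in fh:
            m = re.match(r"\s*CertKey\s+(\S+)", line)
            if m:
                keys.append(os.path.join(base, m.group(1)))
    if not keys:
        problems.append("no CertKey entry in identification file")
    for key in keys:
        if not os.path.isfile(key):
            problems.append(f"private key missing: {key}")
            continue
        if not os.path.isfile(key + ".crt"):  # certificate is read from <key>.crt
            problems.append(f"certificate missing: {key}.crt")
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"private key readable by group/others: {key}")
    return problems

def demo(with_cert=True, key_mode=0o600):
    """Build a constructed .ssh2 layout in a temp dir and run the check on it."""
    d = tempfile.mkdtemp()
    files = {  # constructed sample files, contents are placeholders
        "ssh-broker-config.xml": '<authentication-methods>'
            '<authentication-method name="publickey" /></authentication-methods>',
        "identification": "CertKey user_rsa\n",
        "user_rsa": "placeholder private key (constructed)\n",
    }
    if with_cert:
        files["user_rsa.crt"] = "placeholder certificate (constructed)\n"
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    os.chmod(os.path.join(d, "user_rsa"), key_mode)
    return check_cert_setup(os.path.join(d, "identification"),
                            os.path.join(d, "ssh-broker-config.xml"))
```

Running `demo()` on a complete layout returns an empty list; dropping the .crt file or loosening the key's mode produces one finding each.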