To configure the client to authenticate itself with an X.509 certificate, perform the following tasks:
Enroll a certificate for yourself.
Example: Enrollment using ssh-cmpclient-g3:

$ ssh-cmpclient-g3 INITIALIZE -P generate://ssh2:passphrase@rsa:512/user_rsa -o /home/user/.ssh2/user_rsa -p 62154:ssh -s 'C=FI,O=SSH,CN=user;email=user@example.org' http://pki.ssh.com:8080/pkix/ 'C=FI, O=SSH Communications Security Corp, CN=Secure Shell Test CA'

The 512-bit RSA key in this example is for illustration only; for any real enrollment use at least a 2048-bit key (rsa:2048). Remember also to define the SOCKS server (-S) before the CA URL, if required.
For more information on the ssh-cmpclient-g3 syntax, see ssh-cmpclient-g3(1).
(Optional) Create an identification file.

Specify the private key of your software certificate in the $HOME/.ssh2/identification file (the CertKey keyword is used in the same way as the IdKey keyword):

CertKey user_rsa

The certificate itself will be read from user_rsa.crt, in the same directory as the private key.

For more information on the syntax of the identification file, see $HOME/.ssh2/identification.
Place your keys and certificates in a directory where the Connection Broker can locate them.

With SSH Tectia Client 5.x, using the identification file is not necessary if all your keys are stored in the default directory and you allow all of them to be used for public-key and/or certificate authentication. If the identification file does not exist, the Connection Broker attempts to use each key found in the $HOME/.ssh2 directory. If the identification file exists, the keys listed in it are attempted first.

You can also use the key-store element in the ssh-broker-config.xml file for defining locations for keys and certificates. See the section called "Key Store Configuration Examples".
Make sure that public-key authentication is enabled in the ssh-broker-config.xml file:

<authentication-methods>
  <authentication-method name="publickey" />
  ...
</authentication-methods>
Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.