To configure the client to authenticate itself with an X.509 certificate, perform the following tasks:
Enroll a certificate for yourself. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools.
Example: Key generation and enrollment using ssh-cmpclient-g3:
$ ssh-cmpclient-g3 INITIALIZE -P generate://ssh2:passphrase@rsa:1536/user_rsa \
    -o /home/user/.ssh2/user_rsa -p 62154:ssh \
    -s 'C=FI,O=SSH,CN=user;email=user@example.org' \
    -S http://fw.example.com:1080 http://pki.example.com:8080/pkix/ \
    'C=FI, O=SSH, CN=Test CA 1'
Place your keys and certificates in a directory where the Connection Broker can locate them.
By default, the Connection Broker attempts to use each key found in the $HOME/.ssh2 directory on Unix, or in the %APPDATA%\SSH\UserKeys and %APPDATA%\SSH\UserCertificates directories on Windows. You can also add other directory locations for keys on the Keys and Certificates page of the Tectia Connections Configuration tool. See Managing Keys and Certificates. On Unix, you can use the general/key-stores/key-store element in the ssh-broker-config.xml file. See the section called “Key Store Configuration Examples”.
(Optional) Create an identification file.
Using the identification file is not necessary if all your keys are stored in the default directory and you allow all of them to be used for public-key and/or certificate authentication. If the identification file does not exist, the Connection Broker attempts to use each key found in the default directory. If the identification file exists, the keys listed in it are attempted first.
Specify the private key of your software certificate in the $HOME/.ssh2/identification file (the CertKey option works identically with the IdKey option):
CertKey user_rsa
The certificate itself will be read from user_rsa.crt.
For more information on the syntax of the identification file, see $HOME/.ssh2/identification.
Make sure that public-key authentication is enabled in the ssh-broker-config.xml file (it is enabled by default).
<authentication-methods>
  <auth-publickey />
  ...
</authentication-methods>
Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.
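The following shell script is an added example and is not part of the Tectia documentation or the Tectia tools; it checks the client-side pieces that steps 2 and 3 above rely on before a connection is attempted. It assumes the Unix layout described above: keys kept in one directory ($HOME/.ssh2 by default), an identification file made of "IdKey <name>" or "CertKey <name>" lines, and a CertKey's certificate stored beside the key as <name>.crt. The function names (key_is_private, check_identification, demo) are the example's own, and the files demo creates are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not Tectia's own code: verify that every key named in an
# identification file exists, is not readable by group/others, and (for
# CertKey entries) has its certificate beside it as <name>.crt.

# Succeed only if the file's group and other permission bits are all clear
# (e.g. -rw-------). Uses ls/cut so it works without GNU or BSD stat flags.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_identification <key-dir> <identification-file>
# Prints one line per problem found and returns 1 if there was any; returns 0
# when every referenced key (and certificate) is present with safe permissions.
check_identification() {
    dir=$1
    ident=$2
    status=0
    if [ ! -f "$ident" ]; then
        echo "identification file not found: $ident"
        return 1
    fi
    while read -r opt name _rest; do
        case $opt in
            ''|'#'*) continue ;;      # blank line or comment
            IdKey|CertKey) ;;         # the two options discussed above
            *) continue ;;            # other options are not checked here
        esac
        key="$dir/$name"
        if [ ! -f "$key" ]; then
            echo "$opt $name: private key not found at $key"
            status=1
        elif ! key_is_private "$key"; then
            echo "$opt $name: private key is readable by group/others"
            status=1
        fi
        if [ "$opt" = CertKey ] && [ ! -f "$key.crt" ]; then
            echo "CertKey $name: certificate not found at $key.crt"
            status=1
        fi
    done < "$ident"
    return $status
}

# demo: build a constructed key directory and identification file in a
# temporary location, run the check, clean up, and return the check's result.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed private key placeholder\n' > "$tmp/user_rsa"
    printf 'constructed certificate placeholder\n' > "$tmp/user_rsa.crt"
    chmod 600 "$tmp/user_rsa"
    printf '# constructed identification file\nCertKey user_rsa\n' > "$tmp/identification"
    check_identification "$tmp" "$tmp/identification"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run: exercise the constructed fixture. To check a real client
# setup instead, call: check_identification "$HOME/.ssh2" "$HOME/.ssh2/identification"
demo && echo "constructed setup passes the checks"
```

The check is deliberately conservative: a private key that other local accounts can read is reported even though the Connection Broker may still load it, because that is the defect most likely to turn a working login into a credential leak. The script does not parse ssh-broker-config.xml; confirm the <auth-publickey /> element there by hand.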