To configure the client to authenticate itself with an X.509 certificate, perform the following tasks:
Example: Key generation and enrollment using ssh-cmpclient-g3:

$ ssh-cmpclient-g3 INITIALIZE \
    -P generate://ssh2:passphrase@rsa:2048/user_rsa \
    -o /home/user/.ssh2/user_rsa \
    -p 62154:ssh \
    -s 'C=FI,O=SSH,CN=user;firstname.lastname@example.org' \
    -S http://fw.example.com:1080 \
    http://pki.example.com:8080/pkix/ \
    'C=FI, O=SSH, CN=Test CA 1'
Place your keys and certificates in a directory where the Connection Broker can locate them. By default, the Connection Broker attempts to use each key found in the directory on Unix, or in the %APPDATA%\SSH\UserCertificates directories on Windows.

You can also add other directory locations for keys on the Keys and Certificates page of the Tectia Connections Configuration tool. See Managing Keys and Certificates. On Unix, you can use the general/key-stores/key-store element in the ssh-broker-config.xml file. See the section called “Key Store Configuration Examples”.
(Optional) Create an identification file. The identification file is not necessary if all your keys are stored in the default directory and you allow all of them to be used for public-key and/or certificate authentication. If the identification file does not exist, the Connection Broker attempts to use each key found in the default directory. If the identification file exists, the keys listed in it are attempted
Specify the private key of your software certificate in the
$HOME/.ssh2/identification file (the
option works identically with the
The certificate itself will be read from
For more information on the syntax of the identification file, see
Make sure that public-key authentication is enabled in the ssh-broker-config.xml file (it is enabled by default):

<authentication-methods>
  <auth-publickey />
  ...
</authentication-methods>
Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.
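As an added check (not part of the Tectia documentation or product), the script below parses a constructed ssh-broker-config.xml fragment and reports whether auth-publickey is enabled, whether a general/key-stores/key-store element is present, and whether a more interactive method is listed before a less interactive one. Only <auth-publickey /> and the key-store element path come from the text above; the root element, the default-settings wrapper, the other method names and the interactivity ranking are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of ssh-broker-config.xml (not from a real deployment).
# Root element, default-settings wrapper and key-store attributes are assumed for illustration.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<secsh-broker version="1.0">
  <general>
    <key-stores>
      <key-store type="software" init="directory(/home/user/.ssh2)" />
    </key-stores>
  </general>
  <default-settings>
    <authentication-methods>
      <auth-password />
      <auth-publickey />
      <auth-keyboard-interactive />
    </authentication-methods>
  </default-settings>
</secsh-broker>
"""

# Assumed ranking: lower number = less interactive; unknown methods are treated as rank 1.
INTERACTIVITY = {
    "auth-publickey": 0, "auth-gssapi": 0, "auth-hostbased": 0,
    "auth-password": 1, "auth-keyboard-interactive": 2,
}


def auth_methods(xml_text):
    """Return the method element names of the first <authentication-methods> block, in order."""
    block = ET.fromstring(xml_text).find(".//authentication-methods")
    return [] if block is None else [child.tag for child in block]


def check_config(xml_text):
    """Return a list of findings; an empty list means the config matches the guidance above."""
    findings = []
    if ET.fromstring(xml_text).find("general/key-stores/key-store") is None:
        findings.append("no general/key-stores/key-store element: only the default directory is searched")
    methods = auth_methods(xml_text)
    if "auth-publickey" not in methods:
        findings.append("auth-publickey is not listed in authentication-methods")
    ranks = [INTERACTIVITY.get(m, 1) for m in methods]
    for i in range(1, len(ranks)):
        if ranks[i] < ranks[i - 1]:  # a less interactive method follows a more interactive one
            findings.append(f"{methods[i]} is less interactive than {methods[i - 1]} but listed after it")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["config OK"]:
        print(finding)
```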