SSH

Certificate Validation

On the Certificate Validation page, you can configure the certification authorities (CAs) whose certificates are trusted for user authentication, and how the certificates they issue are validated (proxies, LDAP servers, OCSP responders and CRL handling).


Figure 4.17. Tectia Server Configuration - Certificate Validation page


Generic Settings

Generic settings apply to all CA certificates and CRL fetching.

HTTP proxy URL

Define an HTTP proxy URL if one is required for making the LDAP or OCSP queries used in certificate validation.

The format of the URL is as follows:

http://username@proxy_server:port/network/netmask,network/netmask ...

The HTTP proxy address is given first, followed by a comma-separated list of the networks that are reached directly, bypassing the proxy.

SOCKS server URL

Define a SOCKS server URL if one is required for making LDAP or OCSP queries for certificate validity.

The format of the URL is as follows:

socks://username@socks_server:port/network/netmask,network/netmask ...

The SOCKS server address is given first, followed by a comma-separated list of the networks that are reached directly, bypassing the SOCKS server.
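The HTTP proxy and SOCKS URLs above share one layout: the proxy endpoint, then a list of networks that bypass it. The following Python is an example added to this page (it is not Tectia Server code) that parses that layout and decides, for a destination address, whether an LDAP or OCSP request would go direct or through the proxy. It assumes the destination host name has already been resolved to an IP address so that it runs offline; the host names in the sample URL are placeholders.

```python
"""Parse a Tectia-style proxy URL and decide, for a given destination
address, whether an LDAP/OCSP request goes direct or through the proxy.

Illustrative code added to this page; it is not Tectia Server code.
Format documented above:
    http://username@proxy_server:port/network/netmask,network/netmask ...
    socks://username@socks_server:port/network/netmask,network/netmask ...
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class ProxySetting:
    scheme: str                 # "http" or "socks"
    host: str
    port: int
    username: Optional[str]
    direct: List[object] = field(default_factory=list)   # ip_network objects


def parse_proxy_url(url: str) -> ProxySetting:
    """Split the proxy address from the comma-separated list of networks
    that bypass the proxy (the list lives in the URL path)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "socks"):
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname or parts.port is None:
        raise ValueError("proxy URL must give both host and port")
    nets = []
    for item in parts.path.lstrip("/").split(","):
        item = item.strip()
        if not item:
            continue
        # ip_network accepts "10.0.0.0/8" as well as "10.0.0.0/255.0.0.0";
        # strict=False tolerates host bits set in the network part.
        nets.append(ipaddress.ip_network(item, strict=False))
    return ProxySetting(parts.scheme, parts.hostname, parts.port,
                        parts.username, nets)


def route_for(setting: ProxySetting, destination_ip: str) -> str:
    """Return 'direct' when the destination lies in a bypass network,
    otherwise the proxy endpoint the request would be sent through.

    Assumption: the LDAP/OCSP host name has already been resolved to an
    address; this example takes the address so it runs offline."""
    addr = ipaddress.ip_address(destination_ip)
    for net in setting.direct:
        if addr.version == net.version and addr in net:
            return "direct"
    return f"{setting.scheme}://{setting.host}:{setting.port}"


if __name__ == "__main__":
    # Placeholder proxy and networks, constructed for this example.
    cfg = parse_proxy_url(
        "http://proxyuser@proxy.example.com:8080/10.0.0.0/8,192.168.1.0/255.255.255.0")
    for dst in ("10.20.30.40", "192.168.1.77", "192.168.2.1"):
        print(dst, "->", route_for(cfg, dst))
```

When you configure a bypass list, keep it to the networks where your LDAP servers and OCSP responders actually live; a destination outside the list silently goes through the proxy, so an overly broad list is how validation traffic ends up leaving the network path you intended.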

Certificate cache file

Select the check box to enable certificate caching.

Click the Browse button to select the cache file where the certificates and CRLs are stored when the Tectia Server service is stopped, and read back in when the service is restarted. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and file name directly into the text field.

CRL auto update

Select the check box to enable automatic updating of certificate revocation lists.

When auto update is on, Tectia Server periodically tries to download a new CRL before the current one expires. The Update before field specifies how many seconds before the expiration the update is attempted. The Minimum interval field sets the shortest allowed time between two update attempts, that is, it caps the update frequency. The default minimum interval is 30 seconds.

Enforce digital signature in key usage

One of the compliance requirements of the US Department of Defense Public-Key Infrastructure (DoD PKI) is that the Digital Signature bit is set in the Key Usage extension of the certificate. To enforce this requirement, so that a user certificate whose Key Usage lacks the Digital Signature bit is rejected, select this check box.
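To see what the check above actually inspects, the following Python is an example added to this page (not Tectia Server code) that decodes the DER BIT STRING value of an X.509 KeyUsage extension and reports whether the digitalSignature bit is set. The three sample values are constructed for the example; the bit names and numbering are those of RFC 5280 section 4.2.1.3.

```python
"""Decode an X.509 KeyUsage extension value (DER BIT STRING) and check
for the digitalSignature bit. Illustrative code added to this page; it is
not part of Tectia Server.

KeyUsage ::= BIT STRING { digitalSignature(0), nonRepudiation(1),
    keyEncipherment(2), dataEncipherment(3), keyAgreement(4),
    keyCertSign(5), cRLSign(6), encipherOnly(7), decipherOnly(8) }
"""
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

# Constructed sample extension values (tag 0x03, length, unused-bits, bits).
SAMPLE_USER_KU = bytes.fromhex("030205a0")      # digitalSignature, keyEncipherment
SAMPLE_ENCRYPT_ONLY_KU = bytes.fromhex("03020520")  # keyEncipherment only
SAMPLE_CA_KU = bytes.fromhex("03020106")        # keyCertSign, cRLSign


def decode_key_usage(der: bytes) -> set:
    """Return the set of named bits set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("invalid unused-bits count")
    nbits = len(body) * 8 - unused
    names = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first content byte (X.690 8.6.2).
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def has_digital_signature(der: bytes) -> bool:
    """The check 'Enforce digital signature in key usage' amounts to this test."""
    return "digitalSignature" in decode_key_usage(der)


if __name__ == "__main__":
    for label, value in (("user", SAMPLE_USER_KU),
                         ("encrypt-only", SAMPLE_ENCRYPT_ONLY_KU),
                         ("ca", SAMPLE_CA_KU)):
        print(label, sorted(decode_key_usage(value)),
              "digitalSignature" if has_digital_signature(value) else "REJECT")
```

If you have the `cryptography` package available, the same question on a loaded certificate is `cert.extensions.get_extension_for_class(x509.KeyUsage).value.digital_signature`; the hand-rolled decoder above is only there to show which bytes the setting is judging. Note that a certificate with no KeyUsage extension at all cannot satisfy the check, so enabling it also rejects such certificates.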

LDAP Servers

On the LDAP Servers tab, you can define LDAP servers that are used for fetching certificate revocation lists (CRLs) and/or subordinate CA certificates based on the issuer name of the certificate being validated.

If a CRL distribution point is defined in the certificate, the CRL is automatically retrieved from that address.

To add an LDAP server, click Add. The LDAP Server dialog box opens. Enter the Address and Port of the server and click OK. The default port is 389.

To edit an LDAP server, select the server from the list and click Edit.

To delete an LDAP server, select the server from the list and click Delete.

OCSP Responders

On the OCSP Responders tab, you can define OCSP responder servers that are used for Online Certificate Status Protocol queries.

For the OCSP validation to succeed, both the end-entity certificate and the OCSP responder certificate must be issued by the same CA. If the certificate has an Authority Info Access extension with an OCSP Responder URL, that URL is used only when no OCSP responders have been configured; as soon as any responder is configured here, the URL carried in the certificate is ignored.

To add an OCSP responder, click Add. The OCSP Responder dialog box opens. Enter the URL of the server. Optionally, you can also enter a Validity period in seconds for the OCSP data. During this time, new OCSP queries for the same certificate are not made but the old result is used. Click OK when finished.

If an OCSP responder is defined in the configuration file or in the certificate, it is tried first. Traditional CRL checking is tried only if the OCSP query fails, and if the CRL check also fails, the certificate validation returns a failure.
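The two paragraphs above fix an order of precedence: configured responders win over the responder named in the certificate, a cached OCSP answer is reused for the validity period, and CRL checking is only a fallback for a failed OCSP query. The following Python models that order as an example added to this page; it is not Tectia Server logic, and the OCSP and CRL lookups are callbacks supplied by the caller so the code runs offline. The responder URLs are placeholders.

```python
"""Model the revocation-check order described on this page:
configured OCSP responders (or the certificate's AIA responder only when
none are configured), then CRL, then failure, with a per-certificate
cache of OCSP answers for the configured validity period.

Illustrative code added to this page; not Tectia Server logic.
"""
from typing import Callable, Dict, List, Optional, Tuple

Status = Optional[str]   # "good", "revoked", or None when the lookup failed


class RevocationChecker:
    def __init__(self, configured_responders: List[str], ocsp_validity: int,
                 query_ocsp: Callable[[str, str], Status],
                 fetch_crl_status: Callable[[str], Status]):
        self.responders = list(configured_responders)
        self.validity = ocsp_validity            # seconds an OCSP answer is reused
        self.query_ocsp = query_ocsp             # (responder_url, cert_id) -> Status
        self.fetch_crl_status = fetch_crl_status # cert_id -> Status
        self.cache: Dict[str, Tuple[str, float]] = {}   # cert_id -> (status, time)

    def responders_for(self, aia_url: Optional[str]) -> List[str]:
        """The AIA responder from the certificate is consulted only when
        nothing is configured; otherwise it is ignored entirely."""
        if self.responders:
            return self.responders
        return [aia_url] if aia_url else []

    def check(self, cert_id: str, aia_url: Optional[str], now: float) -> Tuple[str, str]:
        """Return (status, source). Source tells which step decided."""
        cached = self.cache.get(cert_id)
        if cached and now - cached[1] < self.validity:
            return cached[0], "ocsp-cache"
        for url in self.responders_for(aia_url):
            status = self.query_ocsp(url, cert_id)
            if status is not None:            # a definitive answer ends the search
                self.cache[cert_id] = (status, now)
                return status, f"ocsp:{url}"
        status = self.fetch_crl_status(cert_id)   # fallback: CRL
        if status is not None:
            return status, "crl"
        return "fail", "none"                      # no source could answer


if __name__ == "__main__":
    # Constructed responders: the configured one answers, the AIA one never gets asked.
    def fake_ocsp(url: str, cert_id: str) -> Status:
        return "good" if url == "http://ocsp.example.com" else None

    checker = RevocationChecker(["http://ocsp.example.com"], 300,
                                fake_ocsp, lambda cert_id: "revoked")
    print(checker.check("cert-1", "http://untrusted.example/ocsp", now=1000.0))
    print(checker.check("cert-1", None, now=1200.0))   # served from cache
```

The point worth keeping in mind is the first branch of `responders_for`: once any responder is configured, a certificate cannot steer validation to a responder of its issuer's (or an attacker's) choosing through its AIA extension. The cache also means a certificate revoked during the validity period keeps validating until the cached answer ages out, so choose that period with the revocation latency you can tolerate.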

To edit an OCSP responder, select the responder from the list and click Edit.

To delete an OCSP responder, select the responder from the list and click Delete.

CRL Prefetch

On the CRL Prefetch tab, you can define addresses from which CRLs are periodically downloaded.

To add a CRL prefetch address, click Add. The CRL Prefetch dialog box opens. Enter the Interval how often the CRL is downloaded and the URL of the CRL distribution point and click OK. The default download interval is 3600 (seconds).

The URL can be either a standard format LDAP or HTTP URL, or it can refer to a local file. The file must contain the CRL either as binary DER or as base64 (base64-encoded DER without the PEM BEGIN/END header and footer lines); PEM is not supported. Enter the file URL in this format:

file:///absolute/path/name
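Because a PEM-armored CRL is the form most tools produce by default, it is easy to point a file: URL at a file Tectia Server will not accept. The following Python is an example added to this page (not Tectia Server code) that tells the three encodings apart and converts a PEM or bare-base64 CRL to the binary DER form. The sample CRL bytes are a constructed DER SEQUENCE, not a real CRL, so that the example runs offline.

```python
"""Detect whether a CRL file is DER, PEM or bare base64, and convert it to
binary DER for use behind a file:///absolute/path/name prefetch URL.

Illustrative code added to this page; it is not Tectia Server code.
"""
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)

# Constructed sample: SEQUENCE { INTEGER 1, INTEGER 2 }. Not a real CRL, but it
# starts with the SEQUENCE tag (0x30) like every DER-encoded CRL does.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER) + b"\n"
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END X509 CRL-----\n")


def _b64decode_strict(text: bytes) -> bytes:
    # Remove line breaks first; validate=True then rejects any stray character.
    return base64.b64decode(b"".join(text.split()), validate=True)


def detect_crl_encoding(data: bytes) -> str:
    """Return 'der', 'pem' or 'base64'; raise ValueError for anything else.

    A DER CRL begins with the SEQUENCE tag 0x30. That byte is ASCII '0', but
    the base64 encoding of any DER SEQUENCE starts with 'M' and PEM starts
    with '-', so a genuine CRL in either text form cannot be mistaken for DER.
    """
    if data[:1] == b"\x30":
        return "der"
    if PEM_RE.search(data):
        return "pem"
    try:
        decoded = _b64decode_strict(data)
    except binascii.Error:
        raise ValueError("file is not DER, PEM or bare base64")
    if decoded[:1] != b"\x30":
        raise ValueError("base64 payload does not decode to a DER SEQUENCE")
    return "base64"


def to_der(data: bytes) -> bytes:
    """Return the CRL as binary DER, whatever accepted or PEM form it came in."""
    kind = detect_crl_encoding(data)
    if kind == "der":
        return data
    if kind == "pem":
        return _b64decode_strict(PEM_RE.search(data).group(1))
    return _b64decode_strict(data)


def convert_file_to_der(src_path: str, dst_path: str) -> str:
    """Rewrite src_path as binary DER at dst_path; returns the detected input encoding."""
    with open(src_path, "rb") as f:
        data = f.read()
    kind = detect_crl_encoding(data)
    with open(dst_path, "wb") as f:
        f.write(to_der(data))
    return kind


if __name__ == "__main__":
    for label, blob in (("der", SAMPLE_DER), ("pem", SAMPLE_PEM), ("base64", SAMPLE_B64)):
        print(label, "->", detect_crl_encoding(blob), to_der(blob) == SAMPLE_DER)
```

With OpenSSL the conversion of a real CRL is `openssl crl -in crl.pem -outform DER -out crl.der`; the Python above is useful mainly as a pre-check in a script that stages CRL files for the prefetch directory.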

To edit a CRL prefetch address, select the address from the list and click Edit.

To delete a CRL prefetch address, select the address from the list and click Delete.

CA Certificates

On the CA Certificates tab, you can define the CA certificates that are trusted for user authentication, as well as intermediate CA certificates.

To add a CA certificate:

  1. Click Add. The CA Certificate dialog box opens.


    Figure 4.18. Editing CA certificate settings


  2. Enter the Name of the CA. The CA Name can be referred to in the selectors on the Authentication page. See Authentication.

  3. Click the Browse button on the right-hand side of the text field to locate a CA certificate file. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and file name directly in the text field.

    Click the View button to display the currently selected CA certificate.

  4. If the Trusted CA check box is selected (it is by default), the CA certificate is set as a trust anchor and is trusted explicitly. No revocation checks are performed on the CA certificate itself (only its validity period is checked), and it is the end point of the validation path, meaning that no CA above it in the PKI hierarchy affects the validation.

    If the Trusted CA check box is cleared, the CA will be considered an intermediate CA. At least one trusted CA certificate is required for a working PKI setting.

  5. You can optionally select the Disable CRLs check box to stop using the certificate revocation list. This option should be used for testing purposes only!

    Under Use expired CRLs, you can specify how long (in seconds) after its expiration a CRL is still accepted. Any value above zero extends the window in which a revoked certificate can still authenticate, so keep it as short as your CRL refresh schedule allows.

    Click OK when finished.

To edit a CA, select the CA from the CA Certificates list and click Edit.

To remove a CA from the CA Certificates list, select the CA and click Delete.

OpenSSH CA Keys

On the OpenSSH CA Keys tab, you can define the OpenSSH CA keys that are trusted for user authentication.

To add an OpenSSH CA key, click the Add button and provide a name for the list entry and the path to the CA public key file.

To edit an OpenSSH CA key entry, select an entry from the list, and click the Edit button.

To delete an OpenSSH CA key entry, select an entry from the list, and click the Delete button.