
Certificate Enrollment Using ssh-cmpclient-g3

Certificates can be enrolled using the ssh-cmpclient-g3 command-line tool (ssh-cmpclient-g3.exe on Windows).

To configure Tectia Server to authenticate itself using X.509 certificates, perform the following tasks:

  1. Enroll a certificate for the server.

    This can be done with the ssh-cmpclient-g3 command-line tool, for example:

    $ ssh-cmpclient-g3 INITIALIZE \
      -P generate://ssh2@rsa:3072/hostcert_rsa \
      -o /etc/ssh2/hostcert_rsa \
      -p 62154:ssh \
      -s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \
      http://pki.ssh.com:8080/pkix/ \
      'C=FI, O=SSH Communications Security, CN=Secure Shell Test CA'

    Note that the DNS address parameter (dns) needs to correspond to the fully qualified domain name of the server.

    Remember to also define the SOCKS server (-S) before the CA URL, if one is required to reach the CA.

    For more information on the ssh-cmpclient-g3 syntax, see ssh-cmpclient-g3(1).

  2. Define the private key and the server certificate in the ssh-server-config.xml file:

    <params>
      <hostkey>
        <private file="/etc/ssh2/hostcert_rsa" />
        <x509-certificate file="/etc/ssh2/hostcert_rsa.crt" />
      </hostkey>
    ...
    </params>

    Alternatively, when using the Tectia Server Configuration tool, enter the private key and certificate filenames on the Identity page. See Identity.

  3. Run ssh-server-ctl to take the new configuration into use. See ssh-server-ctl(8).

    On Windows, just click Apply to take the new settings into use.
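The two inputs that most often go wrong in the procedure above are the -s subject string of step 1 (the dns name must equal the server's FQDN) and the <hostkey> element of step 2 (both the private key file and the certificate file must be defined). The following pre-flight checks are an added example, not Tectia's own code; the "DN;dns=NAME" layout of the -s value and the <hostkey> element names are taken from the page, while the exact splitting rules and the sample configuration are assumptions made for illustration.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

def parse_subject(subject: str) -> tuple[dict, dict]:
    """Split an ssh-cmpclient-g3 -s value such as
    "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" into DN attributes
    and alternative names (assumed layout: DN, then ';'-separated alt names)."""
    dn_part, _, alt_part = subject.partition(";")
    dn = dict(kv.strip().split("=", 1) for kv in dn_part.split(",") if kv.strip())
    alt = dict(kv.strip().split("=", 1) for kv in alt_part.split(";") if kv.strip())
    return dn, alt

def check_subject(subject: str, server_fqdn: str) -> list[str]:
    """Return the problems that would make the enrolled host certificate
    unusable for this server; an empty list means the subject looks right."""
    dn, alt = parse_subject(subject)
    issues = []
    if "CN" not in dn:
        issues.append("subject has no CN")
    if "dns" not in alt:
        issues.append("no dns alternative name requested")
    elif alt["dns"].lower() != server_fqdn.lower():
        issues.append(f"dns={alt['dns']} does not match server FQDN {server_fqdn}")
    return issues

def hostkey_files(config_xml: str) -> list[tuple[str | None, str | None]]:
    """Return (private key file, certificate file) for every <hostkey> in an
    ssh-server-config.xml document; None marks a missing element."""
    root = ET.fromstring(config_xml)
    pairs = []
    for hk in root.iter("hostkey"):
        priv = hk.find("private")
        cert = hk.find("x509-certificate")
        pairs.append((priv.get("file") if priv is not None else None,
                      cert.get("file") if cert is not None else None))
    return pairs

# Constructed sample mirroring the <hostkey> fragment shown in step 2.
SAMPLE_CONFIG = """<params>
  <hostkey>
    <private file="/etc/ssh2/hostcert_rsa" />
    <x509-certificate file="/etc/ssh2/hostcert_rsa.crt" />
  </hostkey>
</params>"""

if __name__ == "__main__":
    print(check_subject("C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com", "testserv.ssh.com"))
    print(hostkey_files(SAMPLE_CONFIG))
```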