Examples
The following examples illustrate the use cases of ssh-cmpclient.
If there is a firewall between the client and the CA server, you may need to provide a complete SOCKS server URL in addition to the options given (for example, -S http://fw.example.com:1080).
Initial Certificate Enrollment
This example provides commands for enrolling an initial certificate for digital signature use. It generates a private key into a PKCS #8 plaintext file named initial.prv, and stores the enrolled certificate into the file initial-0.crt. The user is authenticated to the CA with the key identifier (refnum) 62154 and the key secret. The subject name and alternative IP address are given, as well as key-usage flags. The CA address is pki.example.com, the port 8080, and the CA name to access is Test CA 1.
$ ssh-cmpclient INITIALIZE \
-p 62154:secret \
-P generate://pkcs8@rsa:1024/initial \
-s 'C=FI,O=SSH,CN=Example/initial;IP=1.2.3.4' -u digitalsignature \
-o initial \
http://pki.example.com:8080/pkix/ \
'C=FI, O=SSH, CN=Test CA 1'
As a response the command presents the issued certificate to the user, and the user accepts it by typing yes at the prompt.

Certificate =
  SubjectName = <C=FI, O=SSH, CN=Example/initial>
  IssuerName = <C=FI, O=SSH, CN=Test CA 1>
  SerialNumber= 8017690
  SignatureAlgorithm = rsa-pkcs1-sha1
  Validity = ...
  PublicKeyInfo = ...
  Extensions =
    Viewing specific name types = IP = 1.2.3.4
    KeyUsage = DigitalSignature
    CRLDistributionPoints = ...
    AuthorityKeyID =
      KeyID = 3d:cb:be:20:64:49:16:1d:88:b7:98:67:93:f0:5d:42:81:2e:bd:0c
    SubjectKeyID =
      KeyId = 6c:f4:0e:ba:b9:ef:44:37:db:ad:1f:fc:46:e0:25:9f:c8:ce:cb:da
  Fingerprints =
    MD5 = b7:6d:5b:4d:e0:94:d1:1f:ec:ca:c2:ed:68:ac:bf:56
    SHA-1 = 4f:de:73:db:ff:e8:7d:42:c4:7d:e1:79:1f:20:43:71:2f:81:ff:fa
Do you accept the certificate above? yes
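Before answering yes, the user should confirm that the presented certificate matches what was requested: the subject DN and IP alternative name from -s, the key usage from -u, and the issuer named on the command line. The following added check (not part of ssh-cmpclient or its documentation) does that comparison over the printed listing; the sample listing is constructed from the output shown above, and the -s syntax 'DN;IP=a.b.c.d' is taken from the INITIALIZE example.

```python
import re

# Constructed sample input: the listing ssh-cmpclient printed in the
# INITIALIZE example, trimmed to the fields checked below.
SAMPLE_LISTING = """\
  SubjectName = <C=FI, O=SSH, CN=Example/initial>
  IssuerName = <C=FI, O=SSH, CN=Test CA 1>
  Extensions =
    Viewing specific name types = IP = 1.2.3.4
    KeyUsage = DigitalSignature
  Fingerprints =
    SHA-1 = 4f:de:73:db:ff:e8:7d:42:c4:7d:e1:79:1f:20:43:71:2f:81:ff:fa
"""

# Regexes keyed by the listing labels shown on this page.
FIELD_PATTERNS = {
    "subject": r"SubjectName\s*=\s*<([^>]*)>",
    "issuer": r"IssuerName\s*=\s*<([^>]*)>",
    "ip": r"\bIP\s*=\s*([\d.]+)",
    "keyusage": r"KeyUsage\s*=\s*(\S.*)",
    "sha1": r"SHA-1\s*=\s*([0-9a-f:]+)",
}

def normalize_dn(dn):
    """'C=FI,O=SSH' and 'C=FI, O=SSH' must compare equal: split on commas, strip each RDN."""
    return tuple(rdn.strip() for rdn in dn.strip("<> ").split(","))

def parse_subject_option(value):
    """Split an -s value 'DN;IP=a.b.c.d' into (dn, ip_or_None)."""
    dn, _, alt = value.partition(";")
    ip = alt.split("=", 1)[1].strip() if alt.strip().upper().startswith("IP=") else None
    return dn.strip(), ip

def parse_listing(text):
    """Extract the checked fields from the printed listing (None when absent)."""
    found = {name: re.search(pat, text) for name, pat in FIELD_PATTERNS.items()}
    return {name: (m.group(1).strip() if m else None) for name, m in found.items()}

def check_listing(listing, subject_opt, key_usage, ca_name):
    """Compare the presented certificate with the request; an empty list means 'yes' is safe."""
    got = parse_listing(listing)
    want_dn, want_ip = parse_subject_option(subject_opt)
    problems = []
    if normalize_dn(got["subject"] or "") != normalize_dn(want_dn):
        problems.append("subject: got %r, requested %r" % (got["subject"], want_dn))
    if normalize_dn(got["issuer"] or "") != normalize_dn(ca_name):
        problems.append("issuer: got %r, expected CA %r" % (got["issuer"], ca_name))
    if got["ip"] != want_ip:
        problems.append("IP SAN: got %r, requested %r" % (got["ip"], want_ip))
    # -u takes lowercase flag names; the listing prints them in CamelCase.
    if (got["keyusage"] or "").replace(" ", "").lower() != key_usage.replace(" ", "").lower():
        problems.append("KeyUsage: got %r, requested %r" % (got["keyusage"], key_usage))
    return problems
```

The SHA-1 fingerprint is parsed as well so it can be compared against a value obtained from the CA operator out of band.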
Key Update
Before the certificate expires, a new certificate with an updated validity period should be enrolled. ssh-cmpclient supports key update, where a new private key is generated and the key update request is authenticated with the old (still valid) certificate. The old certificate is also used as a template for issuing the new certificate, so the identity of the user will not be changed during the key update. With the following command you can update the key pair that was enrolled in the previous example. Presenting the resulting certificate has been left out.
$ ssh-cmpclient UPDATE \
-c initial-0.crt -k initial.prv \
-P generate://pkcs8@rsa:1024/updatedcert \
-o updatedcert \
http://pki.example.com:8080/pkix/ \
'C=FI, O=SSH, CN=Test CA 1'
The new key pair can be found in the files with the updatedcert prefix. The policy of the issuing CA also needs to allow automatic key updates if ssh-cmpclient is used in the UPDATE mode.
Certificate Enrollment for Private Key Stored in SAF
This example shows a command for enrolling a certificate for a private key that is stored in the user's key ring in SAF. The user is authenticated to the CA with the key identifier (refnum) 18437 and the key test. The key provider and the initialization string are given with the -Z option. The URL to the private key is given with the -P option. The certificate is stored in the file test_1024_non-icsf-0.crt. The subject name is also given (CN=Newuser). The CA address is pki.example.com, the port 8080, and the CA name to access is Test CA 1.
$ ssh-cmpclient INITIALIZE \
-p 18437:test \
-Z 'zos-saf:keys(ring(TESTUSER1))' \
-P 'zos-saf://0/TEST/TESTUSER1/TEST 1024 NON-ICSF' \
-s 'CN=Newuser' \
-o test_1024_non-icsf \
http://pki.example.com:8080/pkix/ \
'C=FI, O=SSH, CN=Test CA 1'
To get the value for the external key URL for the -P option, run ssh-ekview on the key ring, for example:

$ ssh-ekview -i "keys(ring(TESTUSER1))" zos-saf

See ssh-ekview for more information.