Examples
Obtaining the CA Certificate
In the following example we first receive the CA certificate from
the CA server.
$ ssh-scepclient GET-CA \
-o ca1 \
http://pki.example.com:8080/scep/ \
test-ca1.ssh.com
Received CA/RA certificate ca1-0.ca:
fingerprint 9b:96:51:bb:29:0d:c9:e0:75:c8:03:0d:0d:92:60:6c
Enrolling a Certificate
Next, we enroll an RSA certificate. The user is authenticated to the CA
with the pre-shared key secret (the -p option). The subject name and an
alternative IP address are given, as well as the key-usage flags.
$ ssh-scepclient ENROLL \
-P generate://pkcs8:ssh@rsa:1024/subject \
-C ca1-0.ca \
-p secret \
-s 'C=FI,O=SSH,CN=SCEP Example;IP=1.2.3.4' -u digitalsignature \
-o subject \
http://pki.example.com:8080/scep/
Received user certificate subject-0.crt:
fingerprint 4b:7e:d7:67:27:5e:e0:54:2f:5b:56:69:b5:01:d2:15
$ ls subject*
subject-0.crt subject.prv
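The fingerprint printed by GET-CA is the only thing that ties the downloaded ca1-0.ca to the real CA, so a wrapper script should compare it with a value obtained from the CA operator out of band before the file is passed to ENROLL with -C. The following POSIX sh helpers are an added example and not part of the ssh-scepclient documentation; the function names (norm_fp, extract_fp, fp_matches, verify_ca_output) and the sample output string are constructed here, and the expected fingerprint is assumed to come from the operator, never from the server itself.

```shell
#!/bin/sh
# Added example, not part of the ssh-scepclient documentation: pin the CA
# fingerprint reported by GET-CA to a value obtained out of band before
# the certificate in the -C file is trusted for ENROLL.

# Constructed sample of the GET-CA output (mirrors the output shown above).
SAMPLE_GETCA_OUTPUT='Received CA/RA certificate ca1-0.ca:
fingerprint 9b:96:51:bb:29:0d:c9:e0:75:c8:03:0d:0d:92:60:6c'

# norm_fp FP: canonical form of a fingerprint (lower case, no colons/spaces)
# so that "9B:96..." and "9b96..." compare equal.
norm_fp() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ': '
}

# extract_fp: read GET-CA output on stdin, print the first fingerprint value.
extract_fp() {
    sed -n 's/^fingerprint[[:space:]]*//p' | head -n 1
}

# fp_matches EXPECTED REPORTED: exit 0 only when both are non-empty and equal
# after normalisation; any other case (including an empty expected value) fails.
fp_matches() {
    e_norm=$(norm_fp "$1")
    r_norm=$(norm_fp "$2")
    [ -n "$e_norm" ] && [ "$e_norm" = "$r_norm" ]
}

# verify_ca_output EXPECTED_FP GETCA_OUTPUT: the check a wrapper script would
# run between GET-CA and ENROLL. Prints a verdict and returns 0 (match) or 1.
verify_ca_output() {
    reported=$(printf '%s\n' "$2" | extract_fp)
    if fp_matches "$1" "$reported"; then
        echo "CA fingerprint verified: $reported"
        return 0
    fi
    echo "CA fingerprint MISMATCH (expected $1, got ${reported:-none}); not enrolling" >&2
    return 1
}

# Usage sketch with the command lines from the documentation. CA_FP_FROM_OPERATOR
# is a hypothetical variable holding the fingerprint obtained out of band:
#   out=$(ssh-scepclient GET-CA -o ca1 http://pki.example.com:8080/scep/ test-ca1.ssh.com 2>&1)
#   verify_ca_output "$CA_FP_FROM_OPERATOR" "$out" && ssh-scepclient ENROLL -C ca1-0.ca ...
verify_ca_output "9B:96:51:BB:29:0D:C9:E0:75:C8:03:0D:0D:92:60:6C" "$SAMPLE_GETCA_OUTPUT"
```

The comparison is done on a normalised form so that a fingerprint copied from a ticket or e-mail in upper case or without colons still matches, while an empty or missing expected value is treated as a failure rather than a pass.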
Certificate Enrollment for Private Key Stored in SAF
This example shows a command for enrolling a certificate for a private
key that is stored in the user's key ring in SAF. The key provider and
its initialization string are given with the -Z option. The URL
of the private key is given with the -P option. The CA
certificate stored in the file testca1.ca is used. The subject name
is also given (CN=Testuser). The user is authenticated to the
CA with the pre-shared key test. The CA address is
pki.example.com and the port is 8080.
$ ssh-scepclient ENROLL \
-Z "zos-saf:keys(ring(TESTUSER1))" \
-P "zos-saf://0/TESTUSER1/TEST/'TEST 1024 NON-ICSF'" \
-C testca1.ca \
-s 'CN=Testuser' \
-p test \
http://pki.example.com:8080/scep/
To get the value for the external key URL for the -P option,
run ssh-ekview on the key ring, for example:
ssh-ekview -i "keys(ring(TESTUSER1))" zos-saf
See ssh-ekview for more information.