The default ssh_certd_config configuration file is shown below. For descriptions of the configuration options, see ssh_certd_config

## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
## ssh_certd_config
## &fullname; - Certificate Validator Configuration File ##

UseSSHD2ConfigFile                      sshd2_config

## General

#       VerboseMode                no
#       QuietMode                  no
#       SyslogFacility             AUTH
#       RandomSeedFile             /opt/tectia/etc/random_seed

## Certificate configuration

#       CertCacheFile              /var/spool/ssh-certd-cache
#       SocksServer                socks://mylogin@socks.example.com:1080
#       UseSocks5                  no
#       OCSPResponderURL           http://example.com:8090/ocsp-1/
#       LdapServers                ldap://example.com:389

## X.509 certificate of the root CA which is trusted when validating
#  user certificates.

#       Pki                        ca-certificate,use_expired_crls=3600
#       PkiDisableCrls             no
#       Mapfile                    ca-certificate.mapfile

## External key provider for fetching root CA X.509 certificates
#  from RACF or equivalent. The certificates found from the specified
#  ring(s)/label(s) are trusted when validating user certificates.

#       PkiEkProvider              "zos-saf:KEYS(ID(SSHD2) RING(SSH-PKI))"
#       PkiDisableCrls             no
#       Mapfile                    ca-certificate.mapfile

## External key provider for fetching root CA X.509 certificates
#  from RACF or equivalent. The certificates found from the specified
#  ring(s)/label(s) are trusted when validating remote host certificates
#  in hostbased user authentications.

#       HostCAEkProvider           "zos-saf:KEYS(ID(SSHD2) RING(SSH-HOSTCA))"

## CRL autoupdate

#       CrlAutoUpdate              yes,update_before=30,min_interval=30

## CRL manual update

#       CrlPrefetch                3600 ldap://example.com/