Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools.

Note that the DNS address extension (dns) in the certificate needs to correspond to the fully qualified domain name of the server.

Example: Key generation and enrollment using ssh-cmpclient-g3:

# ssh-cmpclient-g3 INITIALIZE \ 
   -p 62154:secret \
   -P generate://ssh2@rsa:1536/testserv-rsa \
   -s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \
   -o /opt/tectia/etc/testserv-rsa \
   -S http://fw.example.com:1080 \
   http://pki.example.com:8080/pkix/ \
   'C=FI, O=SSH, CN=Test CA 1'

For more information on ssh-cmpclient-g3 and ssh-scepclient-g3, see their man pages.

Define the private key and the server certificate in the /opt/tectia/etc/sshd2_config file, for example, using the key and certificate created above:

HostKeyFile              testserv-rsa.prv
HostCertificateFile      testserv-rsa-0.crt
HostKey.Cert.Required    no

Setting the sshd2_config option HostKey.Cert.Required to yes defines that the server must authenticate with a certificate. When keys in file are used, a certificate must be defined with the HostCertificateFile option. Setting the option to no (default) means that the server can use either a normal public key or a certificate, depending on which of them is configured. Setting the option to optional means that the server can use both a certificate and the public key found in the certificate.

Restart the server as instructed in Restarting the Server.