ssh-certd — Secure Shell Certificate Validator on z/OS


ssh-certd [-d debug_level_spec] [-f config_file] [-o options] [-l listener_path] [-F] [-v] [-V] [-q]


ssh-certd (Secure Shell Certificate Validator) is a common process for validating certificates, used primarily by sshd2 when validating user certificates. Without a common place for the validations, all the data needed for validation would have to be duplicated in every process that performs it. This would be very inefficient, especially when very large CRLs (certificate revocation lists) are used. ssh-certd allows CRLs and CA certificates to be loaded only once and then used for all subsequent validations.

ssh-certd is normally started at boot time from /etc/rc.local or equivalent. It opens a listener socket by default at /opt/tectia/var/run/ssh-certd-listener. The location of the listener can be changed with the CertdListenerPath keyword of sshd2_config.

ssh-certd can be configured using command-line options or a configuration file. Command-line options override values specified in the configuration file. ssh-certd reads configuration data from /opt/tectia/etc/ssh_certd_config (or the file specified with the -f option on the command line). By default, the configuration file contains only the keyword UseSSHD2ConfigFile, which instructs ssh-certd to read the specified sshd2 configuration file in compatibility mode. In this mode, the configuration options of sshd2 are silently ignored, and only the options relating to certificate or general daemon configuration are read.

Start ssh-certd as a started task as follows:

===> s sshcertd

The started task takes modify commands as follows:

===> f sshcertd,<command>

The following modify commands are supported:

debug debug_level

Set the debug level of the running Certificate Validator.


Stop the Certificate Validator.


Restart the Certificate Validator.


Query the version of the Certificate Validator.


The following options are available for ssh-certd:

-d debug_level_spec

Debug mode. The server sends verbose debug output to STDERR. This option is intended only for debugging the server. The debugging level is either a number or a comma-separated list of assignments of the format ModulePattern=debug_level, for example "*=10,sshd2=2". This should be the first argument on the command line.

-f configuration_file

Specifies the name of the configuration file. The default is /opt/tectia/etc/ssh_certd_config.


If this option is specified, the default configuration file is not read at all.

-o 'option'

Can be used to give options in the format used in the configuration files. This is useful for specifying options for which there is no separate command-line flag. The option has the same format as a line in the configuration file. Comment lines are not accepted. Where applicable, egrep regex format is used.

-l listener-path

Specifies the path where the server will open the listener socket.

-F

Disables daemon mode. The server does not spawn a new process to the background.

-v

Enables verbose mode. Displays verbose debugging messages. Equal to -d 2. This option can also be specified in the configuration file.

-V

Displays the version string.

-q

Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged. This option can also be specified in the configuration file.

Configuration File

ssh-certd reads configuration data from /opt/tectia/etc/ssh_certd_config (or the file specified with -f on the command line). The file contains keyword-value pairs, one per line. Lines starting with '#' and empty lines are interpreted as comments.

For the format of ssh_certd_config, see ssh_certd_config(5).



/opt/tectia/etc/ssh_certd_config

Contains configuration data for ssh-certd. This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. For ease of migration from older installations, ssh_certd_config contains by default the line "UseSSHD2ConfigFile sshd2_config", which instructs ssh-certd to read the certificate configuration from the sshd2 configuration file and ignore the options that are not relevant to it.
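The following audit script is an added example, not part of the product or its documentation. It checks the "writable by root only" requirement for ssh_certd_config and for any file it pulls in through UseSSHD2ConfigFile. It assumes that keyword matching is case-insensitive and that a relative file name is resolved against the directory of ssh_certd_config; the function names are hypothetical.

```python
import os
import stat
import sys

DEFAULT_CONFIG = "/opt/tectia/etc/ssh_certd_config"  # default path given on this page


def parse_config(text):
    """Return (keyword, value) pairs; '#' lines and empty lines are comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs


def check_write_access(path, owner_uid=0):
    """Flag a file that is missing, not owned by owner_uid, or group/world-writable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return findings


def audit(config_path=DEFAULT_CONFIG, owner_uid=0):
    """Check the config file and any file it reads via UseSSHD2ConfigFile."""
    findings = check_write_access(config_path, owner_uid)
    if findings and findings[0].endswith("missing"):
        return findings
    with open(config_path) as fh:
        pairs = parse_config(fh.read())
    for keyword, value in pairs:
        # Assumption: case-insensitive keyword, relative name resolved
        # against the directory that holds ssh_certd_config.
        if keyword.lower() == "usesshd2configfile" and value:
            target = os.path.join(os.path.dirname(config_path), value)
            findings += check_write_access(target, owner_uid)
    return findings


if __name__ == "__main__":
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONFIG):
        print(finding)
```

An empty result means both files are owned by the expected user and carry no group or world write bit; the script does not examine the permissions of the containing directory.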