Using Certificate Authentication

In order to use certificate authentication, you need to issue certificates for users and hosts using certification authority (CA) software such as SSH Certifier™.

The first requirement for using certificates is to import the certificates of the CAs that you trust. Trusting a CA means that, to the best of your knowledge, the private key of the CA has not been compromised. The CA certificates will be the connecting links between entities that have been issued a certificate.

Requesting a CA to issue a certificate is called certificate enrollment. SSH Secure Shell supports the CMPv2 enrollment protocol. If CMPv2 is not available in the CA software, the enrollment can be done in another application and the resulting certificates can be imported to SSH Secure Shell using the PKCS #12 format.

PKCS #12 format files can contain one or more user or CA certificates and private keys. SSH Secure Shell determines the contents of the file and writes the entries to the corresponding directories for subsequent use. Standard PKCS #12 files generated using applications such as Netscape Navigator and Microsoft Internet Explorer are supported.

Other supported formats for importing user and CA certificates are PKCS #7, BER and X.509 binary. If a user certificate is imported, the corresponding private key must be made available to SSH Secure Shell. For this purpose, PKCS #12 is recommended.

In the certification request you can suggest a Common Name (e.g. John Smith), Organization Unit (like Marketing), Organization (SSH Communications Security Corp.), Country (US) and Email Address (john.smith@ssh.com). The CA can change these fields before issuing the certificate. The certificate validity period and other parameters are determined by the configuration of the CA software.

Please note that certificate enrollment requiring manual acceptance in the CA software is not supported. You may be able to compensate for this by using PKCS #12 file importing.
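The import formats named above (PKCS #12, PKCS #7, X.509 binary) can be told apart by their outer ASN.1 structure, which is worth checking before a file is placed among trusted CA certificates. The following is an added example, not SSH Secure Shell's own code; the function names are hypothetical, and it assumes definite-length DER input, so PEM text and indefinite-length BER are reported as unknown.

```python
# Added example (stdlib only): structural sniffing, not signature or trust validation.
PKCS7_ARC = bytes.fromhex("2a864886f70d0107")  # OID prefix 1.2.840.113549.1.7

def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length

def sniff_format(data):
    """Return 'pkcs12', 'pkcs7', 'x509-like' or 'unknown'."""
    try:
        tag, start, end = read_tlv(data)
        if tag != 0x30 or end != len(data):   # exactly one outer SEQUENCE
            return "unknown"
        inner_tag, v_start, v_end = read_tlv(data, start)
    except ValueError:
        return "unknown"
    value = data[v_start:v_end]
    if inner_tag == 0x02 and value == b"\x03":        # PFX: INTEGER version 3
        return "pkcs12"
    if inner_tag == 0x06 and value.startswith(PKCS7_ARC):  # ContentInfo OID
        return "pkcs7"
    if inner_tag == 0x30:   # Certificate starts with tbsCertificate SEQUENCE;
        return "x509-like"  # other SEQUENCE-in-SEQUENCE types match too
    return "unknown"

SAMPLES = {  # constructed skeletons, not real certificates
    "pkcs12": bytes.fromhex("3005020103" "3000"),
    "pkcs7": bytes.fromhex("300d" "06092a864886f70d010702" "a000"),
    "x509-like": bytes.fromhex("3004" "3000" "3000"),
    "unknown": bytes.fromhex("3005020103"),          # truncated PKCS #12
}

if __name__ == "__main__":
    for expected, blob in SAMPLES.items():
        print(expected, "->", sniff_format(blob))
```

A file that passes this check still needs full parsing and a fingerprint comparison against a value obtained out of band before its CA certificate is trusted.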
Copyright © 2001 SSH Communications Security Corp