SSH Communications Security

ssh-certenroll2

ssh-certenroll2 allows users to enroll certificates. It will connect to a CA (certification authority) and use the CMPv2 protocol for enrolling a certificate. The user may supply an existing private key when creating the certification request, or allow a new key to be generated.

SYNOPSIS
       ssh-certenroll2 [-V] [-S SOCKS-server] [-P proxy-url] [-g]
       [-t rsa|dsa] [-l key-size] [-o base-name]
       [-p cmp-ref-num:cmp-key] [-e] -a ca-access-url
       -s subject-name ca-cert-file [private-key]

OPTIONS
       -V     Print version string and exit.

       -S SOCKS-server
              The SOCKS server URL to be used when connecting to
              the certification authority.

       -P proxy-url
              The HTTP proxy server URL to be used when connecting
              to the certification authority.

       -g     Generate a new private key.

       -t rsa|dsa
              Type of key to be generated. Valid types are "rsa"
              or "dsa". RSA is the default.

       -l key-size
              The size of the key to be generated (in bits).
              1024 is the default.

       -o base
              Specify the base prefix of the generated files.
              The private key (if generated) will be <base>.prv
              and the certificate will be <base>-num.crt.

       -p cmp-ref-num:cmp-key
              Specify the CMP enrollment reference number and
              key (the pre-shared secret).

       -e     Enable extensions in the subject name. If, for
              example, ip, dns, or email extensions are used, the
              -e flag must be present.

       -a ca-access-url
              The full URL to the certification authority.

       -s subject-dn-name
              Specify the subject name for the certificate. For
              example, "c=ca,o=acme,ou=development,cn=Rami Romi"
              would specify the common user name "Rami Romi" in
              the organizational unit "Development" in the
              organization "Acme" in "ca" (Canada).

       -u number
              Optionally gives the key usage bits.

   
   EXAMPLES
    

  1. Enroll a certificate and generate a DSA private key:
           ssh-certenroll2  -g  -t  dsa  -o  mykey  -p  12345:abcd -S
           socks://fw.myfirm.com:1080        -a        http://www.ca-
           auth.domain:8080/pkix/  -s  "c=fi,o=acme,cn=Rami Romi" ca-
           certificate.crt
    
    This will generate a private key called mykey.prv and a certificate called mykey-0.crt.
  2. Enroll a certificate using a supplied private key and provide an email extension:
           ssh-certenroll2 -o mykey -p 12345:ab -e \
               -a http://www.ca-auth.domain:8080/pkix/ \
               -s "c=ca,o=acme,cn=Rami Romi;email=rami@acme.ca" \
               ca-certificate.crt my_private_key.prv

     The -e flag is included because the subject name carries an email extension.
     This will generate and enroll a certificate called mykey-0.crt.
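
A dry-run helper that assembles an ssh-certenroll2 argument list from the options documented above and enforces the rules this page states: rsa or dsa for -t, the ref-num:key form for -p, and -e whenever the subject name carries ip, dns, or email extensions. It is an added example, not part of the SSH Secure Shell distribution; the function names, the KEY_TYPE and KEY_BITS variables, and the assumption that extensions follow a ';' in the subject name are illustrative.

```sh
#!/bin/sh
# Added example: pre-flight check for an ssh-certenroll2 invocation.
# Prints the argument vector one item per line; nothing is executed.

# needs_ext_flag SUBJECT -> status 0 when the subject carries an ip, dns or
# email extension. Assumption: extensions follow a ';' in the subject name.
needs_ext_flag() {
    case "$1" in
        *";ip="*|*";dns="*|*";email="*) return 0 ;;
        *) return 1 ;;
    esac
}

# certenroll_argv BASE REF:KEY CA_URL SUBJECT CA_CERT [PRIVATE_KEY]
# Without PRIVATE_KEY a new key is requested (-g) using the hypothetical
# KEY_TYPE / KEY_BITS variables (defaults match the tool: rsa, 1024).
certenroll_argv() {
    base=$1 psk=$2 url=$3 subject=$4 cacert=$5 privkey=${6:-}
    ktype=${KEY_TYPE:-rsa} kbits=${KEY_BITS:-1024}

    case "$psk" in
        ?*:?*) ;;
        *) echo "error: -p expects cmp-ref-num:cmp-key" >&2; return 2 ;;
    esac

    set -- ssh-certenroll2
    if [ -z "$privkey" ]; then
        case "$ktype" in
            rsa|dsa) ;;
            *) echo "error: -t must be rsa or dsa" >&2; return 2 ;;
        esac
        case "$kbits" in
            ''|*[!0-9]*) echo "error: -l must be a bit count" >&2; return 2 ;;
        esac
        set -- "$@" -g -t "$ktype" -l "$kbits"
    fi
    set -- "$@" -o "$base" -p "$psk"
    # The page requires -e whenever subject-name extensions are used.
    if needs_ext_flag "$subject"; then set -- "$@" -e; fi
    set -- "$@" -a "$url" -s "$subject" "$cacert"
    if [ -n "$privkey" ]; then set -- "$@" "$privkey"; fi
    printf '%s\n' "$@"
}
```

The output is one argument per line, so a subject name containing spaces stays visibly a single argument when the list is reviewed.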


Copyright © 2003 SSH Communications Security Corp.
All rights reserved.