The SSH Tectia software imposes only a few requirements directly on the CA hierarchy and policy in certificate authentication:
Host certificates used in server certificate authentication must contain the following:
the fully qualified domain name (FQDN) in the subject alternative name DNS extension, AND/OR
the IP address in the subject alternative name IP extension, AND/OR
the FQDN in the subject name.
The FQDN requirement can be relaxed by disabling the Require FQDN option in the enrollment settings. If the FQDN is not present, the IP address has to be added to the host certificate.
Certificates used in user certificate authentication should contain at least one mappable field (SubjectName or Email) in a consistent format. Alternatively, SerialNumber, typically combined with IssuerName, may be used for one-to-one mapping from the certificate to the user account.
Intermediate (subordinate) CA certificates, if any, should be published to an LDAP directory using a Distinguished Name (DN). If the DN is not used, an Authority Info Access extension must be used in the certificate to specify a custom LDAP object. Alternatively, in user authentication, the certificates may be provided in a cache file.
SSH Tectia Manager imposes the following additional requirements:
If transparent TCP tunneling is used (in 6.x) or if SSH Tectia Connector is used (in 4.x and 5.x), host certificates must have the FQDN in the subject alternative name DNS extension, or in the subject name (for example, the policy rules are created with the hostname instead of the IP address).
Only the primary network identification of the SSH Tectia Server host can be used.
If an LDAP directory is not used for intermediate CA certificates, the cache file can be enabled in the configuration but the file itself must be manually distributed to the hosts.
User authorization, or access control, is often tied to the CA hierarchy or policy. Examples of such scenarios are:
A certificate from a particular CA allows administrative privileges on a host.
The string OU=Administration in the certificate subject name grants access to a CRM server.
The administrator of SSH Tectia Manager, responsible for configuring SSH Tectia Servers for certificate authentication, must be familiar with the PKI setup and policies used by the organization. For example, if the trusted CA is used to issue user certificates for authentication and e-mail protection, or the task is divided by its subordinate CAs, the differences in certificate templates must be known in order to configure mappings that match the authentication certificate but not the e-mail protection certificate.
The processing of the certificate request is equally important. The CA policy can enforce the subject alternative name Email to be set, but the content should be in a consistent format in all certificates, for example username@example.com or firstname.lastname@example.com.
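The two rules above (host certificates must carry an FQDN in the SAN DNS extension or subject name and/or an IP address in the SAN IP extension, with the Require FQDN option deciding whether an IP alone is enough; user certificates must expose a mappable field in a consistent format, falling back to SerialNumber plus IssuerName) can be checked mechanically once the certificate is parsed. The following Go program is an added example, not part of the SSH Tectia documentation or product code: it mints constructed self-signed test certificates with the standard crypto/x509 package and runs both checks over them. The FQDN heuristic, the agreed e-mail format (lowercase username or firstname.lastname at example.com) and the field-preference order are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"regexp"
	"strings"
	"time"
)

// selfSigned mints a throwaway self-signed certificate from the given fields.
// Constructed test data only: real hosts and users get CA-issued certificates.
func selfSigned(serial int64, subject pkix.Name, dns []string, ips []net.IP, emails []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        subject,
		DNSNames:       dns,   // SAN DNS extension
		IPAddresses:    ips,   // SAN IP extension
		EmailAddresses: emails, // SAN Email (rfc822Name)
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// isFQDN is a deliberately simple heuristic (assumption): a dotted name
// with no stray characters. "srv2" or "localhost" is not an FQDN.
func isFQDN(name string) bool {
	return strings.Contains(name, ".") && !strings.ContainsAny(name, " /\\")
}

// HostCertAcceptable applies the host-certificate rule: an FQDN in the SAN DNS
// extension or the subject CN, and/or an IP address in the SAN IP extension.
// With requireFQDN set (the Require FQDN enrollment option) an IP alone fails.
func HostCertAcceptable(cert *x509.Certificate, requireFQDN bool) bool {
	hasFQDN := isFQDN(cert.Subject.CommonName)
	for _, d := range cert.DNSNames {
		hasFQDN = hasFQDN || isFQDN(d)
	}
	hasIP := len(cert.IPAddresses) > 0
	if requireFQDN {
		return hasFQDN
	}
	return hasFQDN || hasIP
}

// emailFormat is the organisation's agreed SAN Email format (an assumption for
// this example): lowercase username or firstname.lastname at example.com.
var emailFormat = regexp.MustCompile(`^[a-z]+(\.[a-z]+)?@example\.com$`)

// UserMappingKey returns the field a certificate-to-account mapping would key
// on: a SAN Email in the agreed format, else the subject DN, else the
// one-to-one fallback of serial number combined with the issuer DN.
func UserMappingKey(cert *x509.Certificate) (kind, value string) {
	for _, e := range cert.EmailAddresses {
		if emailFormat.MatchString(e) {
			return "email", e
		}
	}
	if cert.Subject.CommonName != "" {
		return "subject", cert.Subject.String()
	}
	return "serial+issuer", cert.SerialNumber.String() + "/" + cert.Issuer.String()
}

func main() {
	host := selfSigned(1, pkix.Name{CommonName: "srv1.example.com"}, []string{"srv1.example.com"}, []net.IP{net.ParseIP("10.0.0.5")}, nil)
	ipOnly := selfSigned(2, pkix.Name{CommonName: "srv2"}, nil, []net.IP{net.ParseIP("10.0.0.6")}, nil)
	fmt.Println("FQDN host, Require FQDN on:", HostCertAcceptable(host, true))
	fmt.Println("IP-only host, Require FQDN on:", HostCertAcceptable(ipOnly, true))
	fmt.Println("IP-only host, Require FQDN off:", HostCertAcceptable(ipOnly, false))

	alice := selfSigned(3, pkix.Name{CommonName: "Alice Example"}, nil, nil, []string{"alice.example@example.com"})
	bob := selfSigned(4, pkix.Name{CommonName: "Bob"}, nil, nil, []string{"Bob@Example.COM"})
	svc := selfSigned(5, pkix.Name{Organization: []string{"Example Corp"}}, nil, nil, nil)
	for _, c := range []*x509.Certificate{alice, bob, svc} {
		k, v := UserMappingKey(c)
		fmt.Printf("serial %s maps by %s: %s\n", c.SerialNumber, k, v)
	}
}
```

Bob's certificate shows why the consistent-format requirement matters: it does carry a SAN Email, but not in the agreed form, so the mapping silently falls through to the subject DN, and a rule written against the e-mail field would not match him at all.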