Using Certificate Authentication
In order to use certificate authentication you need to issue
certificates for users and hosts using a certification authority (CA) software
such as SSH Tectia Certifier™.
The first requirement for using certificates is to import the
certificates of the CAs that you trust. Trusting a CA means that, to the
best of your knowledge, the private key of the CA has not been
compromised. The CA certificates are the connecting links
between the entities that have been issued a certificate.
Requesting a CA to issue a certificate is called certificate
enrollment. SSH Secure Shell for Workstations supports the CMPv2
enrollment protocol. If CMPv2 is not available in the CA software,
the enrollment can be done in another application and the resulting certificates
can be imported to SSH Secure Shell for Workstations using the PKCS #12 format.
PKCS #12 format files can contain one or more user or CA
certificates and private keys. SSH Secure Shell for Workstations determines the
contents of the file and writes the entries to the
corresponding directories for subsequent use. Standard PKCS
#12 files generated using applications such as Netscape
Navigator and Microsoft Internet Explorer are supported.
Other supported formats for importing user and CA certificates are PKCS
#7, BER and X.509 binary. If a user certificate is imported,
the corresponding private key must be made available to SSH Secure Shell for Workstations. For this
purpose, PKCS #12 is recommended.
In the certification request you can suggest a Common
Name (e.g. John Smith), Organization
Unit (like Marketing), Organization
(SSH Communications Security Corp.),
Country (US) and Email Address
(john.smith@ssh.com).
The CA can change these fields before issuing the certificate.
The certificate validity period and other parameters
are determined by the configuration of the CA software. Please
note that certificate enrollment requiring manual acceptance in
the CA software is not supported. You may be able to compensate
for this by importing the resulting certificate as a PKCS #12 file instead.