To configure the client to authenticate itself with an X.509 certificate, perform the following tasks:
Enroll a certificate for yourself.
Example: enrollment using ssh-cmpclient-g3:
$ ssh-cmpclient-g3 INITIALIZE -P generate://ssh2:passphrase@rsa:512/user_rsa -o /home/user/.ssh2/user_rsa -p 62154:ssh -s 'C=FI,O=SSH,CN=user;email@example.com' http://pki.ssh.com:8080/pkix/ 'C=FI, O=SSH Communications Security Corp, CN=Secure Shell Test CA'
Remember to also define the SOCKS server (-S) before the CA URL, if required.
For more information on the ssh-cmpclient-g3 syntax, see ssh-cmpclient-g3(1).
(Optional) Create an identification file.
Specify the private key of your software certificate in the
CertKey option works identically with the
The certificate itself will be read from
For more information on the syntax of the identification file, see
Place your keys and certificates in a directory where the Connection Broker can locate them.
With SSH Tectia Client 5.x, using the identification file is not necessary if all your keys are stored in the default directory and you allow all of them to be used for public-key and/or certificate authentication. If the identification file does not exist, the Connection Broker attempts to use each key found in the $HOME/.ssh2 directory. If the identification file exists, the keys listed in it are attempted first.
You can also use the key-store element in the ssh-broker-config.xml file for defining locations for keys and certificates. See the section called “Key Store Configuration Examples”.
Make sure that public-key authentication is enabled in the
<authentication-methods>
  <authentication-method name="publickey" />
  ...
</authentication-methods>
Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.
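The last two steps can be checked mechanically. The following is an added example, not part of the SSH Tectia documentation or product: it reads the authentication-methods block of a Connection Broker configuration and verifies that publickey is enabled and that no non-interactive method is listed after an interactive one. The secsh-broker root element, the interactive method names and the sample XML are assumptions constructed for this example; only the publickey method name comes from the text above.

```python
"""Sanity-check the <authentication-methods> block of an SSH Tectia
Connection Broker configuration (ssh-broker-config.xml).

Added example, not the product's own code. It checks two things the
configuration step asks for: that the "publickey" method is enabled, and
that non-interactive methods are listed before interactive ones."""
import xml.etree.ElementTree as ET

# Assumed: method names that prompt the user. Adjust to the names your
# broker configuration actually uses.
INTERACTIVE_METHODS = {"password", "keyboard-interactive"}

# Constructed sample (root element name assumed): publickey placed first.
GOOD_CONFIG = """<secsh-broker>
  <authentication-methods>
    <authentication-method name="publickey" />
    <authentication-method name="keyboard-interactive" />
  </authentication-methods>
</secsh-broker>"""

# Constructed sample: an interactive method is listed ahead of publickey.
BAD_ORDER_CONFIG = """<secsh-broker>
  <authentication-methods>
    <authentication-method name="password" />
    <authentication-method name="publickey" />
  </authentication-methods>
</secsh-broker>"""

# Constructed sample: publickey is missing entirely.
NO_PUBKEY_CONFIG = """<secsh-broker>
  <authentication-methods>
    <authentication-method name="password" />
  </authentication-methods>
</secsh-broker>"""


def method_names(config_xml: str) -> list[str]:
    """Return the configured method names in document order."""
    root = ET.fromstring(config_xml)
    return [m.get("name", "") for m in root.iter("authentication-method")]


def check_auth_methods(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means both checks pass."""
    names = method_names(config_xml)
    findings = []
    if "publickey" not in names:
        findings.append("publickey authentication is not enabled")
    seen_interactive = False
    for name in names:
        if name in INTERACTIVE_METHODS:
            seen_interactive = True
        elif seen_interactive:
            findings.append(f"non-interactive method {name!r} is listed after an interactive one")
    return findings
```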