Your browser does not allow storing cookies. We recommend enabling them.

Tectia

Managing CA Certificates with the Configuration File (Unix)

When configuring the client, it must be set up to trust the CA certificate and to access the certificate revocation list (CRL).

To configure the client to trust the server's certificate, perform the following tasks:

  1. Copy the CA certificate(s) to the client machine. You can either copy the X.509 certificate(s) as such, or you can copy a PKCS #7 package including the CA certificate(s).

    Certificates can be extracted from a PKCS #7 package by specifying the -7 flag with ssh-keygen-g3.

  2. Define the CA certificate(s) to be used in host authentication in the ssh-broker-config.xml file under the general element:

    <cert-validation end-point-identity-check="yes" 
                     http-proxy-url="http://proxy.example.com:800">
      <ldap-server address="ldap://ldap.example.com:389" />
      <ocsp-responder url="http://ocsp.example.com:8090" validity-period="0" /> 
      <dod-pki enable="no" />
      <ca-certificate name="ssh_ca1"
                      file="ssh_ca1.crt"
                      disable-crls="no"
                      use-expired-crls="100" />
    </cert-validation>         
    

    The client will only accept certificates issued by the defined CA(s).

    You can disable the use of CRLs by setting the disable-crls attribute of the ca-certificate element to "yes".

    [Note]Note

    CRL usage should only be disabled for testing purposes. Otherwise it is highly recommended to always use CRLs.

    Also define the LDAP server(s) or OCSP responder(s) used for CRL checks. Defining the LDAP server is not necessary if the CA certificate contains a CRL distribution point extension.

  3. If the CA services (OCSP, CRL) are located behind a firewall, define also the SOCKS server in the ssh-broker-config.xml file. The SOCKS server is defined inside cert-validation with the socks-server-url element.


 

 
Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more