The enrollment settings are configured by creating a configuration profile for certificate enrollment and assigning it to hosts; there is no need to deploy the enrollment settings separately.
Host certificate enrollment settings can be created in Configurations → Edit Configurations under the PKI tab, in the Enrollment settings folder.
The following information must be specified:

- The PKI settings used for enrolling the certificates. The preconfigured Internal Root CA is recommended.
- The subject name used in the certificate enrollment request. The subject name must be specified in DN (Distinguished Name) notation. The default value works well in most cases. The following variables can be used within the subject name:
  - substituted with the IP address of the host.
  - %IP_ADDRESS_LIST%, substituted with all of the IP addresses of that host. Usable only in the subject altName part (as in IP=%IP_ADDRESS_LIST%), not in the actual subject name.
  - %DNS_NAME%, substituted with the DNS name (fully qualified host name) of the host.
  - %DNS_NAME_LIST%, substituted with all of the DNS names of that host. Usable only in the subject altName part (as in IP=%DNS_NAME_LIST%), not in the actual subject name.
  - %HOST_NAME%, substituted with the short host name (DNS name without the domain part).
  - %REFERENCE_NUMBER%, the reference number of the allocated authorization code for the host. Only needed in Entrust Web

  The subject name field is mostly parsed as a Distinguished Name (DN). However, additional semicolon-separated fields IP can be used to specify subject alternative names for a request (see example below). Note that this means that a colon has to be used to separate RDNs in the DN. The default value for the subject name field is
  For example, this will add multiple subject alternative name DNS entries to the host certificate if the host has reported aliases.
- Select whether an FQDN is required. If FQDN required is selected, the managed host must have a fully qualified domain name; it is used in the subject name field and is therefore added as a name in the host certificate. If an FQDN is not required, an IP address in the certificate is sufficient. Without an FQDN, server authentication in the Secure Shell client is restricted to connections made with explicit IP addresses.
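As an added illustration, not code from SSH.COM's product, the following Python helper expands a subject-name template of the form described above into a subject DN plus altName entries: it rejects the list variables outside the altName part, checks that an IP= field really holds IP addresses, and applies the FQDN required rule. The DNS= altName field, the host dictionary and the one-entry-per-value expansion of list variables are assumptions.

```python
import ipaddress
import re
# Hypothetical helper written for this page (not SSH.COM code): it splits a
# subject-name template (DN, then semicolon-separated altName fields) and expands
# the host variables. Assumption: altName field kinds are DNS and IP, and a list
# variable expands to one altName entry per value.
VAR_RE = re.compile(r"%([A-Z_]+)%")
LIST_VARS = ("DNS_NAME_LIST", "IP_ADDRESS_LIST")  # usable only in the altName part

def expand_subject_template(template, host, fqdn_required=False):
    """Return (subject DN string, list of (kind, value) altName entries)."""
    dns_name = host.get("dns_name", "")
    if fqdn_required and "." not in dns_name:
        raise ValueError("FQDN required but host has no fully qualified domain name")
    scalars = {"DNS_NAME": dns_name, "HOST_NAME": dns_name.split(".")[0]}
    lists = {"DNS_NAME_LIST": host.get("dns_name_list", []),
             "IP_ADDRESS_LIST": host.get("ip_address_list", [])}

    def substitute(text):  # scalar variables only; list variables are rejected here
        def repl(m):
            name = m.group(1)
            if name in LIST_VARS:
                raise ValueError(f"%{name}% is usable only in the altName part")
            if name not in scalars:
                raise ValueError(f"unknown variable %{name}%")
            return scalars[name]
        return VAR_RE.sub(repl, text)

    fields = [f.strip() for f in template.split(";") if f.strip()]
    subject_dn = substitute(fields[0])
    alt_names = []
    for field in fields[1:]:
        kind, sep, value = field.partition("=")
        kind, value = kind.strip().upper(), value.strip()
        if not sep or kind not in ("DNS", "IP"):
            raise ValueError(f"unsupported altName field: {field!r}")
        m = VAR_RE.fullmatch(value)
        values = lists[m.group(1)] if m and m.group(1) in lists else [substitute(value)]
        for v in values:
            if kind == "IP":
                ipaddress.ip_address(v)  # rejects a DNS name placed in an IP= field
            alt_names.append((kind, v))
    return subject_dn, alt_names

def template_is_valid(template, host, fqdn_required=False):  # True if it expands
    try:
        expand_subject_template(template, host, fqdn_required)
        return True
    except ValueError:
        return False
```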