Configuring Certificate Authentication on Tectia Client/ConnectSecure

Tectia Client and Tectia ConnectSecure need to be separately configured to authenticate server hosts using host certificates. The authentication settings can be configured in Configurations → Edit Configurations → Tectia → Client under the PKI page.

The following settings need to be configured:

  • The list of trusted CA certificates. These are used to check the validity of host certificates.

    If the Tectia Manager Internal CA is used, defining the trusted certificate is the only required setting. To use the Internal CA, select Internal Root CA as the CA certificate.

  • The LDAP servers used to retrieve CRLs and subordinate CA certificates in a CA hierarchy should be configured. These settings are necessary only if the host certificates themselves do not contain valid Authority Info Access and/or CRL Distribution Point extensions.

  • If OCSP should be used instead of CRLs and the host certificates themselves do not contain the information, the default OCSP responder URL should be configured.

If CRL checking is disabled, the LDAP server and OCSP responder URLs do not need to be configured. CRL checking should be disabled for testing purposes only.

Activating the settings requires assigning the configuration to the appropriate hosts and redeploying the configurations.
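
Whether the LDAP server and default OCSP responder settings above are needed depends on which extensions the host certificates already carry. The following shell check is an added example, not part of the Tectia documentation; it assumes the `openssl` command-line tool (1.1.1 or later for `-addext`), and the function names, output labels and `example.test` certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tectia code). The labels printed are hypothetical names
# for the three client-side settings described on this page.

# missing_revocation_pointers CERT
# Prints a space-separated list of the pointers the certificate does NOT carry:
#   cdp        no CRL Distribution Points: an LDAP server is needed to fetch CRLs
#   ca-issuers no AIA caIssuers entry: LDAP is needed to fetch subordinate CA certs
#   ocsp       no AIA OCSP entry: a default OCSP responder URL is needed for OCSP
# Only presence is checked; whether the URLs are valid or reachable is not.
# Returns 2 if the file cannot be parsed as a certificate.
missing_revocation_pointers() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    missing=""
    printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points' || missing="$missing cdp"
    printf '%s\n' "$text" | grep -q 'CA Issuers - URI:' || missing="$missing ca-issuers"
    printf '%s\n' "$text" | grep -q 'OCSP - URI:' || missing="$missing ocsp"
    printf '%s\n' "${missing# }"
}

# make_sample_cert OUT [full]
# Constructed sample input: a throwaway self-signed certificate. With "full"
# it carries CDP and AIA extensions pointing at placeholder example.test URLs.
make_sample_cert() {
    if [ "$2" = full ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$1.key" -out "$1" -subj '/CN=host.example.test' \
            -addext 'crlDistributionPoints=URI:http://crl.example.test/ca.crl' \
            -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test,caIssuers;URI:http://ca.example.test/ca.crt' \
            2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$1.key" -out "$1" -subj '/CN=host.example.test' 2>/dev/null
    fi
}

# Demo on the two constructed certificates.
tmp=$(mktemp -d)
make_sample_cert "$tmp/full.pem" full
make_sample_cert "$tmp/bare.pem"
for c in full bare; do
    echo "$c.pem is missing: [$(missing_revocation_pointers "$tmp/$c.pem")]"
done
```

An empty list means the certificate itself names where to find CRLs, issuer certificates and the OCSP responder; any label printed corresponds to a setting that has to be supplied in the client configuration instead.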


 

 