SSH Tectia

Server Authentication Settings

SSH Tectia Client software needs to perform the following actions for strong server authentication:

  • Validate the host certificate signature. This requires the CA certificate: in this case, the preconfigured Internal Root CA certificate of the SSH Tectia Manager Internal CA is included in the client's CA list.

  • Verify that the host certificate has not been revoked. In this case, the check is made against a CRL retrieved from the HTTP server of the Management Server. The CRL distribution point (DP) is given as an HTTP URL in the CRL Distribution Points extension of the host certificate itself.

    Note

    The SSH Tectia client-side managed hosts must be allowed to reach the CRL DPs (by default, TCP port 80 on the Management Server) in the organization's firewall configuration.

  • Verify that the host certificate matches the server host. When the connection is made by hostname, the name is matched against the DNS entry of the Subject Alternative Name extension, which typically contains a fully qualified domain name (FQDN); if the DNS entry does not match, the Subject Name is tried. When the connection is made by IP address, the address is matched against the IP entry of the Subject Alternative Name extension of the host certificate.
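The three checks above, exercised end to end against a throwaway PKI built with the openssl command line. This is an added example and not SSH Tectia code: `openssl verify` and `openssl x509 -checkhost`/`-checkip` stand in for the client, and the CA name, the host name sshd1.example.com, the address 192.0.2.10 and the CRL DP URL http://mgmt.example.com/crl.pem are assumptions made for the demo. Because `openssl verify` does not fetch CRLs itself, the CRL is handed to it as a file, as the client would have it after downloading it from the DP. The demo issues a host certificate, checks it, revokes it, republishes the CRL and checks it again.

```shell
#!/bin/sh
# Added example (not part of the SSH Tectia documentation or product): a
# throwaway PKI built with the openssl CLI to exercise the three server-
# authentication checks. All names, addresses and URLs are constructed.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
HOST_FQDN="sshd1.example.com"                 # assumed managed server name
HOST_IP="192.0.2.10"                          # assumed managed server address
CRL_DP_URL="http://mgmt.example.com/crl.pem"  # assumed Management Server CRL URL

# Check 1 setup: the Internal Root CA whose certificate goes into the client's
# CA list, plus the minimal 'openssl ca' database used for revocation and CRLs.
setup_demo_ca() {
    cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_host ]
subjectAltName = DNS:${HOST_FQDN},IP:${HOST_IP}
crlDistributionPoints = URI:${CRL_DP_URL}
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
    : > index.txt
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=Demo Internal Root CA" \
        -keyout ca.key -out ca.pem 2>/dev/null
    publish_crl
}
# Issue a host certificate ($1.pem) carrying the SAN (DNS + IP) and the CRL DP.
issue_host_cert() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=${HOST_FQDN}" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$1.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -extfile ca.cnf -extensions v3_host -out "$1.pem" 2>/dev/null
}
# Sign a fresh CRL from the CA database: this is the file the Management
# Server's HTTP server would serve at the CRL DP URL.
publish_crl() {
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
revoke_host_cert() {
    openssl ca -config ca.cnf -revoke "$1" 2>/dev/null
    publish_crl
}
# Checks 1 and 2: signature chain to the CA list and CRL status of the leaf.
# Prints valid, revoked or invalid. The CRL is passed in as a file because the
# client, not 'openssl verify', is what fetches it from the DP.
check_chain_and_crl() {
    out="$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" 2>&1)" \
        && { echo valid; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *)                       echo invalid ;;
    esac
}
# Check 3: match the connection target against the certificate. An IP literal
# is matched against the SAN IP entry, anything else against the SAN DNS names.
check_name() {
    case "$2" in
        *:*)       flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;  # has letters or hyphens: a host name
        *)         flag=-checkip ;;    # IPv4 literal
    esac
    if openssl x509 -in "$1" -noout "$flag" "$2" | grep -q "does match"; then
        echo match
    else
        echo mismatch
    fi
}

setup_demo_ca
issue_host_cert host
# Self-signed certificate with the right names but no chain to the CA list.
openssl req -x509 -config ca.cnf -extensions v3_host -newkey rsa:2048 -nodes \
    -sha256 -days 30 -subj "/CN=${HOST_FQDN}" -keyout rogue.key -out rogue.pem 2>/dev/null
echo "fresh host cert:        $(check_chain_and_crl host.pem)"           # valid
echo "rogue self-signed cert: $(check_chain_and_crl rogue.pem)"          # invalid
echo "name check, FQDN:       $(check_name host.pem "$HOST_FQDN")"       # match
echo "name check, IP:         $(check_name host.pem "$HOST_IP")"         # match
echo "name check, other FQDN: $(check_name host.pem other.example.com)"  # mismatch
revoke_host_cert host.pem
echo "after revocation:       $(check_chain_and_crl host.pem)"           # revoked
```

Two caveats when reading the results against the description above. First, openssl consults the Subject CN only when the certificate carries no SAN DNS entry at all, so the fallback to the Subject Name described for SSH Tectia is not reproduced here; a practitioner relying on that fallback should test it against the real client rather than this stand-in. Second, the revocation verdict is only as fresh as the CRL that was fetched from the DP, which is why the firewall note above matters: a client that cannot reach the DP has no current CRL to check against.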

Figure 5.22. SSH Tectia Client configuration for server authentication