SSH Tectia Servers need to perform the following actions for strong user authentication:
Validate the user certificate signature. For this, the CA certificate is needed.
Verify that the user certificate has not been revoked. In this case, the check is performed against a CRL retrieved from the LDAP directory configured in LDAP Server URL.
Authorize the login using rules that map certain fields of the user certificate to existing user accounts on the server host. The Certificate selectors are defined in Server configuration Authentication Settings.
Depending on the security policy and PKI environment of the end-user organization, other settings may be required in actual deployments (for example, certificate caching in case of large CRLs).
The CA certificate is imported into the Management Server prior to deploying the configuration to the hosts. Other PKI-related settings are entered via the SSH Tectia Manager administration interface and stored on the Management Server, in a manner similar to other SSH Tectia Server settings.
The configuration settings for SSH Tectia G3 are done on tab Configurations → Edit Configurations → SSH Tectia G3 under the Server configuration PKI view.
For SSH Tectia 4.x products, the settings are made on tab Configurations → Edit Configurations → PKI.