SSH Tectia

Server Authentication Settings

SSH Tectia Client software needs to perform the following actions for strong server authentication:

  • Validate the host certificate signature. For this, the CA certificate is needed. In this case, the preconfigured Internal Root CA of the SSH Tectia Manager Internal CA is configured in the CA list.

  • Verify that the host certificate has not been revoked. In this case, the check is performed against a CRL retrieved from the Management Server HTTP server. The appropriate CRL distribution point (DP) is defined as an HTTP URL in the host certificate itself.

    Note

    The SSH Tectia client-side managed hosts must be allowed to access the CRL DPs (by default, Management Server port 80) in the firewall configuration of the organization.

  • Verify that the host certificate matches the server host. The hostname used for the connection is matched against the DNS extension, which typically contains a fully qualified domain name (FQDN), or against the Subject Name if the DNS extension does not match. If an IP address is used for the connection, the check is done against the IP extension in the Subject Alternative Name of the host certificate.
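
The matching order described in the last item can be sketched as follows. This is an added example, not SSH Tectia code: the function name, the dictionary layout of the certificate fields, and the case-insensitive exact comparison without wildcards are assumptions of the example.

```python
import ipaddress

# Constructed sample certificate fields (not taken from a real host certificate).
SAMPLE_CERT = {
    "san_dns": ["server1.example.com"],        # DNS extension entries
    "san_ip": ["192.0.2.10", "2001:db8::10"],  # IP extension entries
    "subject_cn": "server1",                   # name taken from the Subject Name
}


def host_matches_certificate(target, cert):
    """Return which certificate field matched the connection target, or None.

    target: hostname or IP address the client used for the connection.
    cert:   dict with "san_dns", "san_ip" and "subject_cn" (hypothetical layout).
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        # Connection by IP: only the IP extension is consulted, so an address
        # placed in a DNS entry or in the Subject Name does not count.
        for entry in cert.get("san_ip", []):
            try:
                if ipaddress.ip_address(entry) == ip:
                    return "san_ip"
            except ValueError:
                continue  # a malformed entry never matches
        return None

    # Connection by name: DNS extension first, Subject Name as the fallback.
    name = target.rstrip(".").lower()
    if name in (d.rstrip(".").lower() for d in cert.get("san_dns", [])):
        return "san_dns"
    cn = cert.get("subject_cn")
    if cn and cn.rstrip(".").lower() == name:
        return "subject_cn"
    return None


if __name__ == "__main__":
    for t in ("Server1.Example.COM", "server1", "192.0.2.10", "other.example.com"):
        print(t, "->", host_matches_certificate(t, SAMPLE_CERT))
```

A result of `None` means the certificate does not identify the host that was contacted, even when its signature and revocation status are valid.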

Figure 5.21. SSH Tectia Client configuration for server authentication
