When configuring the client, it must be set up to trust the CA certificate and to access the certificate revocation list (CRL). For more information on client-side configuration, see the documentation for SSH Tectia Client and Connector.
To configure the client to trust the server's certificate, perform the following tasks:
- Copy the CA certificate(s) to the client machine. You can either copy the X.509 certificate(s) as such, or you can copy a PKCS #7 package including the CA certificate(s).
Certificates can be extracted from a PKCS #7 package by specifying the
-7 flag with
- Define the CA certificate(s) to be used in host authentication in the
file: Only one CA certificate can be defined per
keyword. The client will only accept certificates issued by the defined CA.
You can disable the use of CRLs by using the
keyword instead of
Note: CRL usage should only be disabled for testing purposes. Otherwise it is highly recommended to always use CRLs.
- Also define the LDAP server(s) used for CRL checks in the
Defining the LDAP server is not necessary if the CA certificate contains a CRL distribution point extension.
- If the CA services (OCSP, CRLs) are located behind a firewall, define also the SOCKS server in the
The client is set to trust the Entrust certificate in the same way as with standard X.509 certificates. See the instructions above.