1. Acquire the CA certificate and copy it to the server machine. You can either copy the X.509 certificate(s) as such or you can copy a PKCS #7 package including the CA certificate(s). Certificates can be extracted from a PKCS #7 package by specifying the -7 option with ssh-keygen-g3.

2. Certificate authentication is a part of the publickey authentication method. Make sure that you have enabled it in the server configuration:

       AllowedAuthentications publickey
       AuthPublicKey.Cert.Required no

   Setting AuthPublicKey.Cert.Required to yes defines that the user must authenticate with a certificate or else the authentication will fail.

3. Specify the trusted CA certificate and the mapping file(s) in the server configuration:

       Pki <ca-cert-path>
       MapFile <map-file-path>

   You can define several CA certificates by using several Pki keywords:

       Pki test-ca1.crt
       MapFile cert-user-mapping1.txt
       Pki test-ca2.crt
       MapFile cert-user-mapping2a.txt
       MapFile cert-user-mapping2b.txt

   Note that multiple MapFile keywords are permitted per Pki keyword. Also, if no mapping file is defined, all connections are denied even if user certificates can be verified using the defined CA certificate. The server will accept only certificates issued by the defined CA(s).

4. Optionally define the LDAP server (and the SOCKS server through which it is reached, if any):

       LdapServers ldap://ldap.example.com:389
       SocksServer socks://fw.example.com:1080

   Defining the LDAP server is not necessary if the CA certificate contains a CRL Distribution Point or an Authority Info Access extension.

5. Create the certificate user mapping file as described in Certificate User Mapping File.

6. Restart ssh-certd as instructed in Restarting the Certificate Validator.
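The two pitfalls in the procedure above (a Pki keyword with no MapFile denies every connection using that CA, and requiring certificates is pointless unless publickey is in AllowedAuthentications) are easy to catch before restarting. The following is an added example, not code from SSH.COM or the product: a small Python checker that reads the keyword lines and reports these inconsistencies. It assumes the one-keyword-per-line layout shown above, lines beginning with # as comments and a comma-separated AllowedAuthentications list; the sample configurations at the bottom are constructed for the example.

```python
"""Consistency check for the certificate-authentication keywords of an
SSH Tectia server configuration.  Added example, not product code.
Assumptions: one 'Keyword value' pair per line, '#' starts a comment,
AllowedAuthentications is a comma-separated list, and a MapFile line
belongs to the most recent Pki line above it."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertAuthConfig:
    allowed_authentications: List[str] = field(default_factory=list)
    cert_required: Optional[str] = None
    # (ca-cert-path, [map-file-path, ...]) in file order
    pki_entries: List[Tuple[str, List[str]]] = field(default_factory=list)


def parse_config(text: str) -> CertAuthConfig:
    """Pick out the keywords this check cares about; ignore all others."""
    cfg = CertAuthConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "AllowedAuthentications":
            cfg.allowed_authentications = [
                m.strip() for m in value.split(",") if m.strip()
            ]
        elif keyword == "AuthPublicKey.Cert.Required":
            cfg.cert_required = value.lower()
        elif keyword == "Pki":
            cfg.pki_entries.append((value, []))
        elif keyword == "MapFile":
            if not cfg.pki_entries:
                raise ValueError(f"MapFile with no preceding Pki keyword: {raw!r}")
            cfg.pki_entries[-1][1].append(value)
    return cfg


def check_config(text: str) -> List[str]:
    """Return a list of problems; an empty list means the keywords are consistent."""
    cfg = parse_config(text)
    problems = []
    if cfg.cert_required == "yes":
        if "publickey" not in cfg.allowed_authentications:
            problems.append(
                "AuthPublicKey.Cert.Required is yes but publickey is not in "
                "AllowedAuthentications, so no certificate login can succeed"
            )
        if not cfg.pki_entries:
            problems.append("certificates are required but no Pki keyword names a trusted CA")
    for ca_cert, map_files in cfg.pki_entries:
        if not map_files:
            # The page's rule: no mapping file means every connection is denied.
            problems.append(f"Pki {ca_cert} has no MapFile, so every certificate it issued is denied")
    return problems


# Constructed sample configurations for the example (not real deployments).
GOOD_CONFIG = """\
AllowedAuthentications        publickey
AuthPublicKey.Cert.Required   yes
Pki      test-ca1.crt
MapFile  cert-user-mapping1.txt
Pki      test-ca2.crt
MapFile  cert-user-mapping2a.txt
MapFile  cert-user-mapping2b.txt
"""

BAD_CONFIG = """\
# publickey was left out and the Pki line has no MapFile
AllowedAuthentications        password
AuthPublicKey.Cert.Required   yes
Pki      test-ca1.crt
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_config(text) or "OK")
```

Run it against a copy of the server configuration before step 6; an empty result means the Pki/MapFile pairing and the publickey settings agree with the rules above.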