Your browser does not allow storing cookies. We recommend enabling them.

PreviousNextUp[Front page] [Index]


In the following example we first receive the CA certificate from the PKI interoperability site of SSH Communications Security.

$$ ssh-scepclient GET-CA \ 
   -o ca \

Received CA/RA certificate 
fingerprint 9b:96:51:bb:29:0d:c9:e0:75:c8:03:0d:0d:92:60:6c

Then we enroll an RSA certificate. The user is authenticated to the CA with the key ssh. The subject name and alternative IP address are given, as well as key-usage flags.

$$ ssh-scepclient ENROLL \
    -C -p ssh \
    -o subject -P generate://pkcs8:ssh@rsa:1024/subject \
    -s 'C=FI,O=SSH,CN=SCEP Example;IP=' \
    -u digitalsignature \

Received user certificate subject-0.crt: 
fingerprint 4b:7e:d7:67:27:5e:e0:54:2f:5b:56:69:b5:01:d2:15
$$ ls subject*
subject-0.crt   subject.prv

PreviousNextUp[Front page] [Index]




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now