Your browser does not allow storing cookies. We recommend enabling them.

PreviousNextUp[Front page] [Index]


Initial Certificate Enrollment

This example provides commands for enrolling an initial certificate for digital signature use from the interoperability site. It generates a private key into a PKCS #8 plaintext file named initial.prv, and stores the enrolled certificate into file initial-0.crt. The user is authenticated to the CA with the key identifier (refnum) 62154 and the key ssh. The subject name and alternative IP address are given, as well as key-usage flags. The CA address is, the port 8080, and the CA name to access Test CA 1.

$$ ssh-cmpclient INITIALIZE \
   -P generate://pkcs8@rsa:1024/initial -o initial \
   -p 62154:ssh \
   -s 'C=FI,O=SSH,CN=Example/initial;IP=' \
   -u digitalsignature \ \
   'C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'

As a response the command presents the issued certificate to the user, and the user accepts it by typing yes at the prompt.

Certificate =
  SubjectName = <C=FI, O=SSH, CN=Example/initial>
  IssuerName = <C=FI, O=SSH Communications Security Corp, 
    CN=SSH Test CA 1 No Liabilities>
  SerialNumber= 8017690
  SignatureAlgorithm = rsa-pkcs1-sha1
  Validity = ...
  PublicKeyInfo = ...
  Extensions =
      Viewing specific name types = IP =
    KeyUsage = DigitalSignature
    CRLDistributionPoints = ...
    AuthorityKeyID =
      KeyID = 3d:cb:be:20:64:49:16:1d:88:b7:98:67:93:f0:5d:42:81:2e:bd:0c
    SubjectKeyID =
      KeyId = 6c:f4:0e:ba:b9:ef:44:37:db:ad:1f:fc:46:e0:25:9f:c8:ce:cb:da
  Fingerprints =
    MD5 = b7:6d:5b:4d:e0:94:d1:1f:ec:ca:c2:ed:68:ac:bf:56
    SHA-1 = 4f:de:73:db:ff:e8:7d:42:c4:7d:e1:79:1f:20:43:71:2f:81:ff:fa

Do you accept the certificate above? yes

New Enrollment

In the previous example, a signature certificate was enrolled. Next, we will enroll a new encryption certificate, perform key backup, and authenticate ourselves with the certificate enrolled in the previous example. Presenting the resulting certificate has been left out.

$$ ssh-cmpclient ENROLL \
   -B \
   -P generate://pkcs8@rsa:2048/encryption -o encryption \
   -c initial-0.crt -k file://pkcs8@/initial.prv \
   -s 'C=FI,O=SSH,CN=Example/encryption' \
   -u keyencipherment \
   -C  \


If the certificate enrollment was left pending, that is, the certificate was not immediately accepted or rejected, the user must later poll for the result. For example, if the new enrollment request in the previous section was left pending, the response would have looked like this:

PKI transaction is pending.
Poll again with the transaction ID 4114859265.

The certificate must be polled later with the given polling ID.

$$ ssh-cmpclient POLL \
   -C \
   -k initial.prv \
   -c initial.crt  \
   -I 4114859265 \

If the initial enrollment is to be polled, the pre-shared key must be used for authentication instead of the existing key/cert pair in the previous example.

$$ ssh-cmpclient POLL \
   -C \
   -p 62154:ssh  \
   -I 4121205509  \

Revoking a Certificate

Continuing from the previous examples, let us assume that the initial certificate needs to be revoked (the certificate holder has lost the right to use the signature). The revocation request is made as follows.

$$ ssh-cmpclient REVOKE \
   -c file://initial-0.crt -k file://pkcs8@/initial.prv \
   -T initial-0.crt \ \
   'C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'

Recovering a Private Key

Continuing from the previous example, let us assume that the certificate holder has lost the private key, but we need to be able to use the key for decryption (for example, to decrypt e-mail). The key recovery is done as follows.

$$ ssh-cmpclient RECOVER \
   -o recovered \
   -c initial-0.crt -k file://pkcs8@/initial.prv \
   -T encryption-0.crt \ \
   'C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'

PreviousNextUp[Front page] [Index]




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now