|[Front page] [Index]|
Initial Certificate Enrollment
This example provides commands for enrolling an initial certificate for digital signature use from the
pki.ssh.com interoperability site. It generates a private key into a PKCS #8 plaintext file named
initial.prv, and stores the enrolled certificate into file
initial-0.crt. The user is authenticated to the CA with the key identifier (refnum)
62154 and the key
ssh. The subject name and alternative IP address are given, as well as key-usage flags. The CA address is
pki.ssh.com, the port
8080, and the CA name to access
Test CA 1.
$$ ssh-cmpclient INITIALIZE \ -P generate://pkcs8@rsa:1024/initial -o initial \ -p 62154:ssh \ -s 'C=FI,O=SSH,CN=Example/initial;IP=18.104.22.168' \ -u digitalsignature \ http://pki.ssh.com:8080/pkix/ \ 'C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'
As a response the command presents the issued certificate to the user, and the user accepts it by typing
yes at the prompt.
Certificate = SubjectName = <C=FI, O=SSH, CN=Example/initial> IssuerName = <C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities> SerialNumber= 8017690 SignatureAlgorithm = rsa-pkcs1-sha1 Validity = ... PublicKeyInfo = ... Extensions = Viewing specific name types = IP = 22.214.171.124 KeyUsage = DigitalSignature CRLDistributionPoints = ... AuthorityKeyID = KeyID = 3d:cb:be:20:64:49:16:1d:88:b7:98:67:93:f0:5d:42:81:2e:bd:0c SubjectKeyID = KeyId = 6c:f4:0e:ba:b9:ef:44:37:db:ad:1f:fc:46:e0:25:9f:c8:ce:cb:da Fingerprints = MD5 = b7:6d:5b:4d:e0:94:d1:1f:ec:ca:c2:ed:68:ac:bf:56 SHA-1 = 4f:de:73:db:ff:e8:7d:42:c4:7d:e1:79:1f:20:43:71:2f:81:ff:fa Do you accept the certificate above? yes
In the previous example, a signature certificate was enrolled. Next, we will enroll a new encryption certificate, perform key backup, and authenticate ourselves with the certificate enrolled in the previous example. Presenting the resulting certificate has been left out.
$$ ssh-cmpclient ENROLL \ -B \ -P generate://pkcs8@rsa:2048/encryption -o encryption \ -c initial-0.crt -k file://pkcs8@/initial.prv \ -s 'C=FI,O=SSH,CN=Example/encryption' \ -u keyencipherment \ -C :p:test-ca-1.ca \ http://pki.ssh.com:8080/pkix/
If the certificate enrollment was left pending, that is, the certificate was not immediately accepted or rejected, the user must later poll for the result. For example, if the new enrollment request in the previous section was left pending, the response would have looked like this:
PKI transaction is pending. Poll again with the transaction ID 4114859265.
The certificate must be polled later with the given polling ID.
$$ ssh-cmpclient POLL \ -C :p:test-ca-1.ca \ -k initial.prv \ -c initial.crt \ -I 4114859265 \ http://pki.ssh.com:8080/pkix/
If the initial enrollment is to be polled, the pre-shared key must be used for authentication instead of the existing key/cert pair in the previous example.
$$ ssh-cmpclient POLL \ -C :p:test-ca-1.ca \ -p 62154:ssh \ -I 4121205509 \ http://pki.ssh.com:8080/pkix/
Revoking a Certificate
Continuing from the previous examples, let us assume that the initial certificate needs to be revoked (the certificate holder has lost the right to use the signature). The revocation request is made as follows.
$$ ssh-cmpclient REVOKE \ -c file://initial-0.crt -k file://pkcs8@/initial.prv \ -T initial-0.crt \ http://pki.ssh.com:8080/pkix/ \ 'C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'
Recovering a Private Key
Continuing from the previous example, let us assume that the certificate holder has lost the private key, but we need to be able to use the key for decryption (for example, to decrypt e-mail). The key recovery is done as follows.
$$ ssh-cmpclient RECOVER \ -o recovered \ -c initial-0.crt -k file://pkcs8@/initial.prv \ -T encryption-0.crt \ http://pki.ssh.com:8080/pkix/ \ 'C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'
[Front page] [Index]