
Using ssh-ca-tool

The most common use cases are described in this section.

  • Resetting Database Time Stamp

    When SSH Tectia Certifier is running, it time-stamps the Database at regular intervals. At startup, the current time is compared to the last time the Database was used. If the discrepancy is too large, ssh-ca-engine will not start. In this case the operator should check whether this is an actual error (for example, a skewed system clock). If everything seems to be in order, use the following command to reset the time stamp in the Database to the current system time:

    ssh-ca-tool -T

  • Creating Certificates

    Normally certificates are created using the SSH Tectia Certifier Administration GUI, but ssh-ca-tool can also be used for this.

    The following command reads a given configuration file and creates a certificate matching that description. Both the created certificate and its private key can be written to files.

    ssh-ca-tool -g configuration-file

    The following is an example of a configuration file:

    (type "pkcs-10")
    (subject-name "C=FI, O=SSH, CN=Certificate generated with ssh-ca-tool.")
    (validity (not-before "2000/01/01 00:00:00")
              (not-after  "2001/01/01 00:00:00"))
    (extensions (subject-altnames (email "xxx@yyy")
                                  (ip "")
                                  (dns ""))
                (key-usage (digital-signature "#t")
                           (data-encipherment "#t")
                           (key-cert-sign "#t")
                           (crl-sign "#t")
                           (critical "#f"))
                (basic-constraints (path-length "2")
                                   (ca "#t")
                                   (critical "#t"))
                (extended-key-usage (oid "")))
    (private-key (type "if-modn")
                 (size "1024")
                 (signature-alg "rsa-pkcs1-md5")
                 (encrypt-alg "rsa-pkcs1-none"))
    ;; Issuer name. Can be left out, in which case a self-signed certificate
    ;; is created.  (issuer number) gives the issuer as a database object id instead.
    (issuer-name "Test 42")
    ;; Output files for the certificate and the private key.
    (output (certificate "test-cert.bin")
            (private-key "test-cert.prv"))

    The file format is the same ASL format that SSH Tectia Certifier uses internally. The format is mostly self-explanatory. The issuer can be specified either by its short, symbolic name, using the issuer-name keyword, or by an internal database identifier, using the issuer keyword. If desired, the certificate, the private key, or both can be written to the files defined in the output section. The certificate is stored as a DER-encoded binary file. The private key is currently stored in an internal binary format.
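    As an added example (not part of the original documentation or of the ssh-ca-tool distribution), the following Python script parses a file in the ASL layout shown above and lists the points an operator would want to settle before passing it to ssh-ca-tool -g: a validity window that runs backwards, the 1024-bit key and MD5 signature algorithm used in the sample, and a CA certificate whose issuer-name has been left out (which, as described above, yields a self-signed certificate). The tokenizer, the finding texts and the embedded sample text are assumptions of this example; the tool's own ASL reader is not used.

```python
import re
from datetime import datetime
# Constructed sample in the ASL layout this page describes (not a file shipped with the tool).
SAMPLE_CONFIG = '''
(type "pkcs-10")
(subject-name "C=FI, O=SSH, CN=Example generated with ssh-ca-tool.")
(validity (not-before "2000/01/01 00:00:00") (not-after "2001/01/01 00:00:00"))
(extensions (basic-constraints (path-length "2") (ca "#t") (critical "#t")))
(private-key (type "if-modn") (size "1024") (signature-alg "rsa-pkcs1-md5"))
;; issuer-name left out, so the certificate would be self-signed
'''
TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')   # quoted string, paren, or bare symbol

def parse_asl(text):
    """Parse ASL text into nested lists; quoted values lose their quotes."""
    text = re.sub(r';;[^\n]*', '', text)          # drop ;; comments
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError('unbalanced ")"')
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok[1:-1] if tok.startswith('"') else tok)
    if len(stack) != 1:
        raise ValueError('missing ")"')
    return stack[0]

def find(forms, key):   # first sub-form whose head symbol is key, else None
    return next((f for f in forms if isinstance(f, list) and f and f[0] == key), None)

def review(text):
    """Findings to settle before handing the file to ssh-ca-tool -g."""
    forms, findings, fmt = parse_asl(text), [], '%Y/%m/%d %H:%M:%S'
    val = find(forms, 'validity')
    if val and datetime.strptime(find(val, 'not-before')[1], fmt) >= \
            datetime.strptime(find(val, 'not-after')[1], fmt):
        findings.append('not-before is not earlier than not-after')
    key = find(forms, 'private-key')
    if key and int(find(key, 'size')[1]) < 2048:
        findings.append('RSA modulus shorter than 2048 bits')
    if key and 'md5' in find(key, 'signature-alg')[1]:
        findings.append('MD5-based signature algorithm')
    bc = find(find(forms, 'extensions') or [], 'basic-constraints')
    if bc and find(bc, 'ca') == ['ca', '#t'] and not find(forms, 'issuer-name'):
        findings.append('CA certificate with no issuer-name: it will be self-signed')
    return findings
```

    Running review(SAMPLE_CONFIG) reports the short key, the MD5 signature algorithm and the missing issuer-name; a file with balanced parentheses, a forward validity window, a 2048-bit key and a non-MD5 algorithm produces no findings.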

  • Feeding Random Data from External Source

    SSH Tectia Certifier stores its random state in the Database and constantly adds more random noise to it from user input and network packets. With the following command, external random data from a file can be mixed into the random state stored in the Database:

    ssh-ca-tool -r file

  • Database Dumping

    Database state can be read out in ASL format. This is done with the following command:

    ssh-ca-tool -b [cas|log|certificates|requests|entities]

    The requested objects (given as parameters) are written to standard output.

    The CA certificate and its private key can also be exported to a file. This can be done with the command:

    ssh-ca-tool -C ca-name [certificate|privatekey|configuration] file

    The ca-name is the short name of the CA in the Database. The second parameter selects whether the certificate, the private key, or the configuration data is exported, and the last parameter is the target file name. The certificate is written as DER-encoded binary data, the private key in the internal data format, and the configuration as a readable text file.

  • Purge Obsolete Data

    In some cases the Database can contain large amounts of obsolete data. Old requests and CRLs can consume a lot of storage space. Usually storing these objects is necessary, for example to check old revocation information. However, if these objects are seldom needed and full backups are made, it is not necessary to keep them in the active Database.

    Old objects in a running Database can be removed with the command:

    ssh-ca-tool -o [request|crl|log|certificate] months

    The first parameter is the object type to be purged and the second is an integer giving a time limit in months. Only objects older than the time limit are removed. The age check is based on the time of receipt for requests, the issuing time for CRLs, and the end of the validity period for certificates.

    This feature must be used with care, as deletion is irreversible. It is advisable to always back up the Database before using this command.
