x509 cert chain
ehimawan at gmail.com
Sun Oct 31 14:23:17 EST 2010
I was able to patch openssh using Roumen Petrov's
I was able to perform x509 mutual authentication between the client and
I was also able to perform CRL verification/
However, my CA has only one level; i.e. RootCA issues certificates to the openssh
daemon and openSSH client.
Due to time constraints, I have not tried a multi-level CA like yours. I am
still interested in trying a multi-level CA.
So, if you want, send me your daemon config file, client config file, and the
client's and daemon's known_hosts files.
I can take a look at your config files and help you troubleshoot.
From: "Paul Bradley" <paul.bradley.listmail at gmail.com>
Sent: Saturday, October 30, 2010 4:15 AM
To: <openssh-unix-dev at mindrot.org>
Subject: Re: x509 cert chain
> Sorry for the followup - I forgot something:
> I'd also like to know how I get an x509 certificate into the server for it
> to use as its host key, so both the host and users can verify each other
> using the same CA.
> On Sat, Oct 30, 2010 at 10:11 AM, Paul Bradley <
> paul.bradley.listmail at gmail.com> wrote:
>> I am trying to set up OpenSSH with x509 certs and I'm getting nowhere.
>> been at this on and off for days and doing all the googling I can but I'm
>> still not making progress so any help would be very much appreciated. I
>> believe the latest OpenSSH builds support x509 certificates - I'm running
>> 5.5 on Ubuntu 10.04.
>> What I want to do is have users on Windows boxes using PuttySC or similar
>> (suggestions welcome) log in without needing to enter a
>> using an x509 certificate stored on a smartcard / token.
>> The user identities already exist (x509 certs + private keys) and there
>> a multi-level CA structure. It's a simple one though: ROOT CA ->
>> CA -> ISSUING CA -> USER CERTIFICATE
>> How do I configure OpenSSH to allow logins from users who have
>> signed by the trusted issuing CA at the end of the chain above.
>> the server needs the whole CA chain and I've tried cat'ing the .pem files
>> for the CA certificates together and copying the result to a file that
>> pointed to with CACertificateFile in sshd_config.
>> In the authorized_keys I've got:
>> x509v3-sign-rsa subject= /C=COUNTRY/ST=STATE/O=ORGANIZATION/OU=OU/CN=CN
>> the DN of the ROOT CA certificate - should this instead be the issuing
>> Generally any pointers would be very helpful, I've found Roumen Petrov's
>> patches and read some of his stuff but I find it a bit difficult to
>> and in any case I'm not sure how relevant his implementation is to the
>> mainline openssh 5.4/5.5 x509.
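Added example (not from either poster's mail): a shell script that builds a constructed three-level chain of the shape described above, ROOT CA -> INTERMEDIATE CA -> ISSUING CA -> USER CERTIFICATE, concatenates the CA certificates into a single bundle file of the kind CACertificateFile points at, and then shows that the user certificate verifies against the full bundle but not against the root certificate alone. The CA names, the user name alice and the ext.cnf sections are made up for the example; it assumes only that the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Constructed example: three-level CA chain and a concatenated CA bundle.
# Assumes the openssl CLI is installed; every name below is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSRs, certs and the bundle

# Extension sections: CA certificates must carry CA:TRUE and keyCertSign,
# the leaf (user) certificate must not be a CA.
write_ext_file() {
  cat > "$WORK/ext.cnf" <<'EOF'
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ user_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF
}

# new_key NAME: 2048-bit RSA private key in $WORK/NAME.key
new_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
}

# issue NAME SUBJECT SECTION [ISSUER]: make a CSR for NAME and sign it with
# ISSUER's key and certificate (self-signed when ISSUER is omitted), applying
# the extensions from SECTION of ext.cnf.
issue() {
  name=$1; subject=$2; section=$3; issuer=${4:-}
  new_key "$name"
  openssl req -new -key "$WORK/$name.key" -subj "$subject" \
    -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 365 -extfile "$WORK/ext.cnf" -extensions "$section" \
      -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" \
      -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -days 365 -extfile "$WORK/ext.cnf" -extensions "$section" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# build_chain: ROOT CA -> INTERMEDIATE CA -> ISSUING CA -> user "alice",
# then the bundle: every CA certificate in the chain concatenated.
build_chain() {
  write_ext_file
  issue root    "/C=XX/O=Example/CN=ROOT CA"         ca_ext
  issue inter   "/C=XX/O=Example/CN=INTERMEDIATE CA" ca_ext   root
  issue issuing "/C=XX/O=Example/CN=ISSUING CA"      ca_ext   inter
  issue alice   "/C=XX/O=Example/OU=Users/CN=alice"  user_ext issuing
  cat "$WORK/root.pem" "$WORK/inter.pem" "$WORK/issuing.pem" > "$WORK/ca-bundle.pem"
}

# verify_against FILE: "OK" if alice's certificate chains to a trusted
# certificate in FILE, "FAIL" otherwise (e.g. when the intermediates are absent).
verify_against() {
  if openssl verify -CAfile "$WORK/$1" "$WORK/alice.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# user_dn: the leaf certificate's subject in slash-separated form
# (/C=.../O=.../OU=.../CN=...).
user_dn() {
  openssl x509 -noout -subject -nameopt compat -in "$WORK/alice.pem" \
    | sed 's/^subject= *//'
}

main() {
  build_chain
  echo "full bundle (root+intermediate+issuing): $(verify_against ca-bundle.pem)"
  echo "root certificate only:                   $(verify_against root.pem)"
  echo "user subject DN: $(user_dn)"
}

main
```

The second verification fails because a bare leaf certificate carries no intermediates, so whatever trusts it must already hold the intermediate and issuing CA certificates, which is why the bundle contains all three. The last line prints the leaf certificate's subject DN in the slash form used by the authorized_keys line quoted above, for comparison with what is currently in that file.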