x509 cert chain

Erwin Himawan ehimawan at gmail.com
Sun Oct 31 14:23:17 EST 2010

I was able to patch openssh using Roumen Petrovs'
I was able to perform x509 mutual authentication between the client and 
I was also able to perform CRL verfication/
However, My CA has oly one leve; I.e. RootCA issues certificate to openssh 
daemon and openSSH client.
Due to time constraint, I have not tried multi-level CA like yours.  I am 
still interested to try multi-level CA.

So, If you want, send me your daemon config file, client config file, and 
client's known host and daeom's knowhost files.
I can take a look into your config file and help you troubleshoot.


From: "Paul Bradley" <paul.bradley.listmail at gmail.com>
Sent: Saturday, October 30, 2010 4:15 AM
To: <openssh-unix-dev at mindrot.org>
Subject: Re: x509 cert chain

> Sorry for the followup - I forgot something:
> I'd also like to know how I get an x509 certificate into the server for it
> to use as it's host key, so both the host and users can verify each other
> using the same CA.
> thanks
> Paul
> On Sat, Oct 30, 2010 at 10:11 AM, Paul Bradley <
> paul.bradley.listmail at gmail.com> wrote:
>> Hi,
>> I am trying to set up OpenSSH with x509 certs and I'm getting nowhere. 
>> I've
>> been at this on and off for days and doing all the googling I can but I'm
>> still not making progress so any help would be very much appreciated. I
>> believe the latest OpenSSH builds support x509 certificates - I'm running
>> 5.5 on Ubuntu 10.04.
>> What I want to do is have users on Windows boxes using PuttySC or similar
>> (suggestions welcome) log in without needing to enter a 
>> username/password,
>> using an x509 certificate stored on a smartcard / token.
>> The user identities already exist (x509 certs + private keys) and there 
>> is
>> a multi-level CA structure. It's a simple one though:    ROOT CA -> 
>> How do I configure OpenSSH to allow logins from users who have 
>> certificates
>> signed by the trusted issuing CA at the end of the chain above. 
>> Presumably
>> the server needs the whole CA chain and I've tried cat'ing the .pem files
>> for the CA certificates together and copying the result to a file that 
>> I've
>> pointed to with CACertificateFile in sshd_config.
>> In the authorized_keys I've got:
>> x509v3-sign-rsa subject= /C=COUNTRY/ST=STATE/O=ORGANIZATION/OU=OU/CN=CN 
>> ie.
>> the DN of the ROOT CA certificate - should this instead be the issuing 
>> CA?
>> Generally any pointers would be very helpful, I've found Roumen Petrovs
>> patches and read some of his stuff but I find it a bit difficult to 
>> follow
>> and in any case I'm not sure how relevant his implementation is to the
>> mainline openssh 5.4/5.5 x509.
>> Thanks
>> Paul
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev 

More information about the openssh-unix-dev mailing list