Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

Perform the following tasks to create a CA for the SSH key pair:
  1. Create a new X.509 certificate container.
  2. Generate a new key pair for the SSH client.
  3. Create an approval group for PKI signing
  4. Add an issuance policy to the SSH client certificate.
  5. Export the public key for the SSH client key pair.

Create a certificate container

Perform the following steps to create a new X.509 certificate container:
1
Open the CryptoHub web dashboard in a browser.
2
Log in under dual-control using the administrator identities.
3
From the Service Management page, go to the Administrative Services tab.
4
Select PKI Management > Certificate Management.
5
Select [ Add CA ] at the bottom of the page or right-click anywhere in the window and select Add CA.
6
In the pop-up menu, specify the following information for the Certificate Container:
  • Name: Select SSH Key Offloading.
  • Host: Select None.
  • Type: Select X.509.
  • Owner group: In the drop-down menu, select the role automatically created for the SSH Key Offloading service you deployed.
7
Select [ OK ].

Generate a key pair

Perform the following steps to generate a new key pair for the SSH client:
1
Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
2
In the Subject DN tab of the certificate creation wizard, select the Classic Preset in the drop-down menu and specify SSH as the Common Name for the certificate.
3
In the Basic Info tab, you can leave the values set to the defaults.
4
In the V3 Extensions tab, do not change the default value of None in the Profile drop-down list.
5
Select [ OK ] to finish creating the SSH client key pair.

Create an approval group

Perform the following steps to create an approval group for PKI signing:
1
From the Service Management page, go to the Administrative Services tab.
2
Select PKI Management > PKI Signing Approvals.
3
Select [ Add Approval Group ] at the bottom of the page or right-click anywhere in the window and select Add Approval Group.
4
Specify SSH as the Name for the approval group and select [ OK ].
5
Right-click the newly created approval group and select Permission.
6
In the first drop-down list, select the role automatically created for the SSH Key Offloading service you deployed, and select [ Add ].
7
In the Permission drop-down menu for the SSH Key Offloading role, select the Use permission.
8
Select [ Save ].

Add an issuance policy

Perform the following steps to add an issuance policy to the SSH client certificate:
1
From the Service Management page, select the Administrative Services tab.
2
Select PKI Management > Certificate Management.
3
Expand the SSH Key Offloading certificate container view by selecting the plus (+) icon next to it.
4
Right-click the SSH certificate and select Issuance Policy > Add.
5
In the Basic Info tab, configure the following settings:
  • Approvals: Select 0. The Zero approval policy requires Anonymous Signing security usage displays. Step sets this.
  • Allowed hashes: Select SHA-512.
6
In the X.509 tab, set the Default approval group to SSH.
7
In the Object Signing tab, select the Allow object signing checkbox.
8
Select [ OK ] to apply the Issuance Policy to the SSH client certificate.
9
Right-click the SSH certificate and select Change Security Usage.
10
In the Security Usage drop-down menu, select Anonymous Signing.
11
Select [ OK ] to apply the change.

Export the public key

Perform the following steps to export the public key for the SSH client key pair:
1
From the Service Management page, select the Administrative Services tab.
2
Select PKI Management > Certificate Management.
3
Expand the SSH Key Offloading certificate container view by selecting the plus (+) icon next to it.
4
Right-click the SSH certificate and select Export > Public Key(s).
5
Choose a filename for web transfer and select [ OK ].
6
Select [ OK ] to close the confirmation dialog.
Your browser prompts you to save locally the public keys zip file the CryptoHub generated.