> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure SSH Key Offloading

> Procedural steps to configure the Certificate Authority for SSH key pairs.

Perform the following tasks to create a CA for the SSH key pair:

1. Create a new X.509 certificate container.
2. Generate a new key pair for the SSH client.
3. Create an approval group for PKI signing
4. Add an issuance policy to the SSH client certificate.
5. Export the public key for the SSH client key pair.

## Create a certificate container

Perform the following steps to create a new X.509 certificate container:

<Steps>
  <Step>
    Open the CryptoHub web dashboard in a browser.
  </Step>

  <Step>
    Log in under dual-control using the administrator identities.
  </Step>

  <Step>
    From the **Service Management** page, go to the **Administrative Services** tab.
  </Step>

  <Step>
    Select **PKI Management** > **Certificate Management**.
  </Step>

  <Step>
    Select **\[ Add CA ]** at the bottom of the page or right-click anywhere in the window and select **Add CA**.
  </Step>

  <Step>
    In the pop-up menu, specify the following information for the Certificate Container:

    * **Name**: Select **SSH Key Offloading**.
    * **Host**: Select **None**.
    * **Type**: Select **X.509**.
    * **Owner group**: In the drop-down menu, select the role automatically created for the SSH Key Offloading service you deployed.
  </Step>

  <Step>
    Select **\[ OK ]**.
  </Step>
</Steps>

## Generate a key pair

Perform the following steps to generate a new key pair for the SSH client:

<Steps>
  <Step>
    Right-click the X.509 certificate container you created and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    In the **Subject DN** tab of the certificate creation wizard, select the **Classic** **Preset** in the drop-down menu and specify `SSH` as the **Common Name** for the certificate.
  </Step>

  <Step>
    In the **Basic Info** tab, you can leave the values set to the defaults.
  </Step>

  <Step>
    In the **V3 Extensions** tab, do not change the default value of **None** in the **Profile** drop-down list.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the SSH client key pair.
  </Step>
</Steps>

## Create an approval group

Perform the following steps to create an approval group for PKI signing:

<Steps>
  <Step>
    From the **Service Management** page, go to the **Administrative Services** tab.
  </Step>

  <Step>
    Select **PKI Management** > **PKI Signing Approvals**.
  </Step>

  <Step>
    Select **\[ Add Approval Group ]** at the bottom of the page or right-click anywhere in the window and select **Add Approval Group**.
  </Step>

  <Step>
    Specify `SSH` as the **Name** for the approval group and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the newly created approval group and select **Permission**.
  </Step>

  <Step>
    In the first drop-down list, select the role automatically created for the SSH Key Offloading service you deployed, and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Permission** drop-down menu for the SSH Key Offloading role, select the **Use** permission.
  </Step>

  <Step>
    Select **\[ Save ]**.
  </Step>
</Steps>

## Add an issuance policy

Perform the following steps to add an issuance policy to the SSH client certificate:

<Steps>
  <Step>
    From the **Service Management** page, select the **Administrative Services** tab.
  </Step>

  <Step>
    Select **PKI Management** > **Certificate Management**.
  </Step>

  <Step>
    Expand the **SSH Key Offloading** certificate container view by selecting the plus (+) icon next to it.
  </Step>

  <Step>
    Right-click the **SSH** certificate and select **Issuance Policy** > **Add**.
  </Step>

  <Step>
    In the **Basic Info** tab, configure the following settings:

    * **Approvals**: Select **0**. The *Zero approval policy requires Anonymous Signing security usage* displays. Step sets this.
    * **Allowed hashes**: Select **SHA-512**.
  </Step>

  <Step>
    In the **X.509** tab, set the **Default approval group** to **SSH**.
  </Step>

  <Step>
    In the **Object Signing** tab, select the **Allow object signing** checkbox.
  </Step>

  <Step>
    Select **\[ OK ]** to apply the Issuance Policy to the SSH client certificate.
  </Step>

  <Step>
    Right-click the **SSH** certificate and select **Change Security Usage**.
  </Step>

  <Step>
    In the **Security Usage** drop-down menu, select **Anonymous Signing**.
  </Step>

  <Step>
    Select **\[ OK ]** to apply the change.
  </Step>
</Steps>

## Export the public key

Perform the following steps to export the public key for the SSH client key pair:

<Steps>
  <Step>
    From the **Service Management** page, select the **Administrative Services** tab.
  </Step>

  <Step>
    Select **PKI Management** > **Certificate Management**.
  </Step>

  <Step>
    Expand the **SSH Key Offloading** certificate container view by selecting the plus (**+**) icon next to it.
  </Step>

  <Step>
    Right-click the **SSH** certificate and select **Export** > **Public Key(s)**.
  </Step>

  <Step>
    Choose a filename for web transfer and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to close the confirmation dialog.

    <Check>
      Your browser prompts you to save locally the public keys zip file the CryptoHub generated.
    </Check>
  </Step>
</Steps>
