Configure SSH Key Offloading

Perform the following tasks to create a CA for the SSH key pair:

1 | Create a new X.509 certificate container

1. Open the web dashboard in a browser.
2. Log in under dual-control using the administrator identities.
3. From the Service Management page, go to the Administrative Services tab.
4. Select PKI Management > Certificate Management.
5. Select [ Add CA ] at the bottom of the page or right-click anywhere in the window and select Add CA.
6. In the pop-up menu, specify the following information for the Certificate Container:

     • Name: Select SSH Key Offloading.
     • Host: Select None.
     • Type: Select X.509.
     • Owner group: In the drop-down menu, select the role automatically created for the SSH Key Offloading service you deployed.

7. Select [ OK ].

2 | Generate a new key pair for the SSH client

1. Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
2. In the Subject DN tab of the certificate creation wizard, select the Classic Preset in the drop-down menu and specify SSH as the Common Name for the certificate.
3. In the Basic Info tab, you can leave the values set to the defaults.
4. In the V3 Extensions tab, do not change the default value of None in the Profile drop-down list.
5. Select [ OK ] to finish creating the SSH client key pair.

3 | Create an approval group for PKI signing

1. From the Service Management page, go to the Administrative Services tab.
2. Select PKI Management > PKI Signing Approvals.
3. Select [ Add Approval Group ] at the bottom of the page or right-click anywhere in the window and select Add Approval Group.
4. Specify SSH as the Name for the approval group and select [ OK ].
5. Right-click the newly created approval group and select Permission.
6. In the first drop-down list, select the role automatically created for the SSH Key Offloading service you deployed, and select [ Add ].
7. In the Permission drop-down menu for the SSH Key Offloading role, select the Use permission.
8. Select [ Save ].

4 | Add an issuance policy to the SSH client certificate

1. From the Service Management page, select the Administrative Services tab.
2. Select PKI Management > Certificate Management.
3. Expand the SSH Key Offloading certificate container view by selecting the plus (+) icon next to it.
4. Right-click the SSH certificate and select Issuance Policy > Add.
5. In the Basic Info tab, configure the following settings:

     • Approvals: Select 0. A message displays stating that the zero-approval policy requires the Anonymous Signing security usage. A later step in this task sets this security usage.
     • Allowed hashes: Select SHA-512.

6. In the X.509 tab, set the Default approval group to SSH.
7. In the Object Signing tab, select the Allow object signing checkbox.
8. Select [ OK ] to apply the Issuance Policy to the SSH client certificate.
9. Right-click the SSH certificate and select Change Security Usage.
10. In the Security Usage drop-down menu, select Anonymous Signing.
11. Select [ OK ] to apply the change.

5 | Export the public key for the SSH client key pair

1. From the Service Management page, select the Administrative Services tab.
2. Select PKI Management > Certificate Management.
3. Expand the SSH Key Offloading certificate container view by selecting the plus (+) icon next to it.
4. Right-click the SSH certificate and select Export > Public Key(s).
5. Choose a filename for web transfer and select [ OK ].
6. Select [ OK ] to close the confirmation dialog.

Your browser prompts you to save the generated public keys zip file locally.