Configure SSH Key Offloading
Perform the following tasks to create a CA for the SSH key pair:
Open the web dashboard in a browser.
Log in under dual-control using the administrator identities.
From the Service Management page, go to the Administrative Services tab.
Select PKI Management > Certificate Management.
Select [ Add CA ] at the bottom of the page or right-click anywhere in the window and select Add CA.
In the pop-up menu, specify the following information for the Certificate Container:
- Name: Select SSH Key Offloading.
- Host: Select None.
- Type: Select X.509.
- Owner group: In the drop-down menu, select the role automatically created for the SSH Key Offloading service you deployed.
Select [ OK ].
Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
In the Subject DN tab of the certificate creation wizard, select the Classic Preset in the drop-down menu and specify SSH as the Common Name for the certificate.
In the Basic Info tab, you can leave the values set to the defaults.
In the V3 Extensions tab, do not change the default value of None in the Profile drop-down list.
Select [ OK ] to finish creating the SSH client key pair.
From the Service Management page, go to the Administrative Services tab.
Select PKI Management > PKI Signing Approvals.
Select [ Add Approval Group ] at the bottom of the page or right-click anywhere in the window and select Add Approval Group.
Specify SSH as the Name for the approval group and select [ OK ].
Right-click the newly created approval group and select Permission.
In the first drop-down list, select the role automatically created for the SSH Key Offloading service you deployed, and select [ Add ].
In the Permission drop-down menu for the SSH Key Offloading role, select the Use permission.
Select [ Save ].
From the Service Management page, select the Administrative Services tab.
Select PKI Management > Certificate Management.
Expand the SSH Key Offloading certificate container view by selecting the plus (+) icon next to it.
Right-click the SSH certificate and select Issuance Policy > Add.
In the Basic Info tab, configure the following settings:
- Approvals: Select 0. A message displays stating that the Zero approval policy requires the Anonymous Signing security usage. A later step in this procedure sets this.
- Allowed hashes: Select SHA-512.
In the X.509 tab, set the Default approval group to SSH.
In the Object Signing tab, select the Allow object signing checkbox.
Select [ OK ] to apply the Issuance Policy to the SSH client certificate.
Right-click the SSH certificate and select Change Security Usage.
In the Security Usage drop-down menu, select Anonymous Signing.
Select [ OK ] to apply the change.
From the Service Management page, select the Administrative Services tab.
Select PKI Management > Certificate Management.
Expand the SSH Key Offloading certificate container view by selecting the plus (+) icon next to it.
Right-click the SSH certificate and select Export > Public Key(s).
Choose a filename for web transfer and select [ OK ].
Select [ OK ] to close the confirmation dialog.
Your browser prompts you to save the generated public keys zip file locally.