Configure SSH Key Offloading

6min

perform the following tasks to create a ca for the ssh key pair create a new x 509 certificate container generate a new key pair for the ssh client create an approval group for pki signing add an issuance policy to the ssh client certificate export the public key for the ssh client key pair create a certificate container perform the following steps to create a new x 509 certificate container open the {{ch}} web dashboard in a browser log in under dual control using the administrator identities from the service management page, go to the administrative services tab select pki management > certificate management select \[ add ca ] at the bottom of the page or right click anywhere in the window and select add ca in the pop up menu, specify the following information for the certificate container name select ssh key offloading host select none type select x 509 owner group in the drop down menu, select the role automatically created for the ssh key offloading service you deployed select \[ ok ] generate a key pair perform the following steps to generate a new key pair for the ssh client right click the x 509 certificate container you created and select add certificate > new certificate in the subject dn tab of the certificate creation wizard, select the classic preset in the drop down menu and specify ssh as the common name for the certificate in the basic info tab, you can leave the values set to the defaults in the v3 extensions tab, do not change the default value of none in the profile drop down list select \[ ok ] to finish creating the ssh client key pair create an approval group perform the following steps to create an approval group for pki signing from the service management page, go to the administrative services tab select pki management > pki signing approvals select \[ add approval group ] at the bottom of the page or right click anywhere in the window and select add approval group specify ssh as the name for the approval group and select \[ ok ] right click the newly created approval group and select permission in the first drop down list, select the role automatically created for the ssh key offloading service you deployed, and select \[ add ] in the permission drop down menu for the ssh key offloading role, select the use permission select \[ save ] add an issuance policy perform the following steps to add an issuance policy to the ssh client certificate from the service management page, select the administrative services tab select pki management > certificate management expand the ssh key offloading certificate container view by selecting the plus (+) icon next to it right click the ssh certificate and select issuance policy > add in the basic info tab, configure the following settings approvals select 0 the zero approval policy requires anonymous signing security usage displays step sets this allowed hashes select sha 512 in the x 509 tab, set the default approval group to ssh in the object signing tab, select the allow object signing checkbox select \[ ok ] to apply the issuance policy to the ssh client certificate right click the ssh certificate and select change security usage in the security usage drop down menu, select anonymous signing select \[ ok ] to apply the change export the public key perform the following steps to export the public key for the ssh client key pair from the service management page, select the administrative services tab select pki management > certificate management expand the ssh key offloading certificate container view by selecting the plus ( + ) icon next to it right click the ssh certificate and select export > public key(s) choose a filename for web transfer and select \[ ok ] select \[ ok ] to close the confirmation dialog your browser prompts you to save locally the public keys zip file the {{ch}} generated

Install and configure Futurex PKCS #11

Configure the SSH server and client