Configure SSH Key Offloading

5min
Perform the following tasks to create a CA for the SSH key pair:
1 | Create a new X.509 certificate container
1
Open the  web dashboard in a browser.
2
Log in under dual-control using the administrator identities.
3
From the Service Management page, go to the Administrative Services tab.
4
Select PKI Management > Certificate Management.
5
Select [ Add CA ] at the bottom of the page or right-click anywhere in the window and select Add CA.
6
In the pop-up menu, specify the following information for the Certificate Container:
Name: Select SSH Key Offloading.
Host: Select None.
Type: Select X.509.
Owner group: In the drop-down menu, select the role automatically created for the SSH Key Offloading service you deployed.
7
Select [ OK ].
2 | Generate a new key pair for the SSH client
1
Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
2
In the Subject DN tab of the certificate creation wizard, select the Classic Preset in the drop-down menu and specify SSH as the Common Name for the certificate.
3
In the Basic Info tab, you can leave the values set to the defaults.
4
In the V3 Extensions tab, do not change the default value of None in the Profile drop-down list.
5
Select [ OK ] to finish creating the SSH client key pair.
3 | Create an approval group for PKI signing
1
From the Service Management page, go to the Administrative Services tab.
2
Select PKI Management > PKI Signing Approvals.
3
Select [ Add Approval Group ] at the bottom of the page or right-click anywhere in the window and select Add Approval Group.
4
Specify SSH as the Name for the approval group and select [ OK ].
5
Right-click the newly created approval group and select Permission.
6
In the first drop-down list, select the role automatically created for the SSH Key Offloading service you deployed, and select [ Add ].
7
In the Permission drop-down menu for the SSH Key Offloading role, select the Use permission.
8
Select [ Save ].
4 | Add an issuance policy to the SSH client certificate
1
From the Service Management page, select the Administrative Services tab.
2
Select PKI Management > Certificate Management.
3
Expand the SSH Key Offloading certificate container view by selecting the plus (+) icon next to it.
4
Right-click the SSH certificate and select Issuance Policy > Add.
5
In the Basic Info tab, configure the following settings:
Approvals: Select 0. The Zero approval policy requires Anonymous Signing security usage displays. Step sets this.
Allowed hashes: Select SHA-512.
6
In the X.509 tab, set the Default approval group to SSH.
7
In the Object Signing tab, select the Allow object signing checkbox.
8
Select [ OK ] to apply the Issuance Policy to the SSH client certificate.
9
Right-click the SSH certificate and select Change Security Usage.
10
In the Security Usage drop-down menu, select Anonymous Signing.
11
Select [ OK ] to apply the change.
5 | Export the public key for the SSH client key pair
1
From the Service Management page, select the Administrative Services tab.
2
Select PKI Management > Certificate Management.
3
Expand the SSH Key Offloading certificate container view by selecting the plus (+) icon next to it.
4
Right-click the SSH certificate and select Export > Public Key(s).
5
Choose a filename for web transfer and select [ OK ].
6
Select [ OK ] to close the confirmation dialog.
Your browser prompts you to save locally the public keys zip file the  generated.
﻿
Install and configure Futurex PKCS #11
Configure the SSH server and client