ssh-certenroll2(1)
NAME
ssh-certenroll2, ssh-certenroll - Certificate enrollment client
SYNOPSIS
ssh-certenroll2 [-V] [-S SOCKS-server] [-P proxy-url] [-g] [-t rsa | dsa]
[-l key-size] [-o base-name] [-p cmp-ref-num:cmp-key] [-e] -a ca-access-url
-s subject-name ca-cert-file [private-key] [-u number]
OPTIONS
-V Prints the version string and exits.
-S SOCKS-server
Specifies the SOCKS server URL to be used when connecting to the
certification authority.
-P proxy-url
Specifies the HTTP proxy server URL to be used when connecting to the
certification authority.
-g Generates a new private key.
-t rsa|dsa
Specifies the type of key to be generated. Valid types are rsa or dsa.
The default is rsa.
-l key-size
Specifies the size of the key to be generated (in bits) with -g. The
default is 1024. Note that 1024-bit RSA and DSA keys no longer meet
current minimum recommendations; specify a larger size, such as 2048 or
more, if the CA accepts it.
-o base-name
Specifies the base prefix of the generated files. The private key, if
generated, will be <base>.prv and the certificate will be <base>-num.crt.
-p cmp-ref-num:cmp-key
Specifies the CMP enrollment reference number and key (the preshared
secret). Because the secret is passed as a command-line argument, it is
visible to other local users in the process list and may be recorded in
the shell history; run the enrollment on a trusted host and clear the
history afterwards.
-e Enables the extensions in the subject name. If, for example, ip, dns,
or email extensions are used, the -e option must be present.
-a ca-access-url
Specifies the full URL to the certification authority.
-s subject-name ca-cert-file
Specifies the subject name for the certificate. For example,
c=ca,o=acme,ou=development,cn=Rami Romi would specify the common user
name "Rami Romi" in the organizational unit "development" in the
organization "acme" in Canada ("ca"). If extensions such as e-mail are
needed, the subject name could look like this:
c=ca,o=acme,ou=development,cn=Rami Romi;email=rami_romi@acme.ca
In this case, the -e option is required to enable subject name
extensions. Some possible extensions include ip, dns, and email.
-u number
Optionally gives the key usage bits.
DESCRIPTION
The ssh-certenroll2 command allows users to enroll certificates. It will
connect to a certification authority (CA) and use the CMPv2 protocol for
enrolling a certificate. The user can supply an existing private key when
creating the certification request or allow a new key to be generated.
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
EXAMPLES
1. Enroll a certificate and generate a DSA private key:
ssh-certenroll2 -g -t dsa -o mykey -p 12345:abcd \
    -S socks://fw.myfirm.com:1080 -a http://www.ca-auth.domain:8080/pkix/ \
    -s "c=fi,o=acme,cn=Rami Romi" ca-certificate.crt
This will generate a private key called mykey.prv and a certificate
called mykey-0.crt. Because no -l is given, the key uses the 1024-bit
default; add -l to request a larger key.
2. Enroll a certificate using a supplied private key and provide an
e-mail extension (the -e option is required because the subject name
carries an extension):
ssh-certenroll2 -o mykey -p 12345:ab -e -a http://www.ca-auth.domain:8080/pkix/ \
    -s "c=ca,o=acme,cn=Rami Romi;email=rami@acme.ca" \
    ca-certificate.crt my_private_key.prv
This will generate and enroll a certificate called mykey-0.crt.
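The subject-name syntax documented under -s and the two invocations above, as an added Python helper. It is not part of ssh-certenroll2 or its distribution: it parses the subject string into RDNs and extensions, adds -e whenever extensions are present, refuses to generate keys below a 2048-bit floor (a local policy assumption of this example; the tool's own default is 1024), assembles the argument vector in SYNOPSIS order, and lists the files the -o prefix will produce. The function names, the key-size floor, the treatment of extension names other than ip, dns and email as errors, and the sample values are this example's own assumptions.

```python
# Added example: a wrapper that builds ssh-certenroll2 command lines from the
# subject-name syntax documented under -s. It is not part of ssh-certenroll2.
import shlex
from typing import List, Optional, Tuple

# Extension names the man page mentions ("ip, dns, and email"); rejecting any
# other name is an assumption of this example.
KNOWN_EXTENSIONS = {"ip", "dns", "email"}
# Local policy floor for generated keys (assumption); the tool's default, 1024, is below it.
MIN_KEY_BITS = 2048

Pair = Tuple[str, str]


def parse_subject(subject: str) -> Tuple[List[Pair], List[Pair]]:
    """Split "c=ca,o=acme,cn=Rami Romi;email=rami@acme.ca" into RDNs and extensions.

    RDNs are comma-separated attr=value pairs; extensions follow a ';' and use
    the same attr=value form (taken from the examples under -s).
    """
    dn_part, *ext_parts = subject.split(";")
    rdns: List[Pair] = []
    for item in dn_part.split(","):
        attr, sep, value = item.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"bad RDN {item!r}: expected attr=value")
        rdns.append((attr, value))
    if not any(attr == "cn" for attr, _ in rdns):
        raise ValueError("subject name has no cn= component")
    exts: List[Pair] = []
    for item in ext_parts:
        name, sep, value = item.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            raise ValueError(f"bad extension {item!r}: expected name=value")
        if name not in KNOWN_EXTENSIONS:
            raise ValueError(f"unsupported subject-name extension {name!r}")
        exts.append((name, value))
    return rdns, exts


def build_argv(subject: str, ca_url: str, ca_cert_file: str, cmp_ref: str,
               cmp_key: str, base_name: str, generate_key: bool = True,
               key_type: str = "rsa", key_bits: int = MIN_KEY_BITS,
               private_key_file: Optional[str] = None,
               socks_server: Optional[str] = None, proxy_url: Optional[str] = None,
               key_usage: Optional[int] = None) -> List[str]:
    """Assemble the argument vector in the order the SYNOPSIS lists the options."""
    if key_type not in ("rsa", "dsa"):
        raise ValueError("key type must be rsa or dsa")
    if generate_key == bool(private_key_file):
        raise ValueError("use either -g or an existing private key file, not both or neither")
    if generate_key and key_bits < MIN_KEY_BITS:
        raise ValueError(f"{key_bits}-bit keys are below the {MIN_KEY_BITS}-bit floor")
    _, exts = parse_subject(subject)  # validate the -s argument before anything runs
    argv = ["ssh-certenroll2"]
    if socks_server:
        argv += ["-S", socks_server]
    if proxy_url:
        argv += ["-P", proxy_url]
    if generate_key:
        argv += ["-g", "-t", key_type, "-l", str(key_bits)]
    # The CMP reference number and shared secret travel on the command line,
    # where other local users can read them from the process list.
    argv += ["-o", base_name, "-p", f"{cmp_ref}:{cmp_key}"]
    if exts:
        argv.append("-e")  # the man page requires -e whenever extensions are used
    argv += ["-a", ca_url, "-s", subject, ca_cert_file]
    if private_key_file:
        argv.append(private_key_file)
    if key_usage is not None:
        argv += ["-u", str(key_usage)]
    return argv


def expected_outputs(base_name: str, generate_key: bool, cert_index: int = 0) -> List[str]:
    """Files the -o prefix produces: <base>.prv (only with -g) and <base>-<num>.crt."""
    files = [f"{base_name}.prv"] if generate_key else []
    files.append(f"{base_name}-{cert_index}.crt")
    return files


def command_line(argv: List[str]) -> str:
    """Shell-quoted form for logging or pasting; keeps "Rami Romi" as one argument."""
    return shlex.join(argv)


if __name__ == "__main__":
    argv = build_argv("c=ca,o=acme,cn=Rami Romi;email=rami@acme.ca",
                      "http://www.ca-auth.domain:8080/pkix/", "ca-certificate.crt",
                      "12345", "ab", "mykey", generate_key=False,
                      private_key_file="my_private_key.prv")
    print(command_line(argv))
    print("expected files:", expected_outputs("mykey", generate_key=False))
```

The list returned by build_argv can be handed to subprocess.run directly, which avoids a second round of shell quoting of the subject name; command_line is only for showing the operator what will run.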
ENVIRONMENT VARIABLES
SSH_SOCKS_SERVER
Specifies the SOCKS server (if any) to use when connecting to the
certification authority. See ssh2 for the format of this variable.
FILES
$SERVER_DIR/ssh2/ssh2_config
Used for the "SocksServer" option only.
$HOME/.ssh2/ssh2_config
Used for the "SocksServer" option only.
SEE ALSO
Guides: Security Administration