Using OpenSSL to Generate Certificate Requests and Configuring Certificate Authentication for F-Secure SSH Clients
Technical Note 1931
Last Reviewed 01-Dec-2005
Applies To
F-Secure SSH Client for Windows version 5.x
F-Secure SSH Client for UNIX version 5.x
Summary
You can use digital certificates to establish secure connections with PKI (Public Key Infrastructure). This technical note outlines how to create and obtain a certificate, import it to the F-Secure client, and properly configure the client to use certificate authentication.
Overview of Certificates for Client Authentication
Rather than using public keys to authenticate your session, you can use certificates that authenticate the client during the Diffie-Hellman key exchange:
- The client sends the user certificate (which includes the user public key) to the server.
- Using the Certificate Authority’s (CA) root certificate, the server checks that the user certificate is valid.
- The server checks its mapping file(s) to verify if login is allowed based on the user certificate presented.
- Finally, if the connection is allowed, the server verifies that the user has a valid private key by using a challenge.
To have fully enabled certificate authentication, both the server and the client must be configured for certificate authentication. However, you can opt for server-only or client-only certificate authentication, depending on the needs of your environment. This technical document covers configuring the client. For information about server configuration, see Technical Note 1936.
OpenSSL Example
The steps in this note assume that OpenSSL on a UNIX server is used to generate the certificate request. You may, however, choose to use a different application to generate the certificate request.
Step I: Obtain the Required Client Certificate
Follow these steps to generate a certificate request and use it to obtain the client certificate from a Certificate Authority:
- Using OpenSSL, generate the RSA private key (privkey) and pkcs10 request (request.pkcs10) with the command:
openssl req -newkey rsa:2048 -out request.pkcs10 -keyout privkey
Note the password you enter when prompted; you will use it in step I-6.
This will create two files (privkey and request.pkcs10) in your current folder.
It is common practice to make the common name of the client certificate the user name, such as myUser.
- Send the resulting pkcs10 package (the request.pkcs10 file) to a CA for signing. The package is an ASCII file that you can open in Notepad and view; it is merely a request for a certificate based on the key generated in step I-1.
If you choose to submit the request by cutting and pasting the text into the CA’s pkcs10 request form, be certain to copy the entire text including the statements:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
- Obtain the root CA certificate from your Certificate Authority provider. (You may already have this certificate if you have completed the steps in Technical Note 1936, Using OpenSSL to Generate Certificate Requests and Configuring Certificate Authentication for F-Secure SSH Server for UNIX.) This file must be in Base-64 encoded X.509 (CER) format. If you are unsure, import the certificate into Internet Explorer’s certificate store and then export it as a Base-64 file.
- Upload the root CA certificate in binary to the server’s /etc/ssh2/pki folder. (Note that this may already have been done.)
- You will receive your CA-signed client certificate in a "Base-64 encoded" or ".pem" format depending on the CA. Either format is acceptable. Note: Do not use DER encoded binary for this step.
- Create the pkcs12 package necessary to obtain the private and public key for the client.
Execute the following command, replacing <myReceivedCert> with the certificate you received in step I-5. (Enter the password you noted in step I-1, when prompted.)
openssl pkcs12 -export -inkey privkey -in <myReceivedCert> -out exported.pkcs12
This will create a file called exported.pkcs12 in your current folder.
- Extract the client’s private key (in SSH2 format) and certificate (this will prompt you for a new passphrase to give to the newly extracted private key):
ssh-keygen -k exported.pkcs12
This will generate two files: exported.pkcs12_ssh2.crt and exported.pkcs12_ssh2 (client’s certificate and client’s private key, respectively).
Note: In some cases the public certificate (*.crt) will be named exported.pkcs12-1_ssh2.crt. If it is, rename it to remove the -1: exported.pkcs12_ssh2.crt.
- Create a user.map file using the ssh-certview command as follows, where myClientCert is the client certificate public key (exported.pkcs12_ssh2.crt in step I-7 above):
ssh-certview -c <myClientCert> > user.map
Copy the user.map file to the /etc/ssh2/pki folder.
- Edit the user.map file you just created, replacing the two (account) values with the user name (myUser in the example below) you entered in the common name of the certificate in step I-1:
# Certificate myUser.crt
# Certificate issuer ........... : C=US, O=WRQ CN=WRQ Certificate Authority
# Certificate serial number .... : 83726187
# Certificate subject .......... : C=US, ST=Washington,L=Seattle, O=AttachmateWRQ, OU=Support, CN=myUser
#
myUser SerialAndIssuer 83726187 C=US, O=AttachmateWRQ CN=AttachmateWRQ Certificate Authority
myUser Subject C=US, ST=Washington, L=Seattle, O=AttachmateWRQ, OU=Support, CN=myUser
- Using binary format, transfer the client certificate and private key created in step I-7 and the CA’s root certificate obtained in step I-3 to the user’s PC.
- Open the server file sshd2_config for editing and add the following lines:
## PKI Information
Pki /etc/ssh2/pki/myCARootCert.crt
MapFile /etc/ssh2/pki/user.map
PkiDisableCRLs yes
- myCARootCert.crt should match the name of the file you obtained from your Certificate Authority in step I-3 above.
- PkiDisableCRLs should be set to "yes" only while testing.
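The OpenSSL part of Step I scripted end to end, as an added example that is not part of this technical note. A throwaway test CA (an assumption, standing in for your real Certificate Authority) signs the request so that the key, the PKCS#10 request, the received certificate and exported.pkcs12 can be produced and checked offline; the working folder, subject values and passwords are constructed for the example, and the ssh-keygen and ssh-certview steps that follow are F-Secure tools not covered here.

```shell
#!/bin/sh
set -e
# Working folder and the step I-1 password (both constructed for the example).
WORK=${WORK:-$(mktemp -d)}
KEYPASS="example-key-password"

# Stand-in CA so the request can be signed and verified locally; a real
# deployment sends request.pkcs10 to the actual Certificate Authority instead.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=Example/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/myCARootCert.crt" 2>/dev/null
}

# Step I-1: RSA private key plus PKCS#10 request, common name = login name.
make_request() {
    openssl req -newkey rsa:2048 -out "$WORK/request.pkcs10" \
        -keyout "$WORK/privkey" -passout "pass:$KEYPASS" \
        -subj "/C=US/O=Example/CN=myUser" 2>/dev/null
}

# The CA side of step I-2: returns the signed certificate in Base-64 (PEM).
sign_request() {
    openssl x509 -req -in "$WORK/request.pkcs10" -days 30 \
        -CA "$WORK/myCARootCert.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/myReceivedCert.pem" 2>/dev/null
}

# Step I-6: bundle the private key and received certificate into exported.pkcs12.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/privkey" -passin "pass:$KEYPASS" \
        -in "$WORK/myReceivedCert.pem" -out "$WORK/exported.pkcs12" \
        -passout "pass:$KEYPASS"
}

# Checks worth running before the files go to the user's PC: the received
# certificate chains to the root, and the bundle carries the CN that user.map
# will be keyed on. Prints that CN on success, fails otherwise.
verify_bundle() {
    openssl verify -CAfile "$WORK/myCARootCert.crt" \
        "$WORK/myReceivedCert.pem" >/dev/null
    openssl pkcs12 -in "$WORK/exported.pkcs12" -passin "pass:$KEYPASS" \
        -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

make_test_ca && make_request && sign_request && build_pkcs12
verify_bundle
```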
Step II: Installing the Certificates to the Client
You can install certificates to the F-Secure SSH Client for Windows or the Client for UNIX.
Installing the Certificates to the F-Secure SSH Client for Windows
Follow the steps below to install the certificates to the F-Secure SSH Client for Windows version 5.x:
- Import the client certificate and private key:
- Open the F-Secure client.
- Click Edit > Settings.
- Expand the PKI tree, and click Certificates to open the Personal Certificates panel:
- Click Import and browse to your client certificate. This is the file created in step I-7; in our example, exported.pkcs12_ssh2.crt. The private key must be in the same folder for the import to work properly. A message that both certificate and private keys were imported successfully should display.
- The "Disable CRL checking" check box should be selected only while testing.
- Import the trusted root CA certificate.
- Click the Trusted Certification Authorities tab.
- Click Import and browse to the trusted root CA certificate you obtained in step I-3.
- The "Disable CRL checking" check box should be selected only while testing.
- Click OK.
Make a Secure Connection with Certificate Authentication
Follow these steps to make a secure connection with certificate authentication using the F-Secure SSH Client for Windows:
- Open the F-Secure client.
- Click Edit > Settings.
- Under Profile, click Connection > Authentication.
- Under Authentication Methods, select Public Key. You may need to use the arrows to move it to the top, or remove all other methods you are not using.
- Under Public-Key Authentication Methods, select User Certificates and, using the arrows, move it to the top of the list.
- Click OK.
- Click File > Connect and enter the appropriate values for your Host and User Name.
- Click Connect.
- In the dialog box that opens, enter the passphrase for your private key created in step I-7.
- Click OK.
You should successfully connect to the host.
Installing the Certificates to the F-Secure SSH Client for UNIX
If you have the client for UNIX, follow these steps to install the certificates:
- Using binary transfer, upload the exported.pkcs12 file created in step I-6 into your user’s $HOME/.ssh2 folder.
- Change to the $HOME/.ssh2 folder.
- Extract the client’s private key (in SSH2 format) and certificate (which will prompt you for a new passphrase to give to the newly extracted private key) using the command:
ssh-keygen -k exported.pkcs12
This will generate two files: exported.pkcs12_ssh2.crt and exported.pkcs12_ssh2 (these files are your client’s certificate and client’s private key, respectively).
Note: In some cases the public certificate (*.crt) will be named exported.pkcs12-1_ssh2.crt. If it is, rename it to remove the -1: exported.pkcs12_ssh2.crt.
- Open the identification file under the $HOME/.ssh2 folder for editing (you may need to create this file if this is a new install) and add the line:
CertKey <myUserPrivateKey>
For the example, the line is:
Certkey exported.pkcs12_ssh2
The certificate itself will be read from the same location where the private key is installed. In the example, it is located in the user’s home /.ssh2 folder.
- Note: If you created and edited a user.map file in steps I-8 and I-9, skip this step and the next, and proceed to step 7 below.
Create a user.map file for the client certificate using the ssh-certview command:
ssh-certview -c <myClientCert> > user.map
For example:
ssh-certview -c client_ssh2.crt > user.map
- Edit the user.map file you just created, replacing the two (account) values (myUser in the example below) with the user name you entered in the common name of the certificate in step I-1:
# Certificate myUser.crt
# Certificate issuer ........... : C=US, O=WRQ CN=WRQ Certificate Authority
# Certificate serial number .... : 83726187
# Certificate subject .......... : C=US, ST=Washington,L=Seattle, O=AttachmateWRQ, OU=Support, CN=myUser
#
myUser SerialAndIssuer 83726187 C=US, O=AttachmateWRQ CN=AttachmateWRQ Certificate Authority
myUser Subject C=US, ST=Washington, L=Seattle, O=AttachmateWRQ, OU=Support, CN=myUser
- Using binary transfer, upload the user.map file to the UNIX server where the client will be connecting. Copy the file to the /etc/ssh2/pki folder.
- On the client, you will also need to obtain the root CA certificate from the Certificate Authority provider. For the example, the CA root certificate is named "myCARootCert.crt" and is copied and saved to the /etc/ssh2/pki folder.
Note: If the /pki folder does not exist, you must create it.
- Also on the client, edit the ssh2_config file by adding the following two lines:
AllowedAuthentications publickey
HostCA /etc/ssh2/pki/myCARootCert.crt
Note: You can disable CRL checking by replacing the keyword HostCA with the keyword HostCANoCrls. For example,
HostCANoCrls /etc/ssh2/pki/myCARootCert.crt
- Save the ssh2_config file.
Make a Secure Connection with Certificate Authentication
To make a secure connection with certificate authentication using the F-Secure SSH Client for UNIX, simply log in to your host using the <username>@<host> command.
Related Technical Notes
1936: Using OpenSSL to Generate a Certificate Request and Configuring Certificate Authentication for F-Secure SSH Server for UNIX