Using OpenSSL to Generate a Certificate Request and Configuring Certificate Authentication for F-Secure SSH Server for UNIX
Technical Note 1936
Last Reviewed 01-Dec-2005
Applies To
F-Secure SSH Server for UNIX version 5.x
Summary

You can use digital certificates to establish secure connections with PKI (Public Key Infrastructure). This technical note outlines how to create and obtain a certificate, import it to the server, and properly configure the server to use certificate authentication.

Overview of Certificate Authentication for Servers

Rather than using public keys to authenticate your session, you can use certificates that authenticate the server during the Diffie-Hellman key exchange:

  1. The server sends its certificate to the client.
  2. The client verifies the certificate was signed by a valid Certificate Authority (CA).
  3. The client verifies that the certificate has the fully qualified domain name of the server.
  4. The client uses the challenge command to verify the private key of the server.

For fully enabled certificate authentication, both the server and the client must be configured for certificate authentication. However, you can opt for server-only or client-only certificate authentication, depending on the needs of your environment. This technical note explains how to configure the F-Secure server. For information about the F-Secure client configuration, see Technical Note 1931.

OpenSSL Example

The steps in this note assume that OpenSSL on a UNIX server is used to generate the certificate request. You may, however, choose to use a different application to generate the certificate request.

Preliminary Steps

Before you obtain the server certificate, you must verify the server's fully qualified domain name (FQDN) and modify the openssl.cnf file.

Verify the Server Hostname

To verify the host FQDN, enter the following command at the command line:

hostname

It should display the FQDN, for example:

myHost.myCo.com

You will enter the FQDN in the subjectAltName in the openssl.cnf file. If the hostname command does not display the FQDN, please review your host documentation for further information.

Modify Openssl.cnf to Generate Certificate Request with FQDN

Prior to generating the server certificate, the openssl.cnf file must be modified to enable version three extensions for the certificate request. This modification enables you to enter the FQDN for the server, which is required for a successful connection.

  1. Open the server file, openssl.cnf, for editing.
  2. Locate the following line (commented out by default) under the [ req ] section of openssl.cnf:
# req_extensions = v3_req # The extensions to add to a certificate request
  3. Uncomment the line so that it reads:
req_extensions = v3_req # The extensions to add to a certificate request
  4. Locate the [ v3_req ] section of openssl.cnf and add the following line (replace myHost.myCo.com with the FQDN of your host):
subjectAltName=DNS:myHost.myCo.com
  5. Save the file and verify that the changes were made.

Obtain the Required Server Certificate

Follow the steps below to obtain the server certificate.

  1. Generate the RSA private key (privkey) and pkcs10 request (request.pkcs10) with the command:
openssl req -newkey rsa:2048 -out request.pkcs10 -keyout privkey

Note the password you enter when prompted; you will use it in step 5 in the following section.

This command creates two files (privkey and request.pkcs10) in your current folder.

  2. Send the resulting pkcs10 package (the request.pkcs10 file) to a Certificate Authority for signing. The package is an ASCII file that you can view in Notepad; it is simply a request for a certificate based on the key generated in step 1.

If you choose to submit the request by cutting and pasting the text into the CA’s pkcs10 request form, be certain to copy the entire text including

-----BEGIN CERTIFICATE-----

and

-----END CERTIFICATE-----
  3. Obtain the root CA certificate from your Certificate Authority provider. This file must be in Base-64 encoded X.509 (CER) format. If you are unsure of its format, import the certificate to Internet Explorer’s certificate store and then export it as a Base-64 file.
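
The openssl.cnf change and the request generation above can be checked before anything is sent to the CA. The following is an added example, not part of the original technical note: it writes a minimal stand-in for openssl.cnf (the file name req.cnf, the work directory, and the -nodes option that skips the key password are assumptions made so it runs unattended), generates the request, and confirms that the subjectAltName is present only when the req_extensions line is uncommented.

```shell
#!/bin/sh
# Added example, not from the technical note. myHost.myCo.com is the note's
# placeholder FQDN; req.cnf and the work directory are constructed here.

make_csr() {   # usage: make_csr <fqdn> <workdir> <req_extensions line>
    # Minimal stand-in for openssl.cnf; $3 is the line the note has you uncomment.
    cat > "$2/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
$3

[ req_dn ]
CN = $1

[ v3_req ]
subjectAltName=DNS:$1
EOF
    # -nodes skips the key password so the example runs unattended;
    # the note's command prompts for one instead.
    openssl req -newkey rsa:2048 -nodes -config "$2/req.cnf" \
        -out "$2/request.pkcs10" -keyout "$2/privkey" 2>/dev/null
}

csr_has_san() {   # usage: csr_has_san <csr file> <fqdn>; status 0 if present
    # Split the SAN list into one entry per line and require an exact match,
    # so DNS:myHost.myCo.com.example does not pass for myHost.myCo.com.
    openssl req -in "$1" -noout -text | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq "DNS:$2"
}

check_request() {   # prints "ok" or "missing SAN" for the given config line
    work=$(mktemp -d)
    make_csr myHost.myCo.com "$work" "$1" \
        || { rm -rf "$work"; echo "openssl failed"; return 2; }
    if csr_has_san "$work/request.pkcs10" myHost.myCo.com; then
        echo "ok"
    else
        echo "missing SAN"
    fi
    rm -rf "$work"
}

check_request 'req_extensions = v3_req'      # edited config
check_request '# req_extensions = v3_req'    # default, still commented out
```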

Configure the Server to Use Certificate Authentication

Follow the steps below to configure the server to use certificate authentication.

  1. On the server, create a folder under /etc/ssh2 called pki.
  2. Upload the root CA certificate in binary format to the server folder /etc/ssh2/pki.
  3. After you receive your CA-signed server certificate, upload it in binary format to the /etc/ssh2 folder. Depending on the CA used, the certificate may be in a "Base-64 encoded" or ".pem" format. Either format is acceptable.

Note: Do not use DER encoded binary for this step.

  4. Next, create the pkcs12 package from which the private key (in SSH2 format) and the CA-signed server certificate are extracted.

Execute the following command, replacing <myReceivedCert> with the certificate you received in step 6:

openssl pkcs12 -export -inkey privkey -in <myReceivedCert> -out exported.pkcs12

This command creates a file called exported.pkcs12 in your current folder.

  5. Now extract the private key (in SSH2 format) and server certificate with the command:
ssh-keygen -k exported.pkcs12

Note the following (when prompted):

    • Replace myPassword with the password you noted in step 1
    • Do not assign a passphrase to the private key when prompted; leave it blank. If you assign a passphrase, the sshd daemon cannot restart.

For example:

[root@myHost]# ssh-keygen2 -k exported.pkcs12
Password needed for PFX integrity check : myPassword
Integrity check ok.
Safe decrypted successfully.
Got certificate.
Certificate written to file exported.pkcs12_ssh2.crt
Password needed for decrypting the private key : myPassword
Got shrouded key.
New passphrase for private key : <leave blank>
Again                          : <leave blank>

Successfully saved private key to exported.pkcs12_ssh2

This command generates two files:

exported.pkcs12_ssh2.crt (the server certificate)

exported.pkcs12_ssh2 (the server private key)

Note: In some cases the public certificate (*.crt) will be named exported.pkcs12-1_ssh2.crt. If it is, rename it to remove the -1 (for example, exported.pkcs12_ssh2.crt).

  6. Modify and add the following lines in the sshd2_config file:

Under ## General, add the following lines:

HostKeyFile exported.pkcs12_ssh2
HostCertificateFile exported.pkcs12_ssh2.crt

Under ## Authentication, add the comment and modify the second line, replacing md5 with sha1:

## Define certs as having sha1 hash, not md5 - Administrator
Cert.RSA.Compat.HashScheme sha1

Add the following section:

## PKI Information
Pki /etc/ssh2/pki/myCARootCert.crt
  7. Save the sshd2_config file.
  8. Stop and restart the sshd2 daemon.
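
Before building the pkcs12 package and restarting the daemon, the server's files can be put through the same checks the client performs in the overview (CA signature, FQDN, private key). The following is an added example, not part of the original technical note: the function names, the throwaway CA and certificate it builds, and the unencrypted test key are assumptions made so it runs offline.

```shell
#!/bin/sh
# Added example, not from the technical note. File names follow the note;
# the CA and certificate built by make_constructed_pki are throwaway test data.

preflight() {   # usage: preflight <server cert> <privkey> <root CA cert> <fqdn>
    # The note rules out DER for the server certificate: require a PEM header.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || { echo "not PEM"; return 1; }
    # Overview step 2: the certificate was signed by the CA.
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || { echo "chain"; return 1; }
    # Overview step 3: the certificate carries the server's FQDN.
    openssl x509 -in "$1" -noout -checkhost "$4" | grep -q 'does match' \
        || { echo "hostname"; return 1; }
    # Overview step 4: the private key is the one the certificate was issued for.
    # (An encrypted privkey, as in the note, makes openssl prompt for its password.)
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
        || { echo "key"; return 1; }
    echo "ok"
}

make_constructed_pki() {   # usage: make_constructed_pki <dir> <fqdn>
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' > "$1/min.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/min.cnf" \
        -subj "/CN=Constructed Test Root" -keyout "$1/ca.key" \
        -out "$1/myCARootCert.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config "$1/min.cnf" -subj "/CN=$2" \
        -keyout "$1/privkey" -out "$1/request.pkcs10" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/request.pkcs10" -CA "$1/myCARootCert.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/san.ext" -days 1 \
        -out "$1/server.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_constructed_pki "$demo" myHost.myCo.com
preflight "$demo/server.crt" "$demo/privkey" "$demo/myCARootCert.crt" myHost.myCo.com
```

The function prints the first check that fails (not PEM, chain, hostname or key) and returns a non-zero status, so it can gate the restart in step 8.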
Related Technical Notes
1931 Using OpenSSL to Generate Certificate Requests and Configuring Certificate Authentication for F-Secure SSH Clients
