set ssh server pki trusted-ca-list

Use this command to establish the list of trusted CA certificates used during PKI authentication of a user's X.509 certificate.

Syntax

set ssh server pki trusted-ca-list pki-cert-list

Parameters

pki-cert-list    Specifies a named list of certificates, as configured with set pki certificate.

Defaults

None.

Mode

All command modes.

Usage

This command establishes the list of trusted CA certificates used during PKI authentication of a user's X.509 certificate. Any self-signed certificate in this list is considered a “trust anchor”, meaning that if a user certificate chain links back to one of these certificates, the remote user is considered authenticated and is thus allowed to connect to the device.

PKI cryptographically binds public keys to usernames in what are called “Digital Certificates”. The binding is performed by Certificate Authorities (CAs). A single CA may bind multiple user certificates. PKI asserts that if you trust a CA and you have that CA's certificate, then you can implicitly (rather than explicitly) trust all certificates issued by that CA.

In order for SSH to use PKI for public key authentication, the trusted-ca-list must be configured. Additionally, the device must have access to all certificates in a certificate chain. The user certificate in the chain is supplied by the SSH client during the handshake. Therefore all other certificates in the chain must be present in trusted-ca-list.

PKI verifies that every certificate in the chain was signed by its issuing CA, is currently valid (not expired), and has not been revoked (using the OCSP protocol, if enabled).
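The chain walk described above, as an added illustration that is not the device's own code or any vendor implementation: the user certificate supplied by the client is followed issuer by issuer through a constructed trusted-ca-list until a listed self-signed trust anchor is reached, and each hop is checked for expiry, revocation and issuer signature. The certificate names, key ids and day numbers are constructed, and the signature check is a digest-based stand-in for real CA signatures.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str     # stands in for the public key carried by the certificate
    not_after: int  # last valid day, as a constructed day number
    sig: str        # stand-in for the issuing CA's signature over the TBS fields
def sign(c: Cert, signer_key_id: str) -> str:
    # Stand-in for a CA signature: a digest of the TBS fields bound to the signer's key.
    tbs = f"{c.subject}|{c.issuer}|{c.key_id}|{c.not_after}"
    return hashlib.sha256(f"{signer_key_id}:{tbs}".encode()).hexdigest()
def make_cert(subject, issuer, key_id, not_after, signer_key_id):
    c = Cert(subject, issuer, key_id, not_after, "")
    return Cert(subject, issuer, key_id, not_after, sign(c, signer_key_id))

def authenticate(user_cert, trusted_ca_list, revoked, today):
    """Walk from the client-supplied user cert up to a listed self-signed anchor."""
    cert = user_cert
    for _ in range(len(trusted_ca_list) + 1):  # bounded walk: no issuer loops
        if cert.not_after < today:
            return False, f"{cert.subject}: expired"
        if cert.subject in revoked:
            return False, f"{cert.subject}: revoked"
        anchor = cert.subject == cert.issuer  # self-signed: trust anchor only if listed
        issuer = cert if anchor else trusted_ca_list.get(cert.issuer)
        if issuer is None or (anchor and trusted_ca_list.get(cert.subject) != cert):
            return False, f"{cert.subject}: issuer {cert.issuer} not in trusted-ca-list"
        if cert.sig != sign(cert, issuer.key_id):
            return False, f"{cert.subject}: signature does not verify against {issuer.subject}"
        if anchor:
            return True, f"chain anchored at {cert.subject}"
        cert = issuer
    return False, "no trust anchor reached"

ROOT = make_cert("Corp Root CA", "Corp Root CA", "k-root", 9000, "k-root")  # constructed chain
ISSUING = make_cert("Corp Issuing CA", "Corp Root CA", "k-iss", 8000, "k-root")
ALICE = make_cert("alice", "Corp Issuing CA", "k-alice", 7000, "k-iss")
FORGED = make_cert("mallory", "Corp Issuing CA", "k-mal", 7000, "k-mal")  # not CA-signed
MY_TRUSTED_CAS = {c.subject: c for c in (ROOT, ISSUING)}  # the named 'myTrustedCAs' list

def demo(today=6500):
    return {
        "full_chain": authenticate(ALICE, MY_TRUSTED_CAS, set(), today)[0],
        "missing_intermediate": authenticate(ALICE, {ROOT.subject: ROOT}, set(), today)[0],
        "revoked_ca": authenticate(ALICE, MY_TRUSTED_CAS, {"Corp Issuing CA"}, today)[0],
        "forged_signature": authenticate(FORGED, MY_TRUSTED_CAS, set(), today)[0],
    }
```

The "missing_intermediate" case shows why every certificate in the chain other than the user's must be present in the list: with only the root configured, the issuing CA cannot be located and authentication fails.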

Example

This example shows how to set the trusted CA list to myTrustedCAs:

System(rw)->set ssh server pki trusted-ca-list myTrustedCAs