The X.509 Certificate

PKI uses the X.509 certificate to authenticate an SSH client to the SSH server on the S- or K-Series device. An X.509 certificate is issued by a certificate authority (CA) and binds a public key to a subject name such as an organization name, a common name, or a DNS name. A PKI service is configured with one or more X.509 certificates, and those certificates are grouped into certificate lists; when PKI services are in use, SSH consults these certificate lists during authentication.

The X.509 certificate contains:

Use the set pki certificate command to configure PKI with an X.509 certificate and group the configured X.509 certificates in a certificate list.

The user entering the command must have admin (su) privilege. Users with read-only, read-write, or admin privilege can display PKI settings using the show pki certificate command.

Once you enter the command specifying the name of the certificate list to be entered, you are asked to enter the PKI certificate:

Enter the PEM encoded certificate-list-name certificate

Certificate data must be entered in Privacy Enhanced Mail (PEM) format, complete with the X.509 header -----BEGIN CERTIFICATE----- and footer -----END CERTIFICATE-----. Certificate entry is terminated by a blank line or by the word "quit" on a line by itself, so the pasted text must contain no empty line before the footer; an empty line ends the entry early with a truncated certificate. Note that the sample session below pastes a block with the -----BEGIN TRUSTED CERTIFICATE----- header, which is the form OpenSSL writes with openssl x509 -trustout; the plain CERTIFICATE header is the one documented for this command.

The device then displays the certificate's fingerprint, issuer, validity period, and subject. Unless you specified the no-confirm command option, you are asked to confirm the entered certificate. Before answering y, compare the displayed fingerprint with one computed independently from the file you pasted (the value shown is 20 bytes, the length of a SHA-1 digest, which openssl x509 -fingerprint -sha1 also produces); a mismatch means the paste was altered or truncated, or that the file is not the one you intended.

This example shows how to set the myTrustedOcspSigningCerts PKI certificate, followed by a display of the entered certificate details:

System(su)->set pki certificate myTrustedOcspSigningCerts
Enter the PEM encoded myTrustedOcspSigningCerts certificate
End with a blank line or the word "quit" on a line by itself
-----BEGIN TRUSTED CERTIFICATE-----
...
-----END TRUSTED CERTIFICATE-----
quit
Entered certificate has the following attributes:
  Fingerprint: a2:33:a9:df:df:8a:fb:9a:d2:f0:5e:c0:c3:8a:8a:4b:ad:0a:6f:1b
        Issuer: C=US, O=Enterasys, OU=DoD, OU=PKI, CN=Esys JITC Root CA 2
        Validity
            Not Before: Feb 21 18:44:14 2012 GMT
            Not After : Feb 18 18:44:14 2022 GMT
        Subject: C=US, O=Enterasys, OU=DoD, OU=PKI, CN=Esys JITC Root CA 2 OCSP Delegate 2
Do you accept this certificate (y/n) [n]?y
System(su)->
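The following shell script is an added example; it is not part of the Enterasys documentation or of the device software. It performs, with the openssl command-line tool, the checks a practitioner would want before pasting a certificate into set pki certificate and before answering y at the confirmation prompt: that the file is a single plain CERTIFICATE PEM block (rewriting a TRUSTED CERTIFICATE block into that form when needed), that the SHA-1 fingerprint of the file matches what the device echoes back, and, going beyond what the page states, that a certificate destined for an OCSP signing list carries the OCSP Signing extended key usage that RFC 6960 requires of a delegated responder. It assumes openssl 1.1.1 or later is installed; the self-signed certificate it generates is a constructed throwaway for the demonstration, and the function names, file names, and subject values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Enterasys documentation or device software:
# checks to run on a certificate file with the openssl CLI before pasting it
# into "set pki certificate". Assumes openssl 1.1.1 or later is installed.
# The device's display format is only approximated here.

# Succeed only if FILE holds exactly one PEM block with the plain CERTIFICATE
# header and footer the command expects; fail for anything else (a TRUSTED
# CERTIFICATE block, a private key, a bundle of several certificates, or a
# CRLF file whose footer does not match the "$" anchor).
pem_check() {
    file="$1"
    begins=$(grep -c '^-----BEGIN ' "$file" || true)
    plain=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    [ "$begins" -eq 1 ] && [ "$plain" -eq 1 ] && [ "$ends" -eq 1 ]
}

# Rewrite any certificate openssl can read (including the TRUSTED CERTIFICATE
# form written by "openssl x509 -trustout") as a plain CERTIFICATE block with
# LF line endings, ready to paste.
to_plain_pem() {
    openssl x509 -in "$1" -out "$2"
}

# Lowercase, colon-separated SHA-1 over the DER certificate: the same 20-byte
# form the device echoes as "Fingerprint:". Compare it with the device's value
# before answering "y".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -sha1 -fingerprint \
        | sed 's/^.*Fingerprint=//' | tr 'A-F' 'a-f'
}

# Issuer, validity and subject for a side-by-side comparison with the echo.
cert_summary() {
    openssl x509 -in "$1" -noout -issuer -dates -subject
}

# A delegated OCSP responder certificate must carry the id-kp-OCSPSigning
# extended key usage (RFC 6960, section 4.2.2.2). Worth checking before a
# certificate goes into a list of trusted OCSP signing certificates.
eku_ocsp_check() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q 'OCSP Signing'
}

# Constructed throwaway self-signed certificate for the demonstration (a real
# OCSP delegate is issued by the CA whose responses it signs), plus the same
# certificate in the TRUSTED CERTIFICATE wrapper.
make_demo_cert() {
    dir="$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 1 \
        -subj '/C=US/O=Example/CN=Example OCSP Delegate' \
        -addext 'extendedKeyUsage=OCSPSigning' 2>/dev/null
    openssl x509 -in "$dir/cert.pem" -trustout -out "$dir/trusted.pem"
}

demo() {
    tmp=$(mktemp -d)
    make_demo_cert "$tmp"
    for name in cert.pem trusted.pem; do
        if pem_check "$tmp/$name"; then
            echo "$name: plain CERTIFICATE block, ready to paste"
        else
            echo "$name: not a plain CERTIFICATE block, rewriting"
            to_plain_pem "$tmp/$name" "$tmp/plain.pem" && echo "  written: $tmp/plain.pem"
        fi
    done
    echo "  Fingerprint: $(cert_fingerprint "$tmp/cert.pem")"
    cert_summary "$tmp/cert.pem" | sed 's/^/  /'
    eku_ocsp_check "$tmp/cert.pem" && echo "  OCSP Signing EKU present"
}

demo
```

Run the script as is to see the demonstration; for a real certificate, call pem_check, cert_fingerprint and eku_ocsp_check on your own file and keep the fingerprint at hand while the device waits for the y/n answer. The fingerprint is the value to trust: the subject and issuer strings are easy to spoof with a look-alike certificate, the digest of the DER bytes is not.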