PKI uses X.509 certificates to authenticate an SSH client to the S- or K-Series device SSH server. An X.509 certificate is issued by a certificate authority (CA) and binds a public key to an organizational name, common name, or DNS entry. A PKI service is configured with one or more X.509 certificates, and those certificates are grouped in certificate lists. When PKI services are in use, SSH consults these certificate lists during authentication.
The X.509 certificate contains:
Use the set pki certificate command to configure PKI with an X.509 certificate and group the configured X.509 certificates in a certificate list.
The user entering the command must have admin (su) privilege. Users with read-only, read-write, or admin privilege can display PKI settings using the show pki certificate command.
Once you enter the command with the name of the certificate list, you are prompted to enter the PKI certificate:
Enter the PEM encoded certificate-list-name certificate
Certificate data must be entered in Privacy Enhanced Mail (PEM) format, complete with the X.509 header -----BEGIN CERTIFICATE----- and footer -----END CERTIFICATE-----. Certificate entry is terminated by entering a blank line or the word "quit" on a line by itself.
The attributes of the entered certificate are then displayed. Unless you specified the no-confirm command option, you are asked to confirm the entered certificate.
This example shows how to set a PKI certificate in the myTrustedOcspSigningCerts certificate list, followed by the display of the entered certificate's details:
System(su)->set pki certificate myTrustedOcspSigningCerts
Enter the PEM encoded myTrustedOcspSigningCerts certificate
End with a blank line or the word "quit" on a line by itself
-----BEGIN TRUSTED CERTIFICATE-----
MIIELjCCAxagAwIBAgIBBDANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJVUzES
MBAGA1UEChMJRW50ZXJhc3lzMQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTEc
MBoGA1UEAxMTRXN5cyBKSVRDIFJvb3QgQ0EgMjAeFw0xMjAyMjExODQ0MTRaFw0y
MjAyMTgxODQ0MTRaMGsxCzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlFbnRlcmFzeXMx
DDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUEtJMSwwKgYDVQQDEyNFc3lzIEpJVEMg
Um9vdCBDQSAyIE9DU1AgRGVsZWdhdGUgMjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKvefxWIoURH/32iw8mS64MIc0k0+/8zN2lHf/s+T+MbqlmUqriC
Ax2JfCGM1jcpgQB4gdMU0fqMsgb1aQ5Vy3adtAzj7jZ9IS3OmX2O0ZBRi4rXr1dg
NukkfOdSBg68/pzzjdaZEsbeeXNdZnbtlemex+9KvBJ9TLw8pt4ZxQF12AIulRAI
Ov4WVcpnHHQL7WAcEcF56xqcYLkDYKDHhqkwanM8kEnHptWvTVqv9hEr054wu88a
lqzPYLnhNdY8mqsOAFuBM/kJcblSZjb+VI4bfwOAAn/SikbBqn9+9jG4lE1WUPDB
sWIdfZt6p+7tF3kx+ayfx0aYvFGunoi6RrECAwEAAaOB7DCB6TAOBgNVHQ8BAf8E
BAMCAYYwgYMGA1UdIwR8MHqAFFckAV1bJeN4QrJH3z97+YOQyrLgoV+kXTBbMQsw
CQYDVQQGEwJVUzESMBAGA1UEChMJRW50ZXJhc3lzMQwwCgYDVQQLEwNEb0QxDDAK
BgNVBAsTA1BLSTEcMBoGA1UEAxMTRXN5cyBKSVRDIFJvb3QgQ0EgMoIBBTAdBgNV
HQ4EFgQUS9Nou/9KbX2HFzFcsWqJf3HklyIwDAYDVR0TAQH/BAIwADATBgNVHSUE
DDAKBggrBgEFBQcDCTAPBgkrBgEFBQcwAQUEAgUAMA0GCSqGSIb3DQEBBQUAA4IB
AQCXKen2sXv68AaA7JK1uJhVD9xRuWw7O+J3Q8zA4B/BM5vkhiZZMK+Ro70HaQSI
ebAjrXsZ1VUD1pS5nkud2TawYwICyL8jxxbIX9nnIC6esr9shmCaxv/pCXMI5iZr
3zPism/n8OJpk6ZR75F/8Tnt8lUXrSFvJdwxb76nFR6zPStNorSuSgrZaGtmftUj
xZs7/PKXxWoryZmfua6oIg7SACWApBSu6Jhj7lgS6wAvow4K3WCbso+afmnpcNT7
kMkWJO7J4jUaKS/yjn8xkO2HhZZ+g1Lh1lK00i+hOx515aUHj2DpxMNQtiTvNnJr
5LJ+xqz0gfSDJB385ZTM6o4b
-----END TRUSTED CERTIFICATE-----
quit
Entered certificate has the following attributes:
Fingerprint: a2:33:a9:df:df:8a:fb:9a:d2:f0:5e:c0:c3:8a:8a:4b:ad:0a:6f:1b
Issuer: C=US, O=Enterasys, OU=DoD, OU=PKI, CN=Esys JITC Root CA 2
Validity
Not Before: Feb 21 18:44:14 2012 GMT
Not After : Feb 18 18:44:14 2022 GMT
Subject: C=US, O=Enterasys, OU=DoD, OU=PKI, CN=Esys JITC Root CA 2 OCSP Delegate 2
Do you accept this certificate (y/n) [n]?y
System(su)->
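Before answering the confirmation prompt, an administrator wants to know that the pasted block was complete and that the fingerprint the device prints matches one computed independently from the same PEM file. The script below is an added example, not part of the S-/K-Series documentation or firmware: it applies the same entry rules the CLI uses (BEGIN/END lines, entry ended by a blank line or "quit"), checks that the decoded DER is as long as its outer SEQUENCE declares so a paste that lost lines is caught, and prints a colon-separated SHA-1 fingerprint. That the device's 20-byte fingerprint is SHA-1 over the DER is an assumption drawn from its length, and the sample input is a constructed stand-in rather than a real certificate.

```python
"""Pre-flight checks for a PEM certificate before it is pasted into
set pki certificate (added example; not S-/K-Series firmware code)."""
import base64
import hashlib
import re

# Accepts the plain label and the OpenSSL "TRUSTED CERTIFICATE" label seen in the example.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z ]*CERTIFICATE)-----$")

def read_pasted_pem(text: str) -> bytes:
    """Apply the CLI's entry rules to pasted text and return the DER bytes.
    Entry stops at the first blank line or a line that is exactly "quit";
    the block must carry matching BEGIN/END CERTIFICATE lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "quit"):
            break
        lines.append(line)
    if not lines:
        raise ValueError("no certificate lines before the terminator")
    m = BEGIN_RE.match(lines[0])
    if m is None:
        raise ValueError("missing -----BEGIN CERTIFICATE----- header")
    if lines[-1] != f"-----END {m.group(1)}-----":
        raise ValueError("missing or mismatched END footer (truncated paste?)")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def der_length_ok(der: bytes) -> bool:
    """True when der is one SEQUENCE whose declared length matches the body.
    A paste that lost whole 64-character lines may still base64-decode;
    this catches it before the device is asked to accept the result."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:            # short-form length
        declared, header = first, 2
    else:                       # long form: next n bytes hold the length
        n = first & 0x7F
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return len(der) == header + declared

def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated digest in the 20-byte form the device prints (assumed
    to be SHA-1 over the DER; inferred from its length, not documented here)."""
    return ":".join(f"{b:02x}" for b in hashlib.sha1(der).digest())

# Constructed stand-in (a SEQUENCE holding one INTEGER), not a real certificate.
SAMPLE_DER = bytes.fromhex("30050203010203")
SAMPLE_PASTE = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\nquit\n" % base64.b64encode(SAMPLE_DER).decode()
```

Run read_pasted_pem on the PEM file you are about to paste, then compare sha1_fingerprint of the result with the Fingerprint line the device shows before answering y.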