Configure X.509 V3 Authentication

Note

DEMO FEATURE - Two-Factor Authentication–X.509v3 Certificates for SSH is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see Fabric Engine and VOSS Feature Support Matrix.

Procedure

Enter Global Configuration mode:

enable

configure terminal
Enable X.509 V3 authentication:

ssh x509v3-auth enable
Configure X.509 V3 revocation:

ssh x509v3-auth revocation-check-method {none | ocsp}
Configure X.509 V3 username:

ssh x509v3-auth username {overwrite | strip-domain | use-domain WORD<1-254>}
Configure X.509 V3 CA trustpoint name:

ssh x509v3-auth ca-name WORD<1-45>
Configure the X.509 V3 digital certificate subject name to use as the identity certificate:

ssh x509v3-auth cert-subject-name WORD<1-45>

Example

Display the certificate authority details:

Switch:1(config)#show certificate ca 


CA table entry
Name                      :   823-pki[auto-installed]
CommonName                :   CaA2-1
KeyName                   :   pki
SubjectName               :   823
CaUrl                     :   
UsePost                   :   0
SubjectCertValidityDays   :   0
Action                    :   (null)
LastActionStatus          :   (null)
LastActionFailureReason   :   
CA-Auth Sha256Fingerprint :   
UsedFor                   :   SSH-X509 


CA table entry
Name                      :   a1
CommonName                :   CaA1
KeyName                   :   rsa_2048
SubjectName               :   
CaUrl                     :   http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
UsePost                   :   1
SubjectCertValidityDays   :   365
Action                    :   (null)
LastActionStatus          :   (null)
LastActionFailureReason   :   
CA-Auth Sha256Fingerprint :   bd9bb74b3f4d75e86113222a8d291b6349c7a42c457e487b9be0a48b4f09cc7c
UsedFor                   :   


CA table entry
Name                      :   a2
CommonName                :   CaA2
KeyName                   :   pki2
SubjectName               :   822
CaUrl                     :   http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
UsePost                   :   1
SubjectCertValidityDays   :   365
Action                    :   (null)
LastActionStatus          :   (null)
LastActionFailureReason   :   
CA-Auth Sha256Fingerprint :   0ccb8d0c38d36cf427187f0e1dd380536c078fd6fae39ec9872187327912056b
UsedFor                   :   Default

Variable Definitions

The following table defines parameters for the ssh x509v3-auth command.


Variable	Value
`<none\|oscp>`	Specifies the X.509 V3 authentication revocation check method. The default is OCSP. none - Specifies no revocation check method. oscp - Specifies Online Certificate Status Protocol (OSCP) as revocation check method. x509v3-auth is available for demonstration purposes on some products. For more information, see Fabric Engine and VOSS Feature Support Matrix.
`overwrite\|strip-domain\|use-domain WORD<1-254>`	Specifies the X.509 V3 username configuration. The default is disabled. overwrite - Specifies the switch to send the principal name and domain name from the certificate to the RADIUS server for authorization. strip-domain - Specifies the switch to send the princial name from the certificate without the domain name to the RADIUS server for authorization. use-domain `WORD<1-254>` - Specifies the switch to send the principal name from the certificate, with the domain name you entered to the RADIUS server for authorization. x509v3-auth is available for demonstration purposes on some products. For more information, see Fabric Engine and VOSS Feature Support Matrix.
ca-name `WORD<1-45>` Note: Exception: Not supported on VSP 8600 Series	Specifies the X.509 V3 CA trustpoint name.
cert-subject-name`WORD<1-45>` Note: Exception: Not supported on VSP 8600 Series	Specifies the digital certificate subject name to be used as the identity certificate.