Configure X.509 V3 Authentication
Note
DEMO FEATURE - Two-Factor Authentication–X.509v3 Certificates for SSH is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see VOSS Feature Support Matrix.
Procedure
Example
Display the certificate authority details:
Switch:1(config)#show certificate ca CA table entry Name : 823-pki[auto-installed] CommonName : CaA2-1 KeyName : pki SubjectName : 823 CaUrl : UsePost : 0 SubjectCertValidityDays : 0 Action : (null) LastActionStatus : (null) LastActionFailureReason : CA-Auth Sha256Fingerprint : UsedFor : SSH-X509 CA table entry Name : a1 CommonName : CaA1 KeyName : rsa_2048 SubjectName : CaUrl : http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe UsePost : 1 SubjectCertValidityDays : 365 Action : (null) LastActionStatus : (null) LastActionFailureReason : CA-Auth Sha256Fingerprint : bd9bb74b3f4d75e86113222a8d291b6349c7a42c457e487b9be0a48b4f09cc7c UsedFor : CA table entry Name : a2 CommonName : CaA2 KeyName : pki2 SubjectName : 822 CaUrl : http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe UsePost : 1 SubjectCertValidityDays : 365 Action : (null) LastActionStatus : (null) LastActionFailureReason : CA-Auth Sha256Fingerprint : 0ccb8d0c38d36cf427187f0e1dd380536c078fd6fae39ec9872187327912056b UsedFor : Default
Variable Definitions
The following table defines parameters for the ssh x509v3-auth command.
Variable | Value |
---|---|
<none|oscp> |
Specifies the X.509 V3 authentication revocation check method. The default is OCSP.
x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix. |
overwrite|strip-domain|use-domain WORD<1-254> |
Specifies the X.509 V3 username configuration. The default is disabled.
x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix. |
ca-name WORD<1-45> Note: Exception: Not supported on VSP 8600
Series
|
Specifies the X.509 V3 CA trustpoint name. |
cert-subject-nameWORD<1-45> Note: Exception: Not supported on VSP 8600
Series
|
Specifies the digital certificate subject name to be used as the identity certificate. |