Configure X.509 V3 Authentication

Note

DEMO FEATURE - Two-Factor Authentication–X.509v3 Certificates for SSH is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see VOSS Feature Support Matrix.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Enable X.509 V3 authentication:

    ssh x509v3-auth enable

  3. Configure the X.509 V3 revocation check method (OCSP unless you explicitly choose none):

    ssh x509v3-auth revocation-check-method {none | ocsp}

  4. Configure how the username taken from the client certificate is sent to the RADIUS server:

    ssh x509v3-auth username {overwrite | strip-domain | use-domain WORD<1-254>}

  5. Configure X.509 V3 CA trustpoint name:

    ssh x509v3-auth ca-name WORD<1-45>

  6. Configure the X.509 V3 digital certificate subject name to be used as the identity certificate:

    ssh x509v3-auth cert-subject-name WORD<1-45>

Example

Display the certificate authority details:

Switch:1(config)#show certificate ca

CA table entry
Name                      :   823-pki[auto-installed]
CommonName                :   CaA2-1
KeyName                   :   pki
SubjectName               :   823
CaUrl                     :   
UsePost                   :   0
SubjectCertValidityDays   :   0
Action                    :   (null)
LastActionStatus          :   (null)
LastActionFailureReason   :   
CA-Auth Sha256Fingerprint :   
UsedFor                   :   SSH-X509 


CA table entry
Name                      :   a1
CommonName                :   CaA1
KeyName                   :   rsa_2048
SubjectName               :   
CaUrl                     :   http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
UsePost                   :   1
SubjectCertValidityDays   :   365
Action                    :   (null)
LastActionStatus          :   (null)
LastActionFailureReason   :   
CA-Auth Sha256Fingerprint :   bd9bb74b3f4d75e86113222a8d291b6349c7a42c457e487b9be0a48b4f09cc7c
UsedFor                   :   


CA table entry
Name                      :   a2
CommonName                :   CaA2
KeyName                   :   pki2
SubjectName               :   822
CaUrl                     :   http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
UsePost                   :   1
SubjectCertValidityDays   :   365
Action                    :   (null)
LastActionStatus          :   (null)
LastActionFailureReason   :   
CA-Auth Sha256Fingerprint :   0ccb8d0c38d36cf427187f0e1dd380536c078fd6fae39ec9872187327912056b
UsedFor                   :   Default 

Variable Definitions

The following table defines parameters for the ssh x509v3-auth command.

Variable Value

<none|ocsp>

Specifies the X.509 V3 authentication revocation check method. The default is OCSP.

  • none - Specifies no revocation check method. A revoked client certificate that is otherwise valid is still accepted, so use this only in a lab.

  • ocsp - Specifies Online Certificate Status Protocol (OCSP) as the revocation check method.

x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix.

overwrite|strip-domain|use-domain WORD<1-254>

Specifies the X.509 V3 username configuration. The default is disabled.

  • overwrite - Specifies that the switch sends the principal name and domain name from the certificate to the RADIUS server for authorization.

  • strip-domain - Specifies that the switch sends the principal name from the certificate without the domain name to the RADIUS server for authorization.

  • use-domain WORD<1-254> - Specifies that the switch sends the principal name from the certificate, with the domain name you entered, to the RADIUS server for authorization.


ca-name WORD<1-45>

Note: Exception: Not supported on VSP 8600 Series
Specifies the X.509 V3 CA trustpoint name.

cert-subject-name WORD<1-45>

Note: Exception: Not supported on VSP 8600 Series
Specifies the digital certificate subject name to be used as the identity certificate.
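The following script is an added example, not Extreme Networks code. It ties together the show certificate ca output in the Example section and the ssh x509v3-auth username modes defined in this table: it parses the CA table text (embedded below, constructed from the page and abridged to the fields the checks read), finds the entry that ssh x509v3-auth ca-name would select, flags the conditions a reviewer would raise before enabling the feature, and models what username each mode forwards to RADIUS. Assumptions: the principal name read from a client certificate has the form user@domain, and an empty CA-Auth Sha256Fingerprint means the CA certificate was not authenticated by fingerprint when it was installed, so it should be verified out of band.

```python
"""Audit helper for the VOSS 'ssh x509v3-auth' settings on this page.

Added example, not Extreme Networks code. Assumes a 'user@domain' principal
name in the client certificate and treats an empty CA-Auth fingerprint as
"CA certificate not pinned; verify out of band".
"""

# Constructed sample: the three 'CA table entry' blocks from the page,
# abridged to the fields the audit below reads.
SHOW_CERT_CA = """\
CA table entry
Name                      :   823-pki[auto-installed]
CommonName                :   CaA2-1
KeyName                   :   pki
SubjectName               :   823
CaUrl                     :
UsePost                   :   0
SubjectCertValidityDays   :   0
CA-Auth Sha256Fingerprint :
UsedFor                   :   SSH-X509
CA table entry
Name                      :   a1
CommonName                :   CaA1
KeyName                   :   rsa_2048
SubjectName               :
CaUrl                     :   http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
UsePost                   :   1
SubjectCertValidityDays   :   365
CA-Auth Sha256Fingerprint :   bd9bb74b3f4d75e86113222a8d291b6349c7a42c457e487b9be0a48b4f09cc7c
UsedFor                   :
CA table entry
Name                      :   a2
CommonName                :   CaA2
KeyName                   :   pki2
SubjectName               :   822
CaUrl                     :   http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
UsePost                   :   1
SubjectCertValidityDays   :   365
CA-Auth Sha256Fingerprint :   0ccb8d0c38d36cf427187f0e1dd380536c078fd6fae39ec9872187327912056b
UsedFor                   :   Default
"""


def parse_ca_table(text):
    """Split 'show certificate ca' output into one dict per 'CA table entry'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "CA table entry":
            entries.append({})
        elif entries and ":" in line:
            # Split on the first ':' only, so URLs in CaUrl stay intact.
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries


def ssh_x509_trustpoint(entries, ca_name):
    """Return the entry 'ssh x509v3-auth ca-name <ca_name>' selects, or None."""
    return next((e for e in entries if e.get("Name") == ca_name), None)


def audit(entries, ca_name, revocation_method):
    """Return the findings a reviewer would raise for this configuration."""
    findings = []
    tp = ssh_x509_trustpoint(entries, ca_name)
    if tp is None:
        findings.append(f"ca-name {ca_name!r} is not in the CA table")
    else:
        if tp.get("UsedFor") != "SSH-X509":
            used = tp.get("UsedFor") or "(empty)"
            findings.append(f"{ca_name!r} is UsedFor={used}, not SSH-X509")
        if not tp.get("CA-Auth Sha256Fingerprint"):  # assumption: unpinned CA
            findings.append(f"{ca_name!r} has no CA-Auth fingerprint; verify the CA out of band")
    if revocation_method == "none":
        findings.append("revocation-check-method none: revoked client certificates are still accepted")
    elif revocation_method != "ocsp":
        findings.append(f"unknown revocation-check-method {revocation_method!r}")
    return findings


def radius_username(principal, mode, domain=None):
    """Model 'ssh x509v3-auth username {overwrite | strip-domain | use-domain WORD}'.

    principal is the 'user@domain' name from the client certificate (assumed
    form); the return value is the username forwarded to the RADIUS server.
    """
    user, _, _cert_domain = principal.partition("@")
    if mode == "overwrite":
        return principal
    if mode == "strip-domain":
        return user
    if mode == "use-domain":
        if not domain or not 1 <= len(domain) <= 254:  # WORD<1-254>
            raise ValueError("use-domain needs a domain of 1-254 characters")
        return f"{user}@{domain}"
    raise ValueError(f"unknown username mode {mode!r}")
```

Run audit() with the trustpoint name you intend to pass to ssh x509v3-auth ca-name and the revocation method you intend to configure. Against the page's own output, the auto-installed 823-pki entry is the only one marked UsedFor SSH-X509 but carries no fingerprint, while a2 is fingerprinted but marked Default; either combination deserves a second look before the feature is enabled.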