5.6 Obtain Authentication Certificates

Before you can configure authentication using certificates, you need a private key and an associated certificate signed by a trusted CA. For server authentication, these need to be installed and configured on the server. For user authentication, these need to be installed and configured on the client.

There are several ways to obtain the key and associated certificate. The approach you take depends on whether you want to obtain a certificate for an existing key, generate a new key and obtain a certificate for it, or obtain both the private key and the certificate from the CA.

To obtain a certificate for an existing private key

  1. Use ssh-certtool to create a certificate request for your private key. For example:

    ssh-certtool -p privatekey pkcs10 "CN=acme,OU=demo,C=US"

    This creates a request file in PKCS#10 format. The default filename is output.pkcs10.

  2. Submit the certificate request to the CA.

    The CA returns a digitally signed certificate.

  3. If the returned certificate is packaged as a PKCS#12 (*.pfx or *.p12) or PKCS#7 file, you can use ssh-keygen to extract the certificate from the returned package.

    Use -k to extract the contents of a PKCS#12 file:

    ssh-keygen -k package.pfx

    Use -7 to extract the contents of a PKCS#7 file:

    ssh-keygen -7 pkcs7file

To generate a new private key and obtain a certificate

  1. Use ssh-certtool to create a private key and a certificate request for this private key. For example, to generate an RSA key:

    ssh-certtool -n rsa pkcs10 "CN=acme,OU=demo,C=US"

    This creates a request file in PKCS#10 format. The default filename is output.pkcs10.

  2. Submit the certificate request to the CA.

    The CA returns a digitally signed certificate.

  3. If the returned certificate is packaged as a PKCS#12 (*.pfx or *.p12) or PKCS#7 file, you can use ssh-keygen to extract the certificate from the returned package.

    Use -k to extract the contents of a PKCS#12 file:

    ssh-keygen -k package.pfx

    Use -7 to extract the contents of a PKCS#7 file:

    ssh-keygen -7 pkcs7file

To obtain both the private key and certificate from a CA

  1. Submit your request to the CA.

    The CA returns a PKCS#12 (*.pfx or *.p12) that contains both the private key and a digitally signed certificate.

  2. Use ssh-keygen with the -k option to extract the key and the certificate from the returned package. For example:

    ssh-keygen -k package.pfx
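The following script is an added worked example, not part of this manual and not the product's ssh-certtool or ssh-keygen. It walks the same three procedures with the OpenSSL command-line tool (generate a key and a PKCS#10 request, have a CA sign it, extract the certificate from PKCS#12 and PKCS#7 packaging) and adds the two checks worth running on whatever the CA returns before you install it: that the certificate really carries the public key of your private key, and that it chains to the CA you trust. The CA is a constructed, throwaway self-signed root standing in for the real CA; the subject matches the manual's example, and the PKCS#12 password "demo" and scratch directory are assumptions of the example.

```shell
#!/bin/sh
# Added worked example: reproduces the three procedures with OpenSSL
# (not Reflection's ssh-certtool/ssh-keygen) and adds the checks worth running
# on what the CA sends back. The CA here is a constructed self-signed stand-in.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for all files (assumed)
SUBJ="/CN=acme/OU=demo/C=US"          # same subject as the manual's examples

# Procedure 2, step 1: new RSA key plus a PKCS#10 request for it.
# (Procedure 1, step 1 is the same 'openssl req' line run against an existing key.)
make_request() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/privatekey.pem" 2>/dev/null
  openssl req -new -key "$WORK/privatekey.pem" -subj "$SUBJ" -out "$WORK/output.pkcs10"
}

# Check before submitting: confirm the request carries the intended subject.
request_subject() {
  openssl req -in "$WORK/output.pkcs10" -noout -subject
}

# Constructed stand-in for the CA: a throwaway self-signed root.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA/O=demo" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2: the CA signs the request and returns the certificate, packaged here
# both ways the manual mentions: PKCS#12 (key + cert + CA) and PKCS#7 (certs only).
ca_sign_and_package() {
  openssl x509 -req -in "$WORK/output.pkcs10" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/privatekey.pem" -in "$WORK/cert.pem" \
    -certfile "$WORK/ca.pem" -passout pass:demo -out "$WORK/package.pfx"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.pem" -certfile "$WORK/ca.pem" \
    -out "$WORK/pkcs7file"
}

# Step 3: extract the end-entity certificate from each package type.
extract_pkcs12() {
  openssl pkcs12 -in "$WORK/package.pfx" -passin pass:demo -clcerts -nokeys \
    -out "$WORK/from_p12.pem"
}
extract_pkcs7() {
  openssl pkcs7 -in "$WORK/pkcs7file" -print_certs -out "$WORK/from_p7_all.pem"
  openssl x509 -in "$WORK/from_p7_all.pem" -out "$WORK/from_p7.pem"   # first cert = leaf
}

# Check 1: the returned certificate must carry the public key of OUR private key.
# Compares SHA-256 of the DER SubjectPublicKeyInfo derived from each side.
cert_matches_key() {   # usage: cert_matches_key KEYFILE CERTFILE
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256); k=${k##*= }
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER \
      | openssl dgst -sha256); c=${c##*= }
  [ "$k" = "$c" ]
}

# Check 2: the certificate must chain to the CA we actually trust.
cert_chains_to_ca() {  # usage: cert_chains_to_ca CERTFILE
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null
}

run_demo() {
  make_request; make_ca; ca_sign_and_package; extract_pkcs12; extract_pkcs7
  echo "request: $(request_subject)"
  cert_matches_key "$WORK/privatekey.pem" "$WORK/from_p12.pem" && echo "PKCS#12 cert matches key"
  cert_matches_key "$WORK/privatekey.pem" "$WORK/from_p7.pem"  && echo "PKCS#7 cert matches key"
  cert_chains_to_ca "$WORK/from_p12.pem" && echo "cert chains to CA"
}

run_demo
```

The key-match check compares the DER-encoded SubjectPublicKeyInfo rather than eyeballing modulus text, so it works the same for RSA and EC keys; a certificate that fails it was issued for some other key (for example a stale request) and must not be installed beside this private key. The chain check uses only the CA file you chose to trust, not the copy of the CA certificate that came back inside the PKCS#12 or PKCS#7 package.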