Gentoo Forums
[HOWTO] SSH & X509 certificates

Joined: 19 Aug 2003
Posts: 62

PostPosted: Tue Mar 07, 2006 6:47 pm    Post subject: [HOWTO] SSH & X509 certificates

Hi all,

I have not seen any "simple" documentation explaining how to enable X509 certificates for SSH keys.
The author of the X509 patch for OpenSSH provides useful information on this webpage:
But you need to have a good knowledge of OpenSSL to have it work!

So here is my documentation for dummy gentoo users... :wink:

1/ Introduction

There is no standard way of managing SSH keys. You can always exchange a user or host key with
one of your friends and check the fingerprint together, but what if you want to be sure of the
authenticity of hundreds of keys?

X509 certificates could be a solution: keys are signed by a Certification Authority (CA).
Then what you check is only this signature instead of SSH public keys.

In this guide we will assume that user toto from client foo wants to authenticate against SSH server bar.
Our OpenSSL PKI will be installed on foo.

2/ Emerge OpenSSH

[root@foo]$ USE="X509 -ldap" emerge openssh
[root@bar]$ USE="X509 -ldap" emerge openssh

Note I tested with openssh ebuild 4.3_p2-r1.

3/ Create a PKI

[root@foo]$ emerge openssl    # if not already installed
[root@foo]$ mkdir /opt/LocalCA
[root@foo]$ cd  /opt/LocalCA
[root@foo]$ mkdir certs
[root@foo]$ mkdir conf
[root@foo]$ mkdir private
[root@foo]$ chmod 700 private
[root@foo]$ echo '01' > serial
[root@foo]$ touch index.txt

Edit /opt/LocalCA/conf/fooCA.cnf:
A template can be found at
You may just change the [ root_ca_distinguished_name ] section to match your data.

This file will be used to generate our CA certificate in .pem format:
[root@foo]$ cd /opt/LocalCA
[root@foo]$ export OPENSSL_CONF=/opt/LocalCA/conf/fooCA.cnf
[root@foo]$ openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825

3/ Client configuration

On foo client, we need to sign our ssh keys. We will save the configuration request in /opt/LocalCA/conf/toto@foo.cnf:

[ ca ]
default_ca      = local_ca

[ local_ca ]
dir             = /opt/LocalCA
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/certs
private_key     = $dir/private/cakey.pem
serial          = $dir/serial

default_crl_days        = 365
default_days            = 1825
default_md              = md5

policy          = local_ca_policy

[ local_ca_policy ]
commonName              = supplied
#stateOrProvinceName    = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
#organizationalUnitName = supplied

[ req ]
default_md      = md5

prompt                  = no
distinguished_name      = toto_distinguished_name
x509_extensions         = usr_cert

[ toto_distinguished_name ]
commonName              = toto tutu
countryName             = FR
emailAddress            =
organizationName        = mycompany

[ usr_cert ]
basicConstraints                = CA:FALSE
nsCertType                      = client,email
nsComment                       = "OpenSSL Generated OpenSSH Client Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always

[ srv_cert ]
basicConstraints                = CA:FALSE
nsCertType                      = server,client
nsComment                       = "OpenSSL Generated OpenSSH Server Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always

Replace the [ toto_distinguished_name ] section by your data.
Now we request and sign a certificate, then update our SSH keys.

[toto@foo]$ cd ~/.ssh
[toto@foo]$ ssh-keygen -t rsa -b 1024 -f id_rsa -N ""
[toto@foo]$ export OPENSSL_CONF=/opt/LocalCA/conf/toto@foo.cnf
[toto@foo]$ openssl req -new -key id_rsa -out id_rsa.csr
[root@foo]$ openssl ca -in id_rsa.csr -out id_rsa.crt
[toto@foo]$ openssl x509 -in id_rsa.crt -subject -issuer -alias >> id_rsa
[toto@foo]$ ssh-keygen -y -f id_rsa >

Your key should now look like:

4/ Server configuration

On server side, edit ~toto/.ssh/authorized_keys:

x509v3-sign-rsa subject= /CN=toto tutu/C=FR/

where subject= ... is the output of the following command:
openssl x509 -noout -subject -in id_rsa.crt

The sshd daemon also needs to have the CA certificate to validate toto's certificate:
copy cacert.pem from foo machine to the /etc/ssh/ca/crt/ directory on bar, then
[root@bar]$ cd /etc/ssh/ca/crt
[root@bar]$ ln -s cacert.pem HASH.0

where HASH is the output of the following command:
[root@bar]$ openssl x509 -in cacert.pem -noout -hash

5/ Test

Here we are!
Test ssh authentication with certificate:
[toto@foo]$ ssh bar

You should not be asked for any password and the ssh logs should indicate:
Mar  7 15:21:42 bar sshd[24496]: Accepted publickey for toto from port 41271 ssh2

If it is not working, you may grab some useful information there, like
'unable to get local issuer certificate' or whatever.

6/ Host certificates

You may use certificates with host keys. Just repeat step 3/ with your SSH host key (/etc/ssh/ssh_host_rsa_key).
On client side, you also need to copy the CA certificate (cacert.pem).

After accepting the new key, your known_hosts file should look like:
bar, x509v3-sign-rsa Subject: ...
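As an added, stand-alone example (not code from the forum post, nor from the OpenSSH X509 patch), the Python script below parses the `x509v3-sign-rsa subject= /CN=.../C=...` entries that step 4/ puts in authorized_keys and the `bar, x509v3-sign-rsa Subject: ...` line that step 6/ shows in known_hosts, reports which entries a certificate with a given subject (as printed by `openssl x509 -noout -subject`) would satisfy, and flags entries that can never match a certificate issued under the HOWTO's [ local_ca_policy ] (missing CN, C, emailAddress or O) or that duplicate another entry. The sample file contents are constructed. The subject comparison it uses (order-sensitive, exact values, case-insensitive attribute names) is an assumption made for this example; the patched sshd does its own DN comparison through OpenSSL, whose folding rules differ between releases.

```python
import re

# Constructed sample authorized_keys for this example; key blob, e-mail address
# and the second subject are made up.
SAMPLE_AUTHORIZED_KEYS = """\
# ordinary OpenSSH entry: authorises one specific public key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedKeyMaterial== toto@foo

# X509-patch entries: authorise any certificate with this subject that chains
# to a CA certificate installed under /etc/ssh/ca/crt (the HASH.0 links)
x509v3-sign-rsa subject= /CN=toto tutu/C=FR/emailAddress=toto@example.invalid/O=mycompany
x509v3-sign-rsa subject= /CN=backup operator/C=FR/O=mycompany
"""

# Constructed known_hosts line in the form the HOWTO shows after accepting a host certificate.
SAMPLE_KNOWN_HOSTS = "bar, x509v3-sign-rsa Subject: /CN=bar/C=FR/O=mycompany\n"

# One RDN in OpenSSL's one-line DN form ('/CN=value'). That form does not escape '/',
# so values containing a slash are not handled here.
_RDN_RE = re.compile(r"/([A-Za-z][A-Za-z0-9.]*)=([^/]*)")

# Attributes the HOWTO's [ local_ca_policy ] marks 'supplied': every certificate the CA
# issues carries them, so an entry lacking one can never match such a certificate.
POLICY_REQUIRED = {"cn": "CN", "c": "C", "emailaddress": "emailAddress", "o": "O"}


def parse_dn(text):
    """Parse '/CN=toto tutu/C=FR/...' into an ordered list of (attribute, value) pairs.
    Any 'subject=' or 'Subject:' prefix before the first '/' is ignored."""
    return [(attr, value.strip()) for attr, value in _RDN_RE.findall(text)]


def dn_equal(a, b):
    """Assumed matching rule for this example: same RDN order, exact values,
    attribute names compared case-insensitively."""
    return [(x.lower(), y) for x, y in a] == [(x.lower(), y) for x, y in b]


def parse_authorized_keys(text):
    """One dict per entry: certificate entries carry 'subject' as a DN list, ordinary
    entries keep their key blob. Entries with leading options (from=, command=) are
    not handled in this example."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("x509v3-sign-rsa"):
            rest = line[len("x509v3-sign-rsa"):].strip()
            # the HOWTO pastes 'subject= /CN=...' exactly as 'openssl x509 -subject' prints it
            if not rest.lower().startswith("subject="):
                raise ValueError(f"line {lineno}: x509v3-sign-rsa entry without subject=")
            dn = parse_dn(rest)
            if not dn:
                raise ValueError(f"line {lineno}: empty subject")
            entries.append({"type": "x509v3-sign-rsa", "subject": dn, "line": lineno})
        else:
            parts = line.split(None, 2)
            if len(parts) < 2:
                raise ValueError(f"line {lineno}: malformed key entry")
            entries.append({"type": parts[0], "key": parts[1],
                            "comment": parts[2] if len(parts) > 2 else "", "line": lineno})
    return entries


def parse_known_hosts_line(line):
    """Parse 'host, x509v3-sign-rsa Subject: /CN=...' into (host, DN list)."""
    host, _, rest = line.partition(",")
    rest = rest.strip()
    if not rest.startswith("x509v3-sign-rsa"):
        raise ValueError("not an x509v3-sign-rsa known_hosts entry")
    rest = rest[len("x509v3-sign-rsa"):].strip()
    if not rest.startswith("Subject:"):
        raise ValueError("x509v3-sign-rsa known_hosts entry without Subject:")
    return host.strip(), parse_dn(rest)


def matching_lines(entries, presented_subject):
    """Line numbers of the entries a certificate with this subject would satisfy."""
    dn = parse_dn(presented_subject)
    return [e["line"] for e in entries
            if e["type"] == "x509v3-sign-rsa" and dn_equal(e["subject"], dn)]


def audit(entries):
    """Findings worth a look: subjects missing a policy-required attribute (stale or
    mistyped entry) and subjects listed twice."""
    findings, seen = [], {}
    for e in entries:
        if e["type"] != "x509v3-sign-rsa":
            continue
        present = {a.lower() for a, _ in e["subject"]}
        missing = [name for key, name in POLICY_REQUIRED.items() if key not in present]
        if missing:
            findings.append((e["line"], "subject lacks " + ", ".join(missing)))
        normalised = tuple((a.lower(), v) for a, v in e["subject"])
        if normalised in seen:
            findings.append((e["line"], f"duplicate of line {seen[normalised]}"))
        else:
            seen[normalised] = e["line"]
    return findings


if __name__ == "__main__":
    found = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    print(matching_lines(found, "subject= /CN=toto tutu/C=FR/emailAddress=toto@example.invalid/O=mycompany"))
    print(audit(found))
    print(parse_known_hosts_line(SAMPLE_KNOWN_HOSTS))
```

Running it prints the line number of the entry toto's certificate satisfies, the audit finding for the second entry (no emailAddress, so the CA configured in step 3/ would never issue a matching certificate), and the parsed host entry. The point the audit makes visible: an `x509v3-sign-rsa` line authorises a name rather than a key, so every certificate the CA in /opt/LocalCA signs with that subject is accepted on bar, which is why the `private` directory is created with mode 700 in step 3/ and why `openssl ca` is run as root only.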

Joined: 16 May 2002
Posts: 963
Location: Oslo, Norway

PostPosted: Tue Jan 23, 2007 9:14 am    Post subject:

Hey Eunuque

That's a great HowTo you wrote. I've just started working with OpenSSH and X509 keys and yours is by far the best.

However I came across a little hiccup. I don't know if it's the version of OpenSSL I'm using (0.9.8d) but your line:

openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825

wouldn't work until you added the bit size to the RSA option so it now looks like this:

openssl req -x509 -newkey rsa:1024 -out cacert.pem -outform PEM -days 1825

Other than that, great job. Thanks for the help :D

Joined: 01 Nov 2010
Posts: 9
Location: California

PostPosted: Sun May 27, 2012 4:48 pm    Post subject: Updated LocalCA link

Eunuque, thank you for this guide :)

I noticed the template link is dead.

Here is the last available copy:

Kind regards, Gabriel
~ BE*Kind . kn0wledge 1s p0wer ~