Using SSH-Certtool to Generate Certificate Requests and Configuring Certificate Authentication for Reflection for Secure IT Windows Server
Technical Note 1873
Last Reviewed 31-May-2006
Applies To
Reflection for Secure IT Windows Server version 6.x
Summary
This technical note describes how to generate a certificate request using the ssh-certtool utility, obtain a signed certificate from a Certificate Authority (CA), import it to the server, and properly configure the Reflection for Secure IT Windows Server to use certificate authentication.
Note: The certificate generation utility, ssh-certtool, is included in Reflection for Secure IT Windows Server version 6.0, build 24 or higher. Versions earlier than build 24 do not support the functionality described in this technical note.
Certificate Authentication Overview
Certificate authentication is one way a client can authenticate a server. It requires a private and public key pair: the private key stays on the server, and the public key, wrapped in a CA-signed certificate, is presented to the client at the initial connection.
When using certificate authentication, the server looks for its certificate (a PKCS#12 package that has been separated into its public and private SSH key parts) in the local Reflection for Secure IT server store (a secured folder on your server).
Overview of Configuration Steps
Configuring Reflection for Secure IT Windows Server for certificate authentication is a multi-step process:
- Generate a certificate request using the ssh-certtool utility and send it to a Certificate Authority (CA). The CA sends you your signed certificate and their Trusted Root CA Certificate.
- Configure the Server to Use Certificate Authentication.
- Add the Trusted Root CA Certificate to the Reflection for Secure IT Windows Client.
Generate a Certificate Request Using the SSH-Certtool Utility
Use the ssh-certtool utility to generate a certificate request for the server. The steps vary depending on certificate type, extensions, and other factors, including how you choose to sign your certificates.
Note: The version of the ssh-certtool utility required to generate a certificate request is available in Reflection for Secure IT Windows Server version 6.0, build 24 or higher.
- Open a command prompt and change to the folder containing ssh-certtool, typically C:\Program Files\F-Secure\ssh server on the Reflection for Secure IT server.
- Enter this command to generate a certificate request that you can send to your Certificate Authority for signing:
ssh-certtool -n <rsa or dsa> req CN=<Server's Fully Qualified Domain Name>,O=<Company>,OU=<OrganizationalUnit>,L=<City>,ST=<State>,C=<Country>
ssh-certtool -n rsa req CN=myHost.myCo.com,O=Attachmate,OU=support,L=Seattle,ST=Washington,C=US
If you need to add the Subject Alternative Name, use the following format:
ssh-certtool -n <rsa or dsa> -z DNS=<Server's Fully Qualified Domain Name> req CN=<Server's Fully Qualified Domain Name>,O=<Company>,OU=<OrganizationalUnit>,L=<City>,ST=<State>,C=<Country>
ssh-certtool -n rsa -z DNS=myHost.myCo.com req CN=myHost.myCo.com,O=Attachmate,OU=support,L=Seattle,ST=Washington,C=US
- The ssh-certtool utility generates two files:
output.ssh2 (the private key; keep it on the server and never send it to the CA)
output.pkcs10 (the certificate request)
- Rename the files to the name of the server for which you are creating them, for example, MyServer.ssh2 and MyServer.pkcs10. By renaming the files, you will not overwrite them if you create more certificates.
- Send the output.pkcs10 file (in our example, MyServer.pkcs10) to your Certificate Authority for signing.
If you are using Microsoft Certificate Services server as your Certificate Authority, you can open the file in a text editor and then paste it into the request form.
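The request procedure above, as an added PowerShell example (not from the technical note or from Attachmate). It runs ssh-certtool with only the switches the note documents (-n, -z, req), refuses to overwrite an earlier request, performs the rename step, and prints the request text for pasting into a CA request form. The tool path, the parameter names, the short-hostname file naming and the assumption that output.pkcs10 is Base-64 text with "-----BEGIN" markers are this example's own.

```powershell
# Added example, not Attachmate's code. Wraps the documented ssh-certtool
# invocation and the rename step from the note in one script.
# Assumptions: ssh-certtool.exe is in the folder named in the note, and the
# request file is Base-64 text (the note says it can be pasted into a form).
param(
    [Parameter(Mandatory = $true)][string]$Fqdn,        # e.g. myHost.myCo.com
    [string]$Org     = "Attachmate",
    [string]$Unit    = "support",
    [string]$City    = "Seattle",
    [string]$State   = "Washington",
    [string]$Country = "US",
    [ValidateSet("rsa", "dsa")][string]$KeyType = "rsa",
    [string]$ToolDir = "C:\Program Files\F-Secure\ssh server"
)

$tool = Join-Path $ToolDir "ssh-certtool.exe"
if (-not (Test-Path $tool)) { throw "ssh-certtool not found at $tool" }

# The note renames output.* to the server name; the short host label is used
# here (MyServer.ssh2 / MyServer.pkcs10).
$shortName = $Fqdn.Split(".")[0]
$privKey   = Join-Path $ToolDir "$shortName.ssh2"
$request   = Join-Path $ToolDir "$shortName.pkcs10"

# Every run writes output.ssh2 / output.pkcs10, which is why the note renames
# them. Refuse to clobber a key that already exists under the target name.
foreach ($f in $privKey, $request) {
    if (Test-Path $f) { throw "$f already exists; move it aside before generating a new request" }
}

# Subject in exactly the form the note uses. The SAN repeats the FQDN so a
# client that matches on SAN rather than CN still accepts the host.
$subject = "CN=$Fqdn,O=$Org,OU=$Unit,L=$City,ST=$State,C=$Country"

Push-Location $ToolDir
try {
    & $tool -n $KeyType -z "DNS=$Fqdn" req $subject
    if ($LASTEXITCODE -ne 0) { throw "ssh-certtool exited with code $LASTEXITCODE" }
    Rename-Item "output.ssh2"   (Split-Path $privKey -Leaf)
    Rename-Item "output.pkcs10" (Split-Path $request -Leaf)
} finally {
    Pop-Location
}

# Sanity check (assumption): the request should be Base-64 text with PEM
# markers, which is what the Microsoft Certificate Services form accepts.
$reqText = [System.IO.File]::ReadAllText($request)
if ($reqText -notmatch "-----BEGIN") {
    Write-Warning "$request does not look like a Base-64 encoded request; check it before submitting"
}

Write-Host "Private key : $privKey  (stays on the server; never sent to the CA)"
Write-Host "Request     : $request  (send this to the CA)"
Write-Host ""
Write-Host "Request text to paste into the CA request form:"
Write-Host $reqText
```

Run it once per server, for example `.\New-SshCertRequest.ps1 -Fqdn myHost.myCo.com`; the private key file it reports is the one you browse to in the Host Certificate entry later, and only the .pkcs10 file leaves the machine.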
Configure the Server to Use Certificate Authentication
After you submit the certificate request to your Certificate Authority for signing, the CA sends you your signed public key certificate. Depending on the CA, the certificate may be in "Base-64 encoded" or ".pem" format; either format is acceptable. Note: Do not use DER encoded binary. A DER file is not text: it starts with a 0x30 byte rather than a -----BEGIN line, so if that is what your CA returned, ask for (or convert to) the Base-64 form before continuing.
Follow these steps to configure the server:
- Copy your signed public key certificate file to the C:\Program Files\F-Secure\ssh server folder (if you transfer it with FTP, use binary mode so the file is not altered in transit).
- In the Reflection for Secure IT Server Configuration, select Identity under Server Settings to enter the Host Certificate information. (Note that in the steps below, the CA-signed server certificate is renamed to MyServer.ssh2.crt.)
- In the Host Certificate entry, browse (do not use the Import… button) to the private key generated by the ssh-certtool. In our example, the file is called MyServer.ssh2.
- Browse for the server certificate. In our example, it is called MyServer.ssh2.crt. After successfully adding the private key and certificate under the Host Certificates dialog, click the View button to verify that the certificate is installed and chains to a trusted certificate authority.
- Click Apply.
- Select Server Settings > Stop Server.
- Select the Start Service button and confirm that the server starts. If the server certificate or its private key could not be loaded, the server will not start properly.
- After the server has successfully started, your clients may connect to it.
Add the Trusted Root CA Certificate to the Reflection for Secure IT Windows Client
When server certificates are used to authenticate with client connections, the Trusted Root certificate for the server’s certificate has to reside in the connecting client’s Trusted Root store. This section contains configurations specific to the Reflection for Secure IT Windows client.
When you submitted the certificate request to your Certificate Authority for signing, they sent you your signed certificate and the Trusted Root CA certificate. For background information on this topic, read About Trusted Root CA Certificates.
Note: You need to add the Trusted Root CA certificate only if it is not already available on the client.
Obtain the Trusted Root CA Certificate
If you did not receive the Trusted Root CA certificate, you can obtain it in one of two ways:
- Download it from your signing Certificate Authority’s website.
- Open the received signed certificate by double-clicking it and then selecting the Certification Path tab. Click the uppermost certificate and then select View Certificate > Details > Copy to File.
Add the Trusted Root CA Certificate
Once you've obtained the Trusted Root CA certificate, add it to the Reflection for Secure IT Windows Client. You can add the Trusted Root CA certificate to the Microsoft certificate store, or beginning in Reflection version 6.1, you can Configure the Client to Store and Use the Trusted Root CA Certificate from Reflection's Certificate Store.
Add the Trusted Root CA Certificate to the Microsoft Certificate Store
- On the client PC, double-click the Trusted Root CA Certificate.
- Click Install Certificate.
- Follow the prompts to complete the installation. Once installed, you can view the certificate in Internet Explorer in Tools > Internet Options > Content tab > Certificates button> Trusted Root Certification Authorities tab.
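The checks behind the View button in the server procedure and the "add the root only if it is not already there" rule of the client procedure, as an added PowerShell example (not from the technical note or from Attachmate). It detects a DER-encoded certificate and writes a Base-64 copy, confirms the certificate names the host clients connect to, builds the chain with the .NET X509Chain class, and, when the chain does not verify, reports whether the top certificate is missing from the Windows Trusted Root stores. The file and host parameters, the converted-file name and the choice to skip revocation checking are this example's assumptions.

```powershell
# Added example, not Attachmate's code. Checks a CA-signed server certificate
# before it is installed and shows whether its root is trusted on this machine.
# Assumptions: $CertFile is the file the CA returned, $Fqdn is the name used in
# the request, and the Windows certificate stores are the ones the client uses.
param(
    [Parameter(Mandatory = $true)][string]$CertFile,   # e.g. MyServer.ssh2.crt
    [Parameter(Mandatory = $true)][string]$Fqdn        # e.g. myHost.myCo.com
)

$bytes = [System.IO.File]::ReadAllBytes($CertFile)

# 1. Encoding check. The note rejects DER binary. A DER certificate begins with
#    the ASN.1 SEQUENCE tag 0x30; a Base-64 file begins with "-----BEGIN".
if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
    Write-Warning "$CertFile is DER (binary) encoded; writing a Base-64 copy"
    $pem = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($bytes, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`r`n-----END CERTIFICATE-----`r`n"
    $CertFile = [System.IO.Path]::ChangeExtension($CertFile, ".pem.crt")   # name is an assumption
    [System.IO.File]::WriteAllText($CertFile, $pem)
    Write-Host "Use $CertFile in the Host Certificate entry instead of the DER file"
}

# X509Certificate2 parses either encoding, so the checks below work on the
# original file or on the converted copy.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

# 2. Name check: the CN or a DNS subject alternative name (OID 2.5.29.17) must
#    match the FQDN clients connect to, or they will reject the host.
$subjectDns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { "" }
if ($subjectDns -ieq $Fqdn -or $sanText -imatch [regex]::Escape($Fqdn)) {
    Write-Host "OK   name : $Fqdn is present in the certificate"
} else {
    Write-Warning "name : certificate is for '$subjectDns' (SAN: '$sanText'), not $Fqdn"
}

# 3. Chain check, the same thing the View button does: every signature from the
#    server certificate up to a root this machine trusts. Revocation checking is
#    skipped here so the check works offline (assumption; enable it in production).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($built) {
    Write-Host "OK   chain: verified to trusted root '$($top.Subject)' ($($top.Thumbprint))"
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning "chain: $($s.Status) - $($s.StatusInformation.Trim())"
    }
    # UntrustedRoot is the case the client section of the note fixes: the
    # issuing root is not in the Trusted Root store of this user or machine.
    $inStore = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
               Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    if (-not $inStore) {
        Write-Host "Top of chain '$($top.Subject)' ($($top.Thumbprint)) is not in a Trusted Root store."
        Write-Host "Import the CA's Trusted Root certificate (double-click > Install Certificate) and re-run."
    } else {
        Write-Host "Root is present; an intermediate CA certificate or a signature problem is the cause."
    }
}
$chain.Reset()
```

Run it on the server before clicking Apply, and again on a client PC after importing the root; a chain that builds on the server but not on the client is exactly the symptom the client procedure above resolves.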
Configure the Client to Use the Trusted Root CA Certificate from the Microsoft Certificate Store
If you have Reflection version 6.1 or higher, follow these steps.
- In the Reflection for Secure IT client, open the Connection > Connection Setup dialog box.
- Enter a host name and user name to enable the Security button, then click the button to open the Reflection Secure Shell Settings dialog box.
- On the PKI tab, click the Reflection Certificate Manager button.
- In the Reflection Certificate Manager, on the Trusted Certification Authorities tab, click the Import button.
- Select the Trusted Root certificate for the server’s certificate and click Open.
- On the Trusted Certification Authorities tab, select the "Use System Certificate Store for SSH Connections" check box.
- Click Close, and then click OK.
Configure the Client to Store and Use the Trusted Root CA Certificate from Reflection's Certificate Store
Beginning in version 6.1, you can configure the Reflection SSH Windows client to store Trusted Root CA certificates in Reflection’s certificate store.
- In the Reflection for Secure IT client, open the Connection > Connection Setup dialog box.
- Enter a host name and user name to enable the Security button, then click the button to open the Reflection Secure Shell Settings dialog box.
- On the PKI tab, click the Reflection Certificate Manager button.
- In the Reflection Certificate Manager, on the Trusted Certification Authorities tab, click the Import button.
- Select the Trusted Root certificate for the server’s certificate and click Open.
- On the Trusted Certification Authorities tab, clear the "Use System Certificate Store for SSH Connections" check box.
- Click Close, and then click OK. To configure Certificate Authentication for your client sessions, see Technical Note 1874.
Note: Certificate authentication has the same restrictions as user key authentication. Currently, certificate authentication with domain accounts works on Windows 2003 servers; it does not work on Windows 2000 servers. In addition, the special account "Everyone" must be a member of the Built-in Pre-Windows 2000 Compatible Access Security Group.
About Trusted Root CA Certificates
A certificate issued by a Certificate Authority to itself is called a Trusted Root certificate and is the anchor point for a chain of trust. When one entity uses a certificate to authenticate itself, the other entity must verify the trust relationship between the first entity's certificate and the Trusted Root CA that is at the beginning of the chain of trust.
For example, if a server is presenting a certificate to authenticate itself to the client, the client needs to verify two conditions:
- The server has the private key for the public key contained in the certificate and can correctly sign an authentication message.
- The signatures of any intermediate CA certificates are valid all the way to the Trusted Root CA.
This second validation requires that the Trusted Root certificate for the server's certificate resides in the Trusted Root store on the client and that any intermediate CA certificates can be obtained.
Related Technical Notes
- 1874: Using SSH-Certtool to Generate Certificate Requests and Configuring Certificate Authentication for Reflection for Secure IT Windows Client
- 1941: Using SSH-Certtool to Generate Certificate Requests and Configuring Certificate Authentication for Reflection for Secure IT UNIX Server
- 1942: Using SSH-Certtool to Generate Certificate Requests and Configuring Certificate Authentication for Reflection for Secure IT UNIX Client