
Technical Notes

Using SSH-Certtool to Generate Certificate Requests and Configuring Certificate Authentication for Reflection for Secure IT Windows Client
Technical Note 1874
Last Reviewed 01-Feb-2008
Applies To
Reflection for Secure IT Windows Client version 6.0 or higher
Reflection for Secure IT Windows Server version 6.0.x through 6.1.x
Summary

This technical note describes the steps to follow when connecting from a Reflection for Secure IT Windows Client to a Reflection for Secure IT Windows Server using certificate authentication. You will use the certificate generation utility on the Reflection SSH Windows server to create a certificate request and convert the resulting signed certificate and private key into the proper format.

Note: This note is intended for server administrators who are generating certificates for users. The certificate generation utility, ssh-certtool, is available only in Reflection for Secure IT Windows Server version 6.0 build 24 through 6.1.x. The certtool is not available in the client product.

Certificate Authentication Overview

Certificate authentication is one way a server can authenticate a user. It requires three items:

  • a client PKCS#12 (.pfx or .p12) package containing the user's private key and CA-signed certificate, which is imported into the client's Microsoft Certificate Store (or, beginning in version 6.1, into Reflection's certificate store)
  • the Trusted Root Certificate Authority (CA) certificate that issued the user certificate
  • the user certificate mapping file, which tells the server which account a presented certificate is authorized for

The Trusted Root CA certificate and the user certificate mapping file are uploaded to the Reflection for Secure IT Windows Server.

Overview of Configuration Steps

Configuring Reflection for Secure IT Windows Client for certificate authentication is a multi-step process:

  1. Generate a certificate request using the ssh-certtool utility on the Reflection SSH Windows server and send it to a Certificate Authority (CA). The CA returns your signed certificate and its Trusted Root CA certificate.
  2. Create a PKCS12 package from your private key and the signed certificate returned by the CA.
  3. Configure the client to store and use certificates.
  4. Configure Certificate User Authorization on the Reflection SSH Windows Server.
  5. Add the Trusted Root CA certificate and the Certificate User Authorization file to the Reflection server.

The rest of this technical note outlines the procedures to configure certificate authentication on the client. Note: Some preliminary configuration must be done on the Reflection SSH server.

Using the SSH-Certtool Certificate Utility

Use the ssh-certtool utility (on the Reflection SSH Windows server) to generate a certificate request, and later a PKCS12 package for the client. The steps vary depending on certificate type, extensions, and other factors, including how you choose to sign your certificates.

Note: The version of the ssh-certtool utility required to generate a certificate is available in Reflection for Secure IT Window Server version 6.0 build 24 through 6.1.x.

  1. On the Reflection for Secure IT Windows Server, open a command prompt in the folder that contains ssh-certtool, typically C:\Program Files\F-Secure\ssh server.
  2. Enter this command to generate a certificate request that you can send to your Certificate Authority for signing (the -n option selects the key type, rsa or dsa):
ssh-certtool -n <rsa or dsa> req CN=<"User Name">,O=<Company>,OU=<OrganizationalUnit>,L=<City>,ST=<State>,C=<Country>

For example:

ssh-certtool -n rsa req CN="User Name",O=Attachmate,OU=Support,L=Seattle,ST=Washington,C=US

The e-mail address can also be added to the Subject Alternative Name by including the option:

-z email=user@example.com

For example:

ssh-certtool -n rsa -z email=UserName@myCo.com req CN="User Name",O=Attachmate,OU=Support,L=Seattle,ST=Washington,C=US
  3. The ssh-certtool utility generates two files:
     output.ssh2 (the private key)
     output.pkcs10 (the certificate request)

Rename the files using the name of the client (user) for which you are creating them, for example, user1_ssh2 and user1.pkcs10. Renaming them ensures that you do not overwrite them when you create certificates for other users. Treat the .ssh2 file as a secret: it is the private key the user will authenticate with.

  4. Send the resulting pkcs10 file (in our example, user1.pkcs10) to your Certificate Authority for signing.

If you are using Microsoft Certificate Services server as your Certificate Authority, you can open the file in a text editor and then paste it into the request form.

  5. You will receive your CA-signed client certificate in "Base-64 encoded" or ".pem" format, depending on the CA. Either format is acceptable. Note: Do not use the DER encoded binary format; if the CA offers only DER, convert the file to Base-64 before continuing.

In addition to your signed client certificate, the Certificate Authority should have sent its Trusted Root CA certificate; save this for later.

  6. Rename your CA-signed client certificate using a .crt extension, for example, user1.ssh2.crt.
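The following Python script is an added example for step 5 and for the SerialAndIssuer mapping lines used later in this note; it is not part of the original note or of the Reflection products. It tells a Base-64 (PEM) certificate file from a DER one, converts DER to the Base-64 form the next step needs, and reads the certificate's serial number as the decimal value a SerialAndIssuer mapping line requires (the Windows certificate dialog shows it in hex). It uses only the Python standard library; the certificate-like DER bytes it runs on are constructed inline and are not a real, CA-signed certificate.

```python
"""Normalize a CA-issued certificate to Base-64 (PEM) and read its serial number.

Added example for this technical note; not part of Reflection or ssh-certtool.
Uses only the Python standard library, so it runs offline. The DER sample at the
bottom is constructed here: it carries only the version and serialNumber fields
of a certificate and is not a real, CA-signed certificate."""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def detect_format(data: bytes) -> str:
    """Return 'pem' (Base-64 with BEGIN/END lines), 'der' or 'unknown'."""
    if PEM_RE.search(data):
        return "pem"
    if data[:1] == b"\x30":      # DER: every X.509 Certificate is an outer SEQUENCE (tag 0x30)
        return "der"
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Bytes of the certificate in DER, whichever encoding the CA delivered."""
    fmt = detect_format(data)
    if fmt == "der":
        return data
    if fmt == "pem":
        body = PEM_RE.search(data).group(1)
        return base64.b64decode(b"".join(body.split()))   # drop the line breaks first
    raise ValueError("file is neither a PEM nor a DER certificate")


def to_pem(data: bytes) -> bytes:
    """The same certificate as 'Base-64 encoded' text with 64-character lines."""
    b64 = base64.b64encode(to_der(data))
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value header at pos -> (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:            # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_number_decimal(data: bytes) -> str:
    """Serial number as the decimal string a SerialAndIssuer mapping line needs.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... }, ... }
    """
    der = to_der(data)
    tag, pos, _ = _read_tlv(der, 0)            # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)          # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(der, pos)
    if tag == 0xA0:                            # [0] version present (v2 or v3 certificate)
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    # DER INTEGER is big-endian two's complement; a positive serial whose top bit
    # is set carries a leading 0x00 byte, which a signed decode handles correctly.
    return str(int.from_bytes(der[vstart:vend], "big", signed=True))


def hex_serial_to_decimal(shown: str) -> str:
    """Convert the hex serial the Windows certificate dialog shows ('00 bc 61 4e')."""
    return str(int(re.sub(r"[\s:]", "", shown), 16))


def _tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


SAMPLE_SERIAL = 12345678     # the serial used in this note's mapping-file examples
# Constructed sample: Certificate { tbsCertificate { [0]{ INTEGER 2 }, INTEGER serial } }
SAMPLE_DER = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))
                             + _tlv(0x02, SAMPLE_SERIAL.to_bytes(4, "big"))))

if __name__ == "__main__":
    print(detect_format(SAMPLE_DER), serial_number_decimal(SAMPLE_DER))
    print(to_pem(SAMPLE_DER).decode())
```

Run it against the file the CA returned (read the file in binary mode and pass the bytes) to confirm it is Base-64 before creating the PKCS12 package, and copy the serial it prints into the SerialAndIssuer line of the mapping file.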

Create a PKCS12 Package

After you receive your CA-signed client certificate from the Certificate Authority, you will need to create a PKCS12 package to import into the Microsoft Certificate Store or Reflection’s Certificate Store in version 6.1.

  1. On the Reflection SSH Windows server, generate the PKCS12 package using the following command:
ssh-certtool pkcs12 <output.ssh2> <My Received Cert>

For example:

ssh-certtool pkcs12 user1_ssh2 user1.ssh2.crt
  2. When prompted, enter a passphrase that you will remember. Do not use an empty passphrase: the private key inside the .p12 file would then be stored without any protection.

The command creates a file called output.p12.

  3. Rename the file to match the files above, for example, user1.p12.

Configuring the Client to Store and Use Certificates

You can configure the client to store and use certificates from the Microsoft Certificate Store, or beginning in version 6.1, you can configure the client to store and use certificates from Reflection's certificate store.

Using the Microsoft Certificate Store

Follow these steps to configure the client to store and use certificates from the Microsoft Certificate Store.

  1. Double-click the file you created (in our example, user1.p12) to install it to the Microsoft Certificate Store. Use the passphrase that you entered in step 2 of the Create a PKCS12 Package section.

Note: Select the "Mark the certificate as exportable" check box on the password dialog box in the Certificate Import Wizard.

You will now see the certificate displayed under the Personal store in the Microsoft Certificate Store.

  2. In the Reflection for Secure IT client, open the Connection > Connection Setup dialog box.
  3. Enter a host name and user name to enable the Security button. Click the button to open the Reflection Secure Shell Settings dialog box.
  4. On the General tab, under User Authentication, clear Keyboard Interactive, Password, and GSSAPI/Kerberos, leaving Public Key as the only selected option.
  5. Click the User Keys tab and select the client certificate that you created in the "Create a PKCS12 Package" section with your private key and signed public key (in our example, user1.p12).
  6. Click OK and save your settings.

Using Reflection's Certificate Store

Beginning in Reflection version 6.1, you can configure the Reflection SSH Windows client to store certificates in Reflection's certificate store.

  1. In the Reflection for Secure IT client, open the Connection > Connection Setup dialog box.
  2. Enter a host name and user name to enable the Security button. Click the button to open the Reflection Secure Shell Settings dialog box.
  3. On the General tab, under User Authentication, clear Keyboard Interactive, Password, and GSSAPI/Kerberos, leaving Public Key as the only selected option.
  4. On the PKI tab, click the Reflection Certificate Manager button.
  5. In the Reflection Certificate Manager, on the Personal tab, click the Import button.
  6. Select the client certificate that you created in the "Create a PKCS12 Package" section with your private key and signed public key (in our example, user1.p12). Follow the prompts to import your certificate.
  7. Click Close, and then click OK.
  8. Click the Security button to open the Reflection Secure Shell Settings dialog box.
  9. On the User Keys tab, select the certificate imported in step 6. Note that the location of the key is the Reflection Certificate Store.
  10. Click OK.

Configuring Certificate User Authorization on the Reflection for Secure IT Windows Server

The steps you follow to configure certificate user authorization depend on the version of Reflection for Secure IT Windows Server that you use:

Version 6.1.x

When user certificates are used to authenticate to remote server(s), the remote server administrator must configure Certificate User Authorization on the server and add the Trusted Root CA certificate. (See To Obtain the Trusted Root CA Certificate for more information.)

  1. Open the Reflection for Secure IT Windows Server. In Server Configuration, click User Authentication to expand the tree, and then click Public Key > Certificates.
  2. Click Add to add a new Trusted Root CA, or select an existing entry and click Edit to change it.
  3. In the Trusted CA Certificate field, click the browse button (or Import) and select the Trusted Root certificate you received from your Certificate Authority. In versions 6.1.2 and 6.1.3, you can also use the Select System CA Certificate button to select the Root Certificate from the Windows certificate store. The certificate will have a .cer or .crt file extension.
  4. Select the file and click OK.
  5. In the Certificate User Authorization field, browse to the .txt file that contains your user mapping file, or click Edit to create or modify the file. The server uses this file to decide which account a presented certificate is authorized for: each line names an account-id and one certificate field (Subject, Email, SerialAndIssuer or EmailRegex) whose value must match the client certificate, in the format shown in the examples below. With %subst% as the account-id, the text captured by the parenthesized group in the EmailRegex pattern is used as the account name.
<account-id> SerialAndIssuer <MyCertSerialNumberInDecimal> C=<MyCountry>, O=<MyCompany>, CN=<"User Name">

—or—

<account-id> Subject C=<MyCountry>, ST=<MyState>, L=<MyCity>, O=<MyCompany>, OU=<MyOrganizationalUnit>, CN=<"User Name">

For example, it might look like the following:

account-id SerialAndIssuer 12345678 C=US, O=Attachmate, CN="User Name"

—or—

account-id Subject C=US, ST=Washington, L=Seattle, O=Attachmate, OU=Support, CN="User Name"

—or—

account-id email UserName@MyDomain.com

—or—

%subst% emailregex ([a-zA-Z0-9]+)@MyDomain\.com

For example, it might look like the following:

%subst% emailregex ([a-zA-Z]+)@Attachmate\.com

Note: Do not put commas inside the bracketed character class. A class written as [a-z,A-Z] also matches a literal comma in the address, and it does not match digits, so an address such as user1@Attachmate.com would be rejected. The pattern above carries no anchors; confirm that the server matches it against the whole address rather than a prefix, and if it does not, anchor it with ^ and $ so that a longer address such as user@Attachmate.com.example.org is not accepted.
  6. Click Apply.

Next, proceed to Connect Using Certificate Authentication.

To Obtain the Trusted Root CA Certificate

When you submitted the certificate request to your Certificate Authority for signing, they sent your signed certificate and the Trusted Root CA Certificate. If you did not receive the Trusted Root CA Certificate when the CA sent you your signed certificate, you can obtain it in one of two ways:

  • Download it from your signing Certificate Authority’s website.
  • Open the received signed certificate by double-clicking it and then selecting the Certificate Path tab. Click the uppermost certificate and then select View Certificate > Details > Copy to File.

Return to Version 6.1.x instructions.

Version 6.0.x

When user certificates are used to authenticate to remote server(s), the remote server administrator must configure Certificate User Authorization on the server and add the Trusted Root CA certificate (if it has not previously been added). Follow these steps to configure Certificate User Authorization.

  1. Open the Reflection for Secure IT Windows Server. In Server Configuration, click User Authentication to expand the tree, and then click Public Key > Certificates.
  2. In the Certificate User Authorization field, browse to the .txt file that contains your user mapping file, or click Edit to create or modify the file. The server uses this file to decide which account a presented certificate is authorized for: each line names an account-id and one certificate field (Subject, Email, SerialAndIssuer or EmailRegex) whose value must match the client certificate, in the format shown in the examples below. With %subst% as the account-id, the text captured by the parenthesized group in the EmailRegex pattern is used as the account name.
<account-id> SerialAndIssuer <MyCertSerialNumberInDecimal> C=<MyCountry>, O=<MyCompany>, CN=<"User Name">

—or—

<account-id> Subject C=<MyCountry>, ST=<MyState>, L=<MyCity>, O=<MyCompany>, OU=<MyOrganizationalUnit>, CN=<"User Name">

For example, it might look like the following:

account-id SerialAndIssuer 12345678 C=US, O=Attachmate, CN="User Name"

—or—

account-id Subject C=US, ST=Washington, L=Seattle, O=Attachmate, OU=Support, CN="User Name"

—or—

account-id email UserName@MyDomain.com

—or—

%subst% emailregex ([a-zA-Z0-9]+)@MyDomain\.com

For example, it might look like the following:

%subst% emailregex ([a-zA-Z]+)@Attachmate\.com

Note: Do not put commas inside the bracketed character class. A class written as [a-z,A-Z] also matches a literal comma in the address, and it does not match digits, so an address such as user1@Attachmate.com would be rejected. The pattern above carries no anchors; confirm that the server matches it against the whole address rather than a prefix, and if it does not, anchor it with ^ and $ so that a longer address such as user@Attachmate.com.example.org is not accepted.
  3. Click Apply.
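The following Python script is an added example, not the Reflection server's own authorization code, illustrating the mapping-file formats shown above for both the version 6.1.x and the version 6.0.x procedures. It parses Subject, SerialAndIssuer, email and emailregex lines, matches them against the fields of a presented certificate and resolves the account name, including the %subst% substitution. The matching rules it applies (attribute-order-insensitive DN comparison, case-insensitive e-mail comparison, a whole-address regex match, first matching line wins) are assumptions made for illustration and may differ from the server's own behaviour; the mapping file and certificates it runs on are constructed samples.

```python
"""Evaluate a Certificate User Authorization mapping file against a client certificate.

Added example for this technical note; it is not the Reflection server's own
matching code, and the semantics below are assumptions made for illustration:
  - one rule per line, "<account-id> <keyword> <value>"; keywords are
    case-insensitive; blank lines and '#' comment lines are ignored;
  - Subject / SerialAndIssuer compare DNs attribute by attribute, ignoring
    attribute order, spaces after commas and quotes around values;
  - email is an exact, case-insensitive match on the e-mail SAN;
  - emailregex must match the whole address, and with the account-id
    %subst% the text captured by group 1 becomes the account name.
The certificates and mapping file at the bottom are constructed samples."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ClientCert:
    subject: str             # DN text, e.g. 'C=US, O=Attachmate, CN="User Name"'
    issuer: str
    serial: int              # decimal value, as written in the mapping file
    email: Optional[str]     # rfc822Name from the Subject Alternative Name, if any


def parse_dn(dn: str) -> dict:
    """'C=US, O=Attachmate, CN="User Name"' -> {'C': 'US', 'O': 'Attachmate', 'CN': 'User Name'}."""
    attrs = {}
    # split only on commas that start a new attribute, so 'CN="Doe, John"' stays whole
    for part in re.split(r",\s*(?=[A-Za-z]+=)", dn.strip()):
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip().strip('"')
    return attrs


def dn_equal(a: str, b: str) -> bool:
    return parse_dn(a) == parse_dn(b)


Rule = Tuple[str, str, str]   # (account-id, keyword, value)


def parse_mapping(text: str) -> List[Rule]:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected '<account-id> <keyword> <value>'")
        account, keyword, value = fields
        rules.append((account, keyword.lower(), value))
    return rules


def authorize(rules: List[Rule], cert: ClientCert) -> Optional[str]:
    """Account the certificate maps to, or None when no rule matches (first match wins)."""
    for account, keyword, value in rules:
        if keyword == "subject" and dn_equal(value, cert.subject):
            return account
        elif keyword == "serialandissuer":
            serial, _, issuer = value.partition(" ")
            if serial.isdigit() and int(serial) == cert.serial and dn_equal(issuer, cert.issuer):
                return account
        elif keyword == "email" and cert.email and value.lower() == cert.email.lower():
            return account
        elif keyword == "emailregex" and cert.email:
            m = re.fullmatch(value, cert.email)     # whole address, not a prefix
            if m and account == "%subst%":
                if m.groups():
                    return m.group(1)               # captured local part becomes the account
                raise ValueError("%subst% needs a capture group in the pattern")
            if m:
                return account
    return None


MAPPING = r"""# constructed sample mapping file
jdoe Subject C=US, ST=Washington, L=Seattle, O=Attachmate, OU=Support, CN="User Name"
svc-backup SerialAndIssuer 12345678 C=US, O=Attachmate, CN=Attachmate Issuing CA
%subst% emailregex ([a-zA-Z0-9]+)@attachmate\.com
"""

# the note's original pattern, with commas inside the character class
PAGE_PATTERN = r"%subst% emailregex ([a-z,A-Z]+)@Attachmate\.com"

ISSUER = "CN=Attachmate Issuing CA, O=Attachmate, C=US"   # constructed issuer DN
USER_CERT = ClientCert(
    subject='CN="User Name", OU=Support, O=Attachmate, L=Seattle, ST=Washington, C=US',
    issuer=ISSUER, serial=4711, email=None)
SERVICE_CERT = ClientCert(subject="CN=backup-host, O=Attachmate, C=US",
                          issuer=ISSUER, serial=12345678, email=None)
MAIL_CERT = ClientCert(subject="CN=alice, O=Attachmate, C=US",
                       issuer=ISSUER, serial=99, email="alice@attachmate.com")

if __name__ == "__main__":
    rules = parse_mapping(MAPPING)
    for cert in (USER_CERT, SERVICE_CERT, MAIL_CERT):
        print(cert.subject, "->", authorize(rules, cert))
```

With the constructed mapping file the three certificates resolve to jdoe, svc-backup and alice, and an address such as alice@attachmate.com.evil.org is refused because the regex must match the whole address. Feeding the note's original pattern ([a-z,A-Z]+)@Attachmate\.com to the same evaluator shows the comma problem: a,b@Attachmate.com is accepted and maps to an account named a,b, while user1@Attachmate.com is rejected because the class contains no digits.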

Add the Trusted Root CA Certificate to the Reflection for Secure IT Windows Server 6.0.x

Note: If you have previously imported the Trusted Root CA certificate, you do not need to import it again; you may proceed to Connect Using Certificate Authentication.

When you submitted the certificate request to your Certificate Authority for signing, they sent your signed certificate and the Trusted Root CA Certificate. For background information on this topic, read About Trusted Root CA Certificates.

Obtaining the Trusted Root CA Certificate

If you did not receive the Trusted Root CA Certificate when the CA sent you your signed certificate, you can obtain it in one of two ways:

  • Download it from your signing Certificate Authority’s website.
  • Open the received signed certificate by double-clicking it and then selecting the Certificate Path tab. Click the uppermost certificate and then select View Certificate > Details > Copy to File.

Adding the Trusted Root CA Certificate

Follow these steps to add the Trusted Root CA certificate to the Reflection server.

  1. Open the Reflection for Secure IT Windows Server. In Server Configuration, click User Authentication to expand the tree, and then click Public Key > Certificates.
  2. In the Trusted CA Certificate field, click the browse button and select the Trusted Root certificate you received from your Certificate Authority. The certificate will have a .cer or .crt file extension. Select the file and click OK.
  3. Click Apply.

Connect Using Certificate Authentication

Now your Reflection for Secure IT Windows Client is configured to support client certificate authentication. Click Connect on the Reflection for Secure IT client, and you will see a padlock on the Status Line indicating your connection is secure.

For information about configuring Reflection for Secure IT Windows Server for certificate authentication, see Technical Note 1873.

About Trusted Root CA Certificates

A certificate issued by a Certification Authority (CA) to itself is called a Trusted Root certificate; it is the anchor point for a chain of trust. When one entity uses a certificate to authenticate itself, the other entity must verify the trust relationship between the first entity's certificate and the Trusted Root CA that is at the beginning of the chain of trust.

For example, if a user presents a certificate to authenticate to the server, the server needs to verify two conditions:

  1. The user holds the private key that corresponds to the public key in the certificate and can correctly sign the authentication message.
  2. The certificate chains to a trusted root: the user's certificate is signed by its issuing CA, each intermediate CA certificate is signed by the CA above it, and the chain ends at a Trusted Root CA that the server trusts.

The second validation requires that the Trusted Root certificate for the user's certificate resides in the Trusted Root store on the server and that any intermediate CA certificates can be obtained. The root must be configured explicitly because it is self-signed; no other certificate can vouch for it.

Related Technical Notes
1873 Using SSH-Certtool to Generate Certificate Requests and Configuring Certificate Authentication for Reflection for Secure IT Windows Server
1941 Using SSH-Certtool to Generate Certificate Requests and Configuring Certificate Authentication for Reflection for Secure IT UNIX Server
1942 Using SSH-Certtool to Generate Certificate Requests and Configuring Certificate Authentication for Reflection for Secure IT UNIX Client
