[ssh_x509] vx509-7.4.1 - Unexpected behaviour of X509KeyAlgorithm / Purpose of CACertificatePath

ssh_x509 at roumenpetrov.info
Sat May 11 19:33:13 EEST 2013

I am a bit confused about certain behaviour of the tool. Would be
grateful if someone could give me some hints on the following questions:

1) All of my certificates (including the CA itself) are signed using rsa
with md5. If I use 'X509KeyAlgorithm x509v3-sign-rsa, rsa-md5' login
fails with the following error message:

ssh_x509_verify: md=rsa-md5, loc=0
ssh_x509_verify: failed for all digests

If I instead use x509v3-sign-rsa, rsa-sha1 it works properly. What's the
point of that? Am I missing something?

2) What is the purpose of CACertificatePath? I already have a list of
CAs which I trust specified with CACertificateFile. Regardless of its
content it does nothing in my case. I tried to use it standalone without
CACertificateFile and got validation errors.

3) I've seen that it's possible to store the CAs and revocation lists in
a directory service. Is that also possible for user certificates?

Kind regards
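A detail worth checking before concluding that CACertificatePath "does nothing": a CApath-style directory is consulted by subject-name hash, so it must hold files named <subject_hash>.<n> (the c_rehash(1) layout), not plainly named PEM files. The script below is an added example, not code from this list or from the ssh_x509 patch; it assumes openssl is on PATH and uses OpenSSL's own -CApath lookup to show the hashed-directory convention that CACertificatePath is assumed here to share with OpenSSL's CApath. The CA it generates is a constructed throwaway.

```shell
#!/bin/sh
# Build a hashed CA directory in the c_rehash(1) layout and verify against it.
# Assumption: openssl is on PATH. The CA below is constructed for the demo only.
set -eu

# build_capath DIR: creates DIR/ca.pem (a throwaway self-signed CA) and
# installs a copy under DIR/capath/<subject_hash>.<n>. Prints the installed path.
build_capath() {
  workdir=$1
  mkdir -p "$workdir/capath"
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$workdir/ca.key" -out "$workdir/ca.pem" \
    -days 1 -subj "/CN=Example Test CA" >/dev/null 2>&1
  # The file name is derived from the hash of the certificate's subject name;
  # a lookup by issuer name computes the same hash and opens <hash>.0, <hash>.1, ...
  hash=$(openssl x509 -in "$workdir/ca.pem" -noout -subject_hash)
  n=0
  while [ -e "$workdir/capath/$hash.$n" ]; do n=$((n + 1)); done
  cp "$workdir/ca.pem" "$workdir/capath/$hash.$n"
  echo "$workdir/capath/$hash.$n"
}

# verify_against_capath CAPATH CERT: exit 0 if CERT chains to a CA found in
# CAPATH by hash lookup, non-zero otherwise (same lookup a CApath setting uses).
verify_against_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration: a hashed directory works, an unhashed copy of the
# very same certificate is never found.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  installed=$(build_capath "$tmp")
  echo "installed CA as: $installed"
  verify_against_capath "$tmp/capath" "$tmp/ca.pem" && echo "hashed dir: OK"
  mkdir -p "$tmp/unhashed"
  cp "$tmp/ca.pem" "$tmp/unhashed/ca.pem"
  verify_against_capath "$tmp/unhashed" "$tmp/ca.pem" || echo "unhashed dir: not found"
  rm -rf "$tmp"
fi
```

Run with `--demo` to see both outcomes. The same file layout is what c_rehash(1) (or `openssl rehash`) produces, which is the quickest way to populate such a directory from an existing bundle.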
