[ssh_x509] Clarification on pkixssh-10.2

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue Apr 17 18:06:25 EEST 2018

Hello Mohit.

I'm sorry for the late reply.

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> Can you please clarify on *A_CERTIFICATE_FILE*? Which certificate file is
> mentioned in the README section 1.2?
The samples use the command openssl x509 ...
The manual page, for instance, describes openssl x509 as
"openssl-x509, x509 - Certificate display and signing utility".

> Is it the user certificate?
The command is a generic one and is not restricted to certificates used in ssh.

The only part that may affect PKIX-SSH is the command argument "-nameopt" if
the distinguished name has non-ASCII characters.

> If yes, will server administrator know about
> the user certificate beforehand so that he can configure user file
> authorized_keys on the SSH Server?
> Or is it a different Certificate? Kindly provide your valuable comments.
Unlike with a public key, if the server administrator knows how the certificate
is issued, I guess that he will know how the distinguished name is constructed.

In general the situation is one and the same as with a public key. The user has
to connect at least once and manually update authorized keys, or
inform the administrator how to obtain the public part of his identity - either
a public key or an X.509 certificate.


Roumen Petrov
