[ssh_x509] Certificate Procedures and Test Program

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sat Apr 27 11:33:04 EEST 2019

Hi Srini.
  ssh_x509 at roumenpetrov.info wrote:
> Thanks Roumen Petrov,
>     Firstly I am using Microchip's ATECC508A this chip has the engine
> support (*ateccx08*) for the OpenSSL, so any openssl commands like genkey,
> req will all dedicated to Hardware firmware.
> Of-course this chip supports PKI Algorithms ECDSA, ECDH, and the X509
> Certificate format. While configuring these crypto module for both Root and
> Signer I have got the Root CA certificate in .Der format. and I have also
> got a software release by Microchip which can sign/create the certificate
> for, n number of request using my Root module. So my intention to go for
> the Certificate based Authentication of SSH session is to have a better
> scale and control the user login while Diagnosing the board for maintenance.

> Below is the steps in my mind to accomplish my requirement.
> 1) Install ROOT CA Certificate(or only the public key) to the board which
> runs the SSH Server during provisioning.

This certificate  has to be installed into certificate store on server 
(to accept X.509 based user identities) and if need on client (to accept 
server host keys).

There is noting specific for this as programs based on openssl use 
similar configuration ( https://roumenpetrov.info.example.net/domino_CA/ 
) . Verification functionality is similar in such programs.
Let see manual page verify(1) for openssl command . Command has two 
options argument [-CApath directory] [-CAfile file]. With those 
arguments user could override "defaults" . Apache server uses 
SSLCACertificatePath and SSLCACertificateFile, PKIXSSH uses 
CACertificatePath and CACertificateFile, curl use --capath and --cacert .

Please consult OS vendor documentation about "default" settings.

> 2) Generate CSR from the client machine (Laptop) and get the certificate
> from Root module every time when maintenance to the board is needed.
> 3) Use this new certificate to reach the board.
> I Believe the above steps can be achieved using PKIXSSH.
I'm not sure why is expected PKIXSSH to act as certificate authority.

> My Reply/clarification in-line.
> Regards,
> Srini.
> engine "*ateccx08*" for exampe I use to pass the below command to generate
> the Key pair.
>            "*openssl engine ateccx08 -t -post GET_DEVICE_KEY:./key_data.pem*"

I saw commands supported by engine: line 59 in file 
cryptoauthlib/lib/openssl/eccx08_cmd_defns.c,  MicrochipTech github 
project "cryptoauth-openssl-engine".

 From PKIXSSH point of view this command LOAD_CERT_CTRLis important if 
you would like to use X.509 identity (and associated key) into ssh 
publickey authentication.
This is non-standard engine command and its existence is required to use 
"external" X.509 certificate in ssh authentication process.

If I read code properly command LOAD_CERT_CTRLignores passed argument . 
This meat that for client option .. -i "engine:name" ... we could use 
any string for "name" .
Another command is SET_KEY_SLOT. If I understand code this is way to use 
"name" - so it could be done in ssh engine configuration.
Option is -G engconffile, for instance "... -G ateccx08.conf ..." . 
Sample content of file ateccx08.conf:

, where 2 is slot as numeric value("Where to find the device private key").
See manual page ssh_engine(5) for details.

Next engine has commands set_signer_cert_defand set_device_cert_def. It 
seems to me those commands are planed to be used in certificate 
generation process.  Unfortunately currently ateccx08 engine implement 
them as "stubs".

Regarding you initial question "how to issue certificates" and etc. For 
this board I can not see another way for certificate creation except to 
use vendor (Microchip)program.

I hope that in chapter A) I provide to you enough information how to use 
certificate from board.

Roumen Petrov

More information about the ssh_x509 mailing list