[ssh_x509] Certificate Procedures and Test Program

ssh_x509 at roumenpetrov.info
Sat Apr 27 12:20:17 EEST 2019


Yes, your explanation is really superb and an eye opener; I think I am nearing
my goal with your help. Thank you so much.
The steps I am following:
Server Side:
=========
1) Installed PKIXSSH on my server, and installed my rootCA.pem file in the
Hash.No format in the "/et/ca/crt/Hash.No" path.
2) Also configured the other stores, though I think I am mostly not going to
use those, at least not for this experiment.

Client Side:
=========
1) I have installed PKIXSSH.
2) I didn't understand the real use of IdentityFile. I believe only the public
key file is sufficient to request a certificate from the Microchip program to
sign using the RootCA module, and using that certificate I can establish the
connection with the server, isn't it?
    - I read in the "*README.x509v3*" that the IdentityFile should "*contain
both sections - private key and certificate in PEM format:*". What is the
need of having the private key in the identity file? Does exposing the
private key cause a security breach?

Regards,
Srini.

On Sat, Apr 27, 2019 at 4:33 PM <ssh_x509 at roumenpetrov.info> wrote:

> Hi Srini.
>   ssh_x509 at roumenpetrov.info wrote:
> > Thanks Roumen Petrov,
> >     Firstly, I am using Microchip's ATECC508A. This chip has engine
> > support (*ateccx08*) for OpenSSL, so any openssl commands like genkey
> > and req will all be dedicated to the hardware firmware.
> > Of course this chip supports the PKI algorithms ECDSA, ECDH, and the X509
> > certificate format. While configuring these crypto modules for both Root
> > and Signer I have got the Root CA certificate in .Der format, and I have
> > also got a software release by Microchip which can sign/create the
> > certificate for n number of requests using my Root module. So my intention
> > in going for certificate based authentication of the SSH session is to
> > have better scale and control of user login while diagnosing the board
> > for maintenance.
> ok
>
> > Below are the steps in my mind to accomplish my requirement.
> > 1) Install the ROOT CA certificate (or only the public key) on the board
> > which runs the SSH server during provisioning.
>
> This certificate has to be installed into the certificate store on the
> server (to accept X.509 based user identities) and, if needed, on the
> client (to accept server host keys).
>
> There is nothing specific about this, as programs based on openssl use
> similar configuration ( https://roumenpetrov.info.example.net/domino_CA/
> ). Verification functionality is similar in such programs.
> See the manual page verify(1) for the openssl command. The command has two
> option arguments, [-CApath directory] [-CAfile file]. With those
> arguments the user can override the "defaults". Apache server uses
> SSLCACertificatePath and SSLCACertificateFile, PKIXSSH uses
> CACertificatePath and CACertificateFile, curl uses --capath and --cacert.
>
> Please consult OS vendor documentation about "default" settings.
>
>
>
> > 2) Generate a CSR from the client machine (laptop) and get the certificate
> > from the Root module every time maintenance of the board is needed.
> > 3) Use this new certificate to reach the board.
> >
> > I believe the above steps can be achieved using PKIXSSH.
> I'm not sure why PKIXSSH is expected to act as a certificate authority.
>
>
> > My Reply/clarification in-line.
> >
> > Regards,
> > Srini.
> [SNIP]
> > engine "*ateccx08*"; for example, I use to pass the below command to
> > generate the key pair:
> >            "*openssl engine ateccx08 -t -post GET_DEVICE_KEY:./key_data.pem*"
> ok
>
> I saw the commands supported by the engine: line 59 in file
> cryptoauthlib/lib/openssl/eccx08_cmd_defns.c, MicrochipTech github
> project "cryptoauth-openssl-engine".
>
>
> From the PKIXSSH point of view the command LOAD_CERT_CTRL is important if
> you would like to use an X.509 identity (and associated key) in ssh
> publickey authentication.
> This is a non-standard engine command and its existence is required to use
> an "external" X.509 certificate in the ssh authentication process.
>
>
> A)
> If I read the code properly, command LOAD_CERT_CTRL ignores the passed
> argument. This means that for the client option ... -i "engine:name" ...
> we could use any string for "name".
> Another command is SET_KEY_SLOT. If I understand the code, this is the way
> to use "name", so it could be done in the ssh engine configuration.
> The option is -G engconffile, for instance "... -G ateccx08.conf ...".
> Sample content of file ateccx08.conf:
> ateccx08
> SET_KEY_SLOT 2
>
> , where 2 is the slot as a numeric value ("Where to find the device
> private key"). See manual page ssh_engine(5) for details.
>
>
> B)
> Next, the engine has commands set_signer_cert_def and set_device_cert_def.
> It seems to me those commands are planned to be used in the certificate
> generation process. Unfortunately the ateccx08 engine currently implements
> them as "stubs".
>
> Regarding your initial question "how to issue certificates" etc.: for
> this board I cannot see another way for certificate creation except to
> use the vendor (Microchip) program.
>
> I hope that in chapter A) I have provided you enough information on how
> to use the certificate from the board.
>
>
> Regards,
> Roumen Petrov
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>
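The hashed CACertificatePath store discussed in the reply above (the "Hash.No" layout that openssl verify -CApath, Apache and PKIXSSH all read), as an added example that is not part of this thread; it assumes the openssl CLI is installed, uses constructed paths, and goes one step beyond the text by handling two CAs whose subject names hash to the same value.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Populates a
# CACertificatePath-style directory: each CA certificate is stored as
# <subject hash>.<N>, which is what openssl verify -CApath (and therefore
# PKIXSSH CACertificatePath) looks up when building a chain.
# Assumes the openssl CLI is available; all paths are supplied by the caller.
set -eu

# Print the store file name for a PEM CA certificate: the OpenSSL subject
# hash plus the first free numeric suffix. Two different CAs with the same
# subject name share a hash, so they get .0 and .1 instead of overwriting
# each other; re-installing an identical certificate reuses its slot.
ca_store_name() {
    _store=$1; _cert=$2
    _hash=$(openssl x509 -noout -subject_hash -in "$_cert")
    _n=0
    while [ -e "$_store/$_hash.$_n" ]; do
        if cmp -s "$_store/$_hash.$_n" "$_cert"; then
            echo "$_hash.$_n"   # already installed under this name
            return 0
        fi
        _n=$((_n + 1))
    done
    echo "$_hash.$_n"
}

# Copy a PEM CA certificate into the store under its hashed name and
# print the resulting path. The store only needs to be world-readable;
# it contains public certificates, never private keys.
install_ca_cert() {
    _store=$1; _cert=$2
    mkdir -p "$_store"
    _name=$(ca_store_name "$_store" "$_cert")
    cp "$_cert" "$_store/$_name"
    chmod 0644 "$_store/$_name"
    echo "$_store/$_name"
}

# Decide, exactly as a server configured with CACertificatePath would,
# whether a certificate chains to a CA present in the store.
verify_against_store() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```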