[ssh_x509] Certificate Procedures and Test Program

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue May 7 11:24:28 EEST 2019

Thank you,
   In the README.x509v3 file under the "X509 store" options, what is the
difference between *CACertificatePath* and *CACertificateFile* because
the CACertificateFile is not under the path directory pointed by
The definition says "certificates of certificate signers" , I believe this
means to verify the chain of certificates. and I do have one, a Root and
Intermediate concatenated ( bundled ), so now I am confused where to keep
my bundle? To me CACertificateFile feels like appropriate. in that case
what is the use of CACertificatePath.

Similar confusion between CARevocationFile and CARevocationPath.

Please clarify.


On Mon, Apr 29, 2019 at 1:28 AM <ssh_x509 at roumenpetrov.info> wrote:

> Hi
> ssh_x509 at roumenpetrov.info wrote:
> > [SNIP]
> > 2) I didn't understand the real use of IdentityFile, I believe only
> public
> > key file is sufficient to request certificate to the Microchip Program to
> > Sign using RootCA module. and using that certificate I can establish the
> > connect with the Server isn't ?
> >      - I read in the "*README.x509v3*" the IdentityFile should "*contain
> > both sections - private key and certificate in PEM format:*" what is the
> > need of having the Private key in the Identity file? does exposing the
> > Private key case the security breach?
> > [SNIP]
> By default "Identity file" has only private key.
> It is recommended to be password protected with permission suitable only
> for owner access.
> Public key could be generated from private with command ssh-keygen -y -f
> ....
> Only public part is shared with remote.
> Program checks for permission of private key refuse to use key
> "Permissions ...  '....' are too open.
> If identity is stored in file "foo" public part is in foo.pub.
> Now about certificate based identity.
> For custom certificate OpenBSD team decides to use "external file". If I
> remember well custom has only one level.
> By design I prefer for use that same file to store certificate that
> match key and other certificates.
> More or less this is like to expand whole content of a PKCS#12 file
> (openssl pkcs12 -in ....
> Also from identity file we could create pcs12 file :  openssl pkcs12
> -export  -in identity -out identity.p12 ...
> Technically I could design program to use foo.cert, foo.cert1 and
> foo.certN.
> If certificate chain has intermediate certificates solution with
> "single" file is more easy to maintain.
> Remarks:
> - ssh-keygen -y -f  also has to be used to create pub-file;
> - nevertheless that identity has certificates private part(key) has to
> be password protected;
> - intermediate certificates could be added to "x509 certificate store"
> instead user identity. This depend of algorithms used in authentication;
> - certificate chain is required for algorithms described in rfc6187 but
> not used in "legacy" one (draft-ietf-secsh-transport-12.txt) .
> Now about authentication process.
> Client try authentication with public part of first identity. In this
> phase is used pub-file (if exist) just to avoid user password.
> If identity is accepted by server client sends "signed" packet. Signing
> requires "private" part and user has to enter password, pin and so on.
> Remark: use of agent changes this part .
> Authentication process is described in detail in a number of documents
> (RFC) - see section "CONFORMING TO" in manual page ssh(1)
> In conclusion identity is not same as private key stored in a file.
> In authentication is used public part of identity either generated from
> private key or X509 certificate that match private. Private part is used
> only to sign an explicitly designed packet.
> Roumen
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info

More information about the ssh_x509 mailing list