[ssh_x509] x509v3-ssh-rsa hostkey algorithm on Cisco IOS XE

ssh_x509 at roumenpetrov.info
Sun Feb 23 12:15:15 EET 2020

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> [SNIP]
>> I'm not sure what you mean by CA.
> CA is for regular Certificate Authority. For sake of an example, here's
> reference of the SSH CA implementation -
Ah so custom one.

PKIX-SSH supports industry standards.
CA certificates are located in CACertificateFile and CACertificatePath.
Revocation lists are in CARevocationFile and CARevocationPath.
LDAP as a store is supported as well.
Also, for the client there is a "User" store.
This was pointed out before.

Note that custom CAs are quite elementary and have limited functionality.

> https://smallstep.com/blog/use-ssh-certificates/, I do run SSH CA for
> GNU/Linux systems and have a single line in known_hosts on the SSH client
> to trust all the systems in a certain domain (this is ssh-rsa-cert-v01
> hostkey algorithm):
>      @cert-authority *.lab.local ssh-rsa <public key of the SSH CA in ssh-rsa format>
> My idea was to do the same, but for Cisco IOS, so I've spun up a simple CA
> using OpenSSL, on that CA I've issued a cert that I put on my SSH server
> (Cisco IOS XE) that uses x509v3-ssh-rsa hostkey algorithm.

I guess that I understand the request. You would like to avoid per-host
entries in the known_hosts file.

For X.509 there is a standard mechanism mapping host names to certificates.
It is mentioned in [RFC6187] with a reference to a section of [RFC5280].
The mechanism is not implemented yet. Patches are welcome.

> [SNIP]
> ---
> Sergei Fomin

Roumen Petrov
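As an added illustration of the two host-matching rules this thread contrasts (the OpenSSH known_hosts "@cert-authority *.lab.local" pattern versus an X.509 dNSName as referenced via RFC 5280), the following is example code written for this page, not code from PKIX-SSH, OpenSSH, or either correspondent. The CA key blob is a constructed placeholder, not a real key, and all function names are assumptions of this example.

```python
import base64

# Constructed sample of the line the thread describes; the blob is a placeholder
# ssh-rsa wire-format key (type string, e=65537, dummy 2-byte n), not a real CA key.
_CA_BLOB = base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" b"\x00\x00\x00\x03\x01\x00\x01" b"\x00\x00\x00\x02\x00\xc3"
).decode()
CA_LINE = f"@cert-authority *.lab.local ssh-rsa {_CA_BLOB}"

def parse_cert_authority_line(line):
    """Return (patterns, keytype, base64blob) for an '@cert-authority' known_hosts line."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "@cert-authority":
        raise ValueError("not an @cert-authority line")
    return parts[1], parts[2], parts[3]

def ssh_blob_key_type(b64blob):
    """Key type string inside the wire-format blob; it must agree with the declared type."""
    raw = base64.b64decode(b64blob)
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n].decode()

def _match_pattern(s, p):
    """OpenSSH-style glob: '*' matches any run of characters (dots included), '?' one char."""
    if not p:
        return not s
    if p[0] == "*":
        return any(_match_pattern(s[i:], p[1:]) for i in range(len(s) + 1))
    return bool(s) and (p[0] == "?" or p[0] == s[0]) and _match_pattern(s[1:], p[1:])

def known_hosts_matches(host, patterns):
    """Apply a comma-separated known_hosts pattern list; a matching '!' pattern wins."""
    host, matched = host.lower(), False
    for pat in patterns.lower().split(","):
        negated = pat.startswith("!")
        if _match_pattern(host, pat[1:] if negated else pat):
            if negated:
                return False
            matched = True
    return matched

def x509_dnsname_matches(host, dnsname):
    """RFC 6125-style dNSName match: a single '*' only as the whole leftmost label."""
    host, dnsname = host.lower(), dnsname.lower()
    if "*" not in dnsname:
        return host == dnsname
    labels = dnsname.split(".")
    if labels[0] != "*" or "*" in dnsname[1:] or len(labels) < 3:
        return False
    return host.split(".")[1:] == labels[1:] and host.count(".") == len(labels) - 1
```

The practical difference to keep in mind: the known_hosts wildcard spans dots, so "*.lab.local" also covers "a.b.lab.local", while an X.509 dNSName wildcard only covers a single leftmost label.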

More information about the ssh_x509 mailing list