[ssh_x509] x509v3-sign-rsa, x509v3-ssh-rsa and x509v3-rsa2048-sha256

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue Aug 31 22:58:33 EEST 2021


ssh_x509 at roumenpetrov.info wrote:
> Hi,
> I am working on generating the x509v3 certificates for ssh user. I see
> with the default_md as 'sha256', in openssl.cnf file, the
> key/certificate is generated with algorithm type as 'x509v3-sign-rsa'.
SecSH public key algorithms does not depend from issuer.

> I see its signature algorithm is :
>      Signature Algorithm: sha256WithRSAEncryption
>              Public Key Algorithm: rsaEncryption
>                  Public-Key: (2048 bit)
> Can any one please share how to generate certificate for
> x509v3-ssh-rsa and x509v3-rsa2048-sha256 ? Basically looking for
> difference between these three type of public key algorithms ,and how
> to generate certificate of these types:

RSA key is base.
SecSH public key algorithm depends from many factors.
- server supported  algorithms - A, B, C ...
- client supported algorithms -D, E, F ...
- client preferred algorithms -F, D, E ...

> x509v3-sign-rsa, x509v3-ssh-rsa and x509v3-rsa2048-sha256
> Because, even for x509v3-sign-rsa - I see the size is 2048 bit and it
> is sha256. Is it something to vary in 'default_md' (or newkey rsa:size
>   and -sha) fields to vary to generate these different cert types ?
You could generate it according CA policy. This is separate and independent process.

In PKIX-SSH you could control algorithms.
For instance on daemon side ( see sshd_config(5), for instance https://securebox.termoneplus.com/man5/sshd_config.5.html ) :
- AcceptedAlgorithms
- PubkeyAlgorithms
- HostbasedAlgorithms
- HostKeyAlgorithms

on client side ( see ssh_config(5), for instance https://securebox.termoneplus.com/man5/ssh_config.5.html ) :
- PubkeyAlgorithms
- HostbasedAlgorithms
- HostKeyAlgorithms

Also you could tine on both sides with X509KeyAlgorithm but this is for advanced use. More or less it is to support specific implementation.

Remark: by default list is :
- x509v3-rsa2048-sha256
- x509v3-ssh-rsa
- x509v3-sign-rsa

As you report x509v3-sign-rsa I guess that connection is to server that does not support "Extension Negotiation in the Secure Shell (SSH) Protocol", RFC 8308 or PKIX-SSH version is old.

> Thanks in advance.
> Regards,
> Murugesh P.

Roumen Petrov

More information about the ssh_x509 mailing list