[ssh_x509] x509v3-sign-rsa, x509v3-ssh-rsa and x509v3-rsa2048-sha256

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Sep 1 15:25:07 EEST 2021


Thanks Roumen for the response.

I use the openssl commands below to generate the user certificate:

    openssl req -nodes -new -x509 -keyout userkey.pem -out userreq.pem -days 365 -config openssl.cnf

    openssl x509 -x509toreq -in userreq.pem -signkey userkey.pem -out tmp.pem

    openssl ca -config openssl.cnf -extensions usr_cert -out usercert.pem -infiles tmp.pem


I tried varying the bit size (1024/2048/4096) and default_md
(sha1/sha256/sha512) in the openssl.cnf file.

But I see that in all attempts, the generated usercert.pem is of
public key algorithm type x509v3-sign-rsa only. I am unable to generate the
types x509v3-ssh-rsa and x509v3-rsa2048-sha256.

Could you please help with this, i.e. the steps to generate a user certificate of
these types: x509v3-ssh-rsa and x509v3-rsa2048-sha256?

Note:

1) I have my SSH server ready and working, authenticating user certificates
of type x509v3-sign-rsa. I am looking to add support for authenticating
user certificates of pk-alg type x509v3-ssh-rsa and
x509v3-rsa2048-sha256.

2) I use pkixssh-13.1 as the SSH client.


Thanks & Regards,
Murugesh P.


On 8/24/21, murugesh pitchaiah <murugesh.pitchaiah at gmail.com> wrote:
> Hi,
>
> I am working on generating x509v3 certificates for an ssh user. I see that
> with default_md set to 'sha256' in the openssl.cnf file, the
> key/certificate is generated with algorithm type 'x509v3-sign-rsa'.
>
> I see its signature algorithm is:
>
>     Signature Algorithm: sha256WithRSAEncryption
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>
>
> Can anyone please share how to generate a certificate for
> x509v3-ssh-rsa and x509v3-rsa2048-sha256? Basically, I am looking for the
> difference between these three types of public key algorithms, and how
> to generate certificates of these types:
>
> x509v3-sign-rsa, x509v3-ssh-rsa and x509v3-rsa2048-sha256
>
> Because even for x509v3-sign-rsa, I see the size is 2048 bit and it
> is sha256. Is it something to vary in the 'default_md' (or newkey rsa:size
> and -sha) fields to generate these different cert types?
>
> Thanks in advance.
>
> Regards,
> Murugesh P.
>


