Manual: (OSF1-V5.1-alpha)

ssh-certenroll2(1)                                           ssh-certenroll2(1)

NAME
  ssh-certenroll2, ssh-certenroll - Certificate enrollment client

SYNOPSIS
  ssh-certenroll2 [-V] [-S SOCKS-server] [-P proxy-url] [-g] [-t rsa | dsa]
  [-l key-size] [-o base-name] [-p cmp-ref-num:cmp-key] [-e] -a ca-access-url
  -s subject-name ca-cert-file [-private-key] [-u number]

OPTIONS
  -V  Prints the version string and exits.

  -S SOCKS-server
      Specifies the SOCKS server URL to be used when connecting to the
      certification authority.

  -P proxy-url
      Specifies the HTTP proxy server URL to be used when connecting to the
      certification authority.

  -g  Generates a new private key.

  -t rsa|dsa
      Specifies the type of key to be generated.  Valid types are rsa or dsa.
      The default is rsa.

  -l key-size
      Specifies the size of the key to be generated (in bits) with -g.  The
      default is 1024.

  -o base-name
      Specifies the base prefix of the generated files.  The private key, if
      generated, will be <base>.prv and the certificate will be
      <base>-num.crt.

  -p cmp-ref-num:cmp-key
      Specifies	the CMP	enrollment reference number and	key (the preshared

  -e  Enables the extensions in the subject name.  If, for example, ip, dns,
      or email extensions are used, the -e option must be present.

  -a ca-access-url
      Specifies the full URL to the certification authority.

  -s subject-dn-name ca-cert-file
      Specifies the subject name for the certificate.  For example,
      c=ca,o=acme,ou=development,cn=Rami Romi would specify the common user
      name "Rami Romi" in the organizational unit "development" in the
      organization "acme" in Canada ("ca").  If extensions such as e-mail are
      needed, the subject name could look like this:
          c=ca,o=acme,ou=development,cn=Rami Romi;email=rami_romi@acme.ca

      In this case, the -e option is required to enable subject name
      extensions.  Some possible extensions include ip, dns, and email.

  -u number
      Optionally gives the key usage bits.

DESCRIPTION
  The ssh-certenroll2 command allows users to enroll certificates.  It will
  connect to a certification authority (CA) and use the CMPv2 protocol for
  enrolling a certificate.  The user can supply an existing private key when
  creating the certification request or allow a new key to be generated.


  SSH is a registered trademark	of SSH Communication Security Ltd.

EXAMPLES
   1.  Enroll a certificate and generate a DSA private key:
        ssh-certenroll2 -g -t dsa -o mykey -p 12345:abcd -S
        socks://fw.myfirm.com:1080 -a http://www.ca-auth.domain:8080/pkix/ -s
        "c=fi,o=acme,cn=Rami Romi" ca-certificate.crt

       This will generate a private key called mykey.prv and a certificate
       called mykey-0.crt.

   2.  Enroll a certificate using a supplied private key and provide an
       e-mail extension:
        ssh-certenroll2 -o mykey -p 12345:ab -a http://www.ca-auth.domain:8080/pkix/
        -s "c=ca,o=acme,cn=Rami Romi;email=rami@acme.ca" ca-certificate.crt
        my_private_key.prv

       This will generate and enroll a certificate called mykey-0.crt.
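The subject-name syntax described under -s and the two enrollment examples above, as an added Python example (not code from the Tru64 man page or from the ssh-certenroll2 tool): it parses a -s value into DN attributes and extensions, enforces the constraints the page states (-t accepts only rsa or dsa, -l is meaningful only with -g, -e must be present whenever extensions are used, ':' separates the -p reference number from the key), and assembles the argument vector without executing anything. The grammar (comma-separated attr=value pairs, then ';'-separated extension=value pairs), the set of accepted DN attribute names, the ip/email syntax checks, and the use of 0 as the first certificate number are assumptions inferred from the page's examples.

```python
"""Dry-run builder for ssh-certenroll2 invocations.

Added example: not code from the Tru64 man page or from the
ssh-certenroll2 tool itself.  The subject-name grammar (comma-separated
attr=value pairs, then ';'-separated extension=value pairs) and the accepted
attribute names are inferred from the man page's examples.
"""
import re
import shlex

KNOWN_EXTENSIONS = {"ip", "dns", "email"}   # extension keywords the page names
KNOWN_DN_ATTRS = {"c", "o", "ou", "cn"}      # assumption: X.500 short names


class SubjectNameError(ValueError):
    """Raised when a -s value does not follow the documented syntax."""


def _split_pairs(text, sep, what):
    """Split 'k=v<sep>k=v' into [(k, v), ...], rejecting empty keys/values."""
    pairs = []
    for item in text.split(sep):
        item = item.strip()
        if not item or "=" not in item:
            raise SubjectNameError(f"bad {what} component {item!r}")
        key, value = (s.strip() for s in item.split("=", 1))
        if not key or not value:
            raise SubjectNameError(f"empty key or value in {item!r}")
        pairs.append((key.lower(), value))
    return pairs


def parse_subject_name(subject):
    """Return (dn_pairs, extension_pairs) for a -s argument."""
    dn_part, _, ext_part = subject.partition(";")
    dn = _split_pairs(dn_part, ",", "DN")
    for key, _ in dn:
        if key not in KNOWN_DN_ATTRS:
            raise SubjectNameError(f"unknown DN attribute {key!r}")
    exts = _split_pairs(ext_part, ";", "extension") if ext_part else []
    for key, value in exts:
        if key not in KNOWN_EXTENSIONS:
            raise SubjectNameError(f"unknown extension {key!r}")
        # Minimal syntax checks (assumption: failing early keeps a malformed
        # request from ever reaching the CA).
        if key == "email" and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            raise SubjectNameError(f"malformed email extension {value!r}")
        if key == "ip" and not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
            raise SubjectNameError(f"malformed ip extension {value!r}")
    return dn, exts


def build_enroll_command(base, cmp_ref, cmp_key, ca_url, subject, ca_cert,
                         private_key=None, key_type="rsa", key_size=None,
                         socks=None, proxy=None):
    """Assemble the ssh-certenroll2 argv; does not execute anything."""
    if key_type not in ("rsa", "dsa"):
        raise ValueError("-t accepts only rsa or dsa")
    if ":" in cmp_ref or ":" in cmp_key:
        raise ValueError("CMP reference number and key must not contain ':'")
    if private_key is not None and key_size is not None:
        raise ValueError("-l only applies when a key is generated with -g")
    _, exts = parse_subject_name(subject)      # raises on bad syntax

    argv = ["ssh-certenroll2"]
    if socks:
        argv += ["-S", socks]
    if proxy:
        argv += ["-P", proxy]
    if private_key is None:                     # no supplied key: generate one
        argv += ["-g", "-t", key_type]
        if key_size is not None:
            argv += ["-l", str(key_size)]
    argv += ["-o", base, "-p", f"{cmp_ref}:{cmp_key}"]
    if exts:
        argv.append("-e")   # page: -e must be present when extensions are used
    argv += ["-a", ca_url, "-s", subject, ca_cert]
    if private_key is not None:                 # positional, after ca-cert-file
        argv.append(private_key)
    return argv


def expected_output_files(base, generate_key):
    """Files the page says appear: <base>.prv (only with -g) and <base>-0.crt.
    Assumption: the first certificate number is 0, as in both examples."""
    files = [f"{base}.prv"] if generate_key else []
    return files + [f"{base}-0.crt"]


def render_command(argv):
    """Shell-quoted one-liner, e.g. for a runbook or change record."""
    return shlex.join(argv)


if __name__ == "__main__":
    argv = build_enroll_command("mykey", "12345", "abcd",
                                "http://www.ca-auth.domain:8080/pkix/",
                                "c=fi,o=acme,cn=Rami Romi", "ca-certificate.crt",
                                key_type="dsa", socks="socks://fw.myfirm.com:1080")
    print(render_command(argv))
    print(expected_output_files("mykey", generate_key=True))
```

Two points worth keeping in mind when wrapping the tool this way: the -p value is the CMP preshared secret, and anything passed on a command line is visible to other local users in process listings and may land in shell history, so a wrapper should obtain it at run time rather than hard-code it; and the 1024-bit default for -l reflects the age of this man page, so a current deployment would pass an explicit, larger key size.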


      Specifies the SOCKS server (if any) to use when connecting to the
      certification authority.  See ssh2 for the format of this variable.


      Used for the "SocksServer" option only.


  Guides: Security Administration