Manual: (OSF1-V5.1-alpha)



ssh-certenroll2(1)					   ssh-certenroll2(1)



NAME

  ssh-certenroll2, ssh-certenroll - Certificate	enrollment client

SYNOPSIS

  ssh-certenroll2 [-V] [-S SOCKS-server] [-P proxy-url] [-g] [-t rsa | dsa]
  [-l key-size] [-o base-name] [-p cmp-ref-num:cmp-key] [-e] -a ca-access-url
  -s subject-name ca-cert-file [-private-key] [-u number]

OPTIONS

  -V  Prints the version string	and exits.

  -S SOCKS-server
      Specifies the SOCKS server URL to be used when connecting to the
      certification authority.

  -P proxy-url
      Specifies	the HTTP proxy server URL to be	used when connecting to	the
      certification authority.

  -g  Generates	a new private key.

  -t rsa|dsa
      Specifies	the type of key	to be generated.  Valid	types are rsa or dsa.
      The default is rsa.

  -l key-size
      Specifies	the size of the	key to be generated (in	bits) with -g.	The
      default is 1024.

  -o base-name
      Specifies the base prefix of the generated files.  The private key, if
      generated, will be <base>.prv and the certificate will be <base>-num.crt.

  -p cmp-ref-num:cmp-key
      Specifies	the CMP	enrollment reference number and	key (the preshared
      secret).

  -e  Enables the extensions in	the subject name.  If, for example, ip,	dns,
      or email extensions are used, the	-e option must be present.

  -a ca-access-url
      Specifies	the full URL to	the certification authority.

  -s subject-dn-name ca-cert-file
      Specifies the subject name for the certificate.  For example,
      c=ca,o=acme,ou=development,cn=Rami Romi would specify the common user
      name "Rami Romi" in the organizational unit "development" in the
      organization "acme" in Canada ("ca").  If extensions such as e-mail are
      needed, the subject name could look like this:
	   c=ca,o=acme,ou=development,cn=Rami Romi;email=rami_romi@acme.ca

      In this case, the -e option is required to enable subject name
      extensions.  Some possible extensions include ip, dns, and email.

  -u number
      Optionally gives the key usage bits.

DESCRIPTION

  The ssh-certenroll2 command allows users to enroll certificates.  It will
  connect to a certification authority (CA) and	use the	CMPv2 protocol for
  enrolling a certificate.  The	user can supply	an existing private key	when
  creating the certification request or	allow a	new key	to be generated.

LEGAL NOTICES

  SSH is a registered trademark	of SSH Communication Security Ltd.

EXAMPLES

   1.  Enroll a certificate and generate a DSA private key:
	    ssh-certenroll2 -g -t dsa -o mykey -p 12345:abcd
	    -S socks://fw.myfirm.com:1080 -a http://www.ca-auth.domain:8080/pkix/
	    -s "c=fi,o=acme,cn=Rami Romi" ca-certificate.crt


       This will generate a private key	called mykey.prv and a certificate
       called mykey-0.crt.

   2.  Enroll a certificate using a supplied private key and provide an
       e-mail extension:
	    ssh-certenroll2 -o mykey -p 12345:ab -a http://www.ca-auth.domain:8080/pkix/
	    -s "c=ca,o=acme,cn=Rami Romi;email=rami@acme.ca"
	    ca-certificate.crt my_private_key.prv


       This will generate and enroll a certificate called mykey-0.crt.
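The subject-name syntax described under -s and -e, together with the command lines in the examples above, as a parser and argv builder. This is an added example, not code from the manual page or from the SSH product; the function names (parse_subject, build_enroll_command) are hypothetical helpers, and the sample values are constructed to echo the examples above.

```python
"""ssh-certenroll2 subject-name parser and command builder (added example).

Not part of the manual page or the SSH product.  Mirrors the -s syntax above
(comma-separated DN attributes, then optional ';'-separated extensions) and
the rule that -e must accompany any extension.  Function names are hypothetical.
"""

# Extension names the manual lists as usable with -e.
SUPPORTED_EXTENSIONS = {"ip", "dns", "email"}

def _pairs(text, sep):
    """Split 'a=b<sep>c=d' into [('a', 'b'), ('c', 'd')]; reject bare tokens."""
    out = []
    for item in filter(None, text.split(sep)):
        if "=" not in item:
            raise ValueError(f"expected name=value, got {item!r}")
        name, value = item.split("=", 1)
        out.append((name.strip().lower(), value.strip()))
    return out

def parse_subject(subject):
    """Return (dn_attributes, extensions) for a -s subject string."""
    dn_part, _, ext_part = subject.partition(";")
    dn, exts = _pairs(dn_part, ","), _pairs(ext_part, ";")
    if not dn:
        raise ValueError("subject name has no DN attributes")
    for name, _ in exts:
        if name not in SUPPORTED_EXTENSIONS:
            raise ValueError(f"unsupported subject extension: {name}")
    return dn, exts

def build_enroll_command(subject, cmp_ref, cmp_key, ca_url, ca_cert, base,
                         key_type=None, private_key=None, socks=None):
    """Assemble argv for ssh-certenroll2.  Exactly one of key_type (-g -t)
    or private_key (trailing argument) must be given, per DESCRIPTION."""
    if (key_type is None) == (private_key is None):
        raise ValueError("choose either key generation or an existing private key")
    _, exts = parse_subject(subject)
    argv = ["ssh-certenroll2"]
    if socks:
        argv += ["-S", socks]
    if key_type:
        argv += ["-g", "-t", key_type]
    argv += ["-o", base, "-p", f"{cmp_ref}:{cmp_key}"]
    if exts:
        argv.append("-e")  # required whenever subject extensions are present
    argv += ["-a", ca_url, "-s", subject, ca_cert]
    if private_key:
        argv.append(private_key)
    return argv
```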

ENVIRONMENT VARIABLES

  SSH_SOCKS_SERVER
	  Specifies the	SOCKS server (if any) to use when connecting to	the
	  certification	authority.  See	ssh2 for the format of this variable.

FILES

  $SERVER_DIR/ssh2/ssh2_config
      Used for the "SocksServer" option	only.

  $HOME/.ssh2/ssh2_config
      Used for the "SocksServer" option only.

SEE ALSO

  Guides: Security Administration