ssh-certenroll2(1)

NAME
ssh-certenroll2, ssh-certenroll - Certificate enrollment client
SYNOPSIS
ssh-certenroll2 [-V] [-S SOCKS-server] [-P proxy-url] [-g] [-t rsa | dsa]
[-l key-size] [-o base-name] [-p cmp-ref-num:cmp-key] [-e]
-a ca-access-url -s subject-name ca-cert-file [-private-key] [-u number]
OPTIONS
-V   Prints the version string and exits.

-S SOCKS-server
     Specifies the SOCKS server URL to be used when connecting to the
     certification authority.

-P proxy-url
     Specifies the HTTP proxy server URL to be used when connecting to
     the certification authority.

-g   Generates a new private key.

-t rsa | dsa
     Specifies the type of key to be generated. Valid types are rsa or
     dsa. The default is rsa.

-l key-size
     Specifies the size of the key to be generated (in bits) with -g.
     The default is 1024.

-o base-name
     Specifies the base prefix of the generated files. The private key,
     if generated, will be <base>.prv and the certificate will be
     <base>-num.crt.

-p cmp-ref-num:cmp-key
     Specifies the CMP enrollment reference number and key (the
     preshared secret).

-e   Enables the extensions in the subject name. If, for example, ip,
     dns, or email extensions are used, the -e option must be present.

-a ca-access-url
     Specifies the full URL to the certification authority.

-s subject-name
     Specifies the subject name for the certificate. For example,
     c=ca,o=acme,ou=development,cn=Rami Romi would specify the common
     user name "Rami Romi" in the organizational unit "development" in
     the organization "acme" in Canada ("ca"). If extensions such as
     e-mail are needed, the subject name could look like this:
     c=ca,o=acme,ou=development,cn=Rami Romi;email=rami_romi@acme.ca
     In this case, the -e option is required to enable subject name
     extensions. Some possible extensions include ip, dns, and email.

-u number
     Optionally gives the key usage bits.
DESCRIPTION
The ssh-certenroll2 command allows users to enroll certificates. It
connects to a certification authority (CA) and uses the CMPv2 protocol
to enroll a certificate. The user can supply an existing private key
when creating the certification request or allow a new key to be
generated.
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
EXAMPLES
Enroll a certificate and generate a DSA private key:

     ssh-certenroll2 -g -t dsa -o mykey -p 12345:abcd \
         -S socks://fw.myfirm.com:1080 \
         -a http://www.ca-auth.domain:8080/pkix/ \
         -s "c=fi,o=acme,cn=Rami Romi" ca-certificate.crt

This will generate a private key called mykey.prv and a certificate
called mykey-0.crt.

Enroll a certificate using a supplied private key and provide an e-mail
extension:

     ssh-certenroll2 -o mykey -p 12345:ab \
         -a http://www.ca-auth.domain:8080/pkix/ \
         -s "c=ca,o=acme,cn=Rami Romi;email=rami@acme.ca" \
         ca-certificate.crt my_private_key.prv

This will generate and enroll a certificate called mykey-0.crt.
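The -s option above accepts a distinguished name optionally followed by
";type=value" extensions, and the -e flag must accompany any such
extension. The following POSIX sh helper, an added example that is not
part of the ssh-certenroll2 man page or the product, checks a subject
name against those rules (DN must carry cn=; extension types limited to
the ip, dns and email types the page lists) and assembles the command
line for review, adding -e only when extensions are present. The helper
names, the ca-certificate.crt file name and the sample subjects are
constructed for illustration; the real ssh-certenroll2 binary is never
invoked.

```shell
#!/bin/sh
# Added example, not part of the ssh-certenroll2 man page: pre-flight check
# of the -s subject-name argument in the "dn;ext=value;..." form. Helper
# names and sample values are constructed; ssh-certenroll2 is not run.

# Print the distinguished-name part (text before the first ';').
subject_dn() {
    printf '%s\n' "${1%%;*}"
}

# Print the extension part (text after the first ';'), or nothing.
subject_extensions() {
    case "$1" in
        *\;*) printf '%s\n' "${1#*;}" ;;
    esac
}

# Return 0 if the subject carries extensions (so -e is mandatory), else 1.
needs_e_flag() {
    [ -n "$(subject_extensions "$1")" ]
}

# Validate a subject name: the DN must carry cn=, and every extension must
# be type=value with type one of ip, dns or email (the types the man page
# names). Returns 0 when valid, 1 with a diagnostic on stderr otherwise.
validate_subject() {
    dn=$(subject_dn "$1")
    case ",$dn," in
        *,cn=*) ;;
        *) echo "subject DN lacks cn=: $dn" >&2; return 1 ;;
    esac
    exts=$(subject_extensions "$1")
    if [ -z "$exts" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=';'
    for ext in $exts; do
        ext_type=${ext%%=*}
        ext_value=${ext#*=}
        case "$ext_type" in
            ip|dns|email) ;;
            *) IFS=$old_ifs; echo "unknown extension type: $ext_type" >&2; return 1 ;;
        esac
        if [ "$ext_value" = "$ext" ] || [ -z "$ext_value" ]; then
            IFS=$old_ifs; echo "extension $ext_type has no value" >&2; return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# Print the ssh-certenroll2 command line for review, adding -e only when
# the subject name carries extensions. Fails if the subject is invalid.
enroll_command() {
    subject=$1; ca_url=$2; base=$3; ca_cert=$4
    validate_subject "$subject" || return 1
    flags="-o $base -a $ca_url"
    if needs_e_flag "$subject"; then
        flags="$flags -e"
    fi
    printf '%s\n' "ssh-certenroll2 $flags -s \"$subject\" $ca_cert"
}

# Constructed sample run: the e-mail form from the man page's second example.
enroll_command "c=ca,o=acme,cn=Rami Romi;email=rami@acme.ca" \
    http://www.ca-auth.domain:8080/pkix/ mykey ca-certificate.crt
```

The check runs before any network connection to the CA, so a malformed
subject or an extension type the client does not understand is caught
locally instead of producing a rejected or mis-issued certificate; the
printed command line is meant to be reviewed and then run by hand.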
ENVIRONMENT VARIABLES
Specifies the SOCKS server (if any) to use when connecting to the
certification authority. See ssh2 for the format of this variable.
FILES
Used for the "SocksServer" option only.

Used for the "SocksServer" option only.
SEE ALSO
Guides: Security Administration