SSH - Implementing OpenSSH Certificates with smartcards
I want to implement public key authentication with a CA and a smart card. OpenSSH has its own certificate format, which is not X.509.
I have a server (SSHD) and a client. I already made public key authentication happen with a CA; now I want to insert a smart card into the equation. I use ARX cryptokit to access the smart card and I want to import my key and certificate into the smart card. When I click "Import key", it says that I need a PKCS12 format certificate to import. I tried to convert my OpenSSH certificate and RSA private key to PKCS12 using OpenSSL, but it isn't accepting my certificate. I saw that it requires PEM encoding but I can't seem to make it happen.
So my questions:
- How do I convert an OpenSSH certificate and key to PKCS12?
- Can I actually use smart cards with an OpenSSH server and CA and the whole package?
Thanks in advance.
EDIT:
I will tell you the commands I wrote so there won't be any misunderstandings.
Generating CA keys:
ssh-keygen -t rsa -f CA
Generating user keys:
ssh-keygen -t rsa -f User
Signing the user key:
ssh-keygen -s CA.priv -I identity -n username -V +52W User.pub
Now the output is user-cert.pub.
I want to turn my certificate and private key into PKCS12 format:
openssl pkcs12 -export -out certificate.pfx -inkey user.priv -in user-cert.pub -certfile CA-cert.pub
CA-cert.pub is a self-signed certificate I generated the same way as the user key.
The output of the last command is "unable to load certificates".
I tried it without the last part, "-certfile CA-cert.pub", and the output is still the same.
Hope someone has an idea.
openssl smartcard openssh
migrated from security.stackexchange.com Feb 21 at 18:16
This question came from our site for information security professionals.
asked Jan 27 at 16:31
Ilay Goldman
1 Answer
OpenSSL can do the conversion.
openssl pkcs12 -export -out servercert.p12 -inkey servercert.key -in servercert.crt -certfile CACert.crt
Yes, you can, but you'll need some tools:
- one to interface to the SmartCard on the low level: the CryptoAPI / OpenCT (Win/Ux)
- one to handle the content on the SmartCard (like OpenSC)
- one that performs the authentication
- one for playing with certificates and such (OpenSSL, like in example above)
- scripts to make everything smooth (ps / perl)
Hi, thanks for your answer. About the openssl command you wrote, I saw it in many sites but it did not work for me with the certificate I generated with ssh-keygen; it said it couldn't load the certificates. That's why I thought that it can't handle OpenSSH certificates.
– Ilay Goldman
Jan 28 at 21:52
That can happen if you have a chain of certificates and not just the one server certificate. In that case, you should include all intermediate certificates needed by the client to verify the chain.
– Overmind
Jan 29 at 8:35
Please look at the edit above. I put my certificate as well as the CA self-signed certificate with the command I put there; still the same error. I even tried to turn my CA certificate, which is self-signed, and its private key to PKCS12 so no other certificates are needed, and still the same error.
– Ilay Goldman
Jan 29 at 8:57
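As the question itself notes, an OpenSSH certificate is not X.509: the file `ssh-keygen -s` writes is a base64 blob of SSH wire-format fields (length-prefixed strings and integers), not PEM-framed ASN.1/DER, so `openssl pkcs12 -in user-cert.pub` has no X.509 certificate to load. The following decoder is an added example, not code from the question or the answer; `build_sample_cert_line` constructs a dummy certificate with a fake modulus and fake signature purely as test input, and the field layout follows the `ssh-rsa-cert-v01@openssh.com` format from OpenSSH's PROTOCOL.certkeys.

```python
import base64
import struct

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"

def _s(b):  # encode an SSH wire 'string': uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _rd_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _rd_int(buf, off, fmt):  # ">I" for uint32, ">Q" for uint64
    return struct.unpack_from(fmt, buf, off)[0], off + struct.calcsize(fmt)

def parse_openssh_rsa_cert(line):
    keytype, b64 = line.split()[:2]
    if keytype != CERT_TYPE:
        raise ValueError("not an OpenSSH RSA certificate: " + keytype)
    blob = base64.b64decode(b64)
    _inner, off = _rd_string(blob, 0)           # repeats the key type
    _nonce, off = _rd_string(blob, off)         # CA-chosen random nonce
    _e, off = _rd_string(blob, off)             # mpint RSA public exponent
    n, off = _rd_string(blob, off)              # mpint RSA modulus
    serial, off = _rd_int(blob, off, ">Q")
    ctype, off = _rd_int(blob, off, ">I")       # 1 = user cert, 2 = host cert
    key_id, off = _rd_string(blob, off)         # the ssh-keygen -I value
    plist, off = _rd_string(blob, off)          # the -n values, packed as strings
    valid_after, off = _rd_int(blob, off, ">Q") # the -V window, as Unix times
    valid_before, off = _rd_int(blob, off, ">Q")
    _crit, off = _rd_string(blob, off)          # critical options
    _ext, off = _rd_string(blob, off)           # extensions (permit-pty, ...)
    _reserved, off = _rd_string(blob, off)
    ca_key, off = _rd_string(blob, off)         # CA public key blob (signature key)
    _sig, off = _rd_string(blob, off)           # CA signature over all fields above
    if off != len(blob):
        raise ValueError("trailing bytes in certificate blob")
    principals, p = [], 0
    while p < len(plist):
        name, p = _rd_string(plist, p)
        principals.append(name.decode())
    return {"type": "user" if ctype == 1 else "host", "serial": serial,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "modulus_bits": int.from_bytes(n, "big").bit_length(),
            "ca_key_type": _rd_string(ca_key, 0)[0].decode()}

def looks_like_x509_pem(text):  # the framing `openssl pkcs12 -in` expects
    return text.lstrip().startswith("-----BEGIN CERTIFICATE-----")

def build_sample_cert_line():  # constructed sample: dummy modulus and signature
    n = (1 << 2047) | 0x10001                     # 2048-bit integer, not a real key
    ca_blob = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\xaa" * 256)
    body = (_s(CERT_TYPE.encode()) + _s(b"\x00" * 32) + _s(b"\x01\x00\x01")
            + _s(n.to_bytes(257, "big")) + struct.pack(">QI", 7, 1)
            + _s(b"identity") + _s(_s(b"username"))
            + struct.pack(">QQ", 1548604800, 1580140800)
            + _s(b"") + _s(_s(b"permit-pty") + _s(b"")) + _s(b"")
            + _s(ca_blob) + _s(_s(b"rsa-sha2-512") + _s(b"\x00" * 256)))
    return CERT_TYPE + " " + base64.b64encode(body).decode() + " user@example"
```

Running `parse_openssh_rsa_cert` on a real `user-cert.pub` shows the same fields `ssh-keygen -L -f user-cert.pub` prints; nothing in that structure is a DER SEQUENCE, so the only way to put a certificate OpenSSL or a PKCS12 importer accepts on the card is to issue an X.509 certificate for the same key pair, which is a separate PKI from the OpenSSH CA.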
answered Jan 28 at 14:03
Overmind