SSH - Implementing OpenSSH Certificates with smartcards
I want to implement public key authentication with a CA and a smart card. OpenSSH has its own certificate format, which is not X.509.

I have a server (sshd) and a client. I already made public key authentication with a CA work; now I want to bring a smart card into the equation. I use ARX cryptokit to access the smart card, and I want to import my key and certificate into the smart card. When I click "Import key", it says that I need a PKCS12 format certificate to import. I tried to convert my OpenSSH certificate and RSA private key to PKCS12 using OpenSSL, but it isn't accepting my certificate. I saw that it requires PEM encoding, but I can't seem to make it happen.

So my questions:

  1. How do I convert an OpenSSH certificate and key to PKCS12?

  2. Can I actually use smart cards with OpenSSH server and CA and the whole package?

Thanks in advance.

EDIT:
I will tell you the commands I wrote so there won't be any misunderstandings.

Generating CA keys

    ssh-keygen -t rsa -f CA

Generating user keys

    ssh-keygen -t rsa -f User

Signing User key

    ssh-keygen -s CA.priv -I identity -n username -V +52W User.pub

Now the output is user-cert.pub.
I want to turn my certificate and private key into PKCS12 format:

    openssl pkcs12 -export -out certificate.pfx -inkey user.priv -in user-cert.pub -certfile CA-cert.pub

CA-cert.pub is a self-signed certificate I generated the same way as the user key.

The output of the last command is "unable to load certificates".
I tried it without the last part, "-certfile CA-cert.pub", and the output is still the same.

Hope someone has an idea.










openssl smartcard openssh

asked Jan 27 at 16:31
Ilay Goldman

migrated from security.stackexchange.com Feb 21 at 18:16

This question came from our site for information security professionals.
1 Answer
1. OpenSSL can do the conversion.

    openssl pkcs12 -export -out servercert.p12 -inkey servercert.key -in servercert.crt -certfile CACert.crt

2. Yes, you can, but you'll need some tools:

  • one to interface to the SmartCard on the low level: the CryptoAPI / OpenCT (Win/Ux)
  • one to handle the content on the SmartCard (like OpenSC)
  • one that performs the authentication
  • one for playing with certificates and such (OpenSSL, like in the example above)
  • scripts to make everything smooth (ps / perl)








answered Jan 28 at 14:03
Overmind

• Hi, thanks for your answer. About the openssl command you wrote, I saw it on many sites, but it did not work for me with the certificate I generated with ssh-keygen; it said it couldn't load the certificates. That's why I thought that it can't handle OpenSSH certificates.
  – Ilay Goldman
  Jan 28 at 21:52

• That can happen if you have a chain of certificates and not just the one server certificate. In that case, you should include all intermediate certificates needed by the client to verify the chain.
  – Overmind
  Jan 29 at 8:35

• Please look at the edit above: I put my certificate as well as the CA self-signed certificate with the command I put there, still the same error. I even tried to turn my CA certificate, which is self-signed, and its private key into PKCS12 so no other certificates are needed, and still the same error.
  – Ilay Goldman
  Jan 29 at 8:57












