Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The output of 'generate_client_certificate.sh' is a .tar archive that contains the certificate, the public key that is used to authenticate servers as well as an instruction to install the certificate on the client's machine. It is stored in the home directory '$HOME/signed_keys'.

4 -

...

To sign host's public keys there is the script 'generate_host_certificate.sh' to simplify the procedure.
The scripts does have the following options:

  • -I
    • This takes the HOST_ID of the server.
    • e.g host.netdef.org
  • -f
    • The file that contains all the keys.
  • -V
    • Add the validity interval of a certificate
    • Per default a certificate is valid for one year.
    • More information can be found here: validity_interval
  • -n
    • This flag restricts the certificate to a list of principals that the host is known by.

The output of 'generate_host_certificate.sh' is the certificate 'HOST_ID-cert.pub' that needs to be copied to the host. It is stored in the home directory '$HOME/signed_keys'.

...

Troubleshooting

Export public key

Code Block
languagebash
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
ssh-keygen -D PATH_TO_YKCS11 -e

...