Abstract

As there are two different certificates, there are two individual tasks to set up a host. If you would like to use only one certificate, execute only the corresponding task.

Host Certificate

To enable certificate-based login on a host, its public RSA key needs to be signed by the CA. To do so, copy the public RSA key 'ssh_host_rsa_key.pub' to the CA, sign it and copy the certificate back to the host. The resulting certificate is called 'ssh_host_rsa_key-cert.pub'. To enable SSH-based login, two things are required on the host:

...

Step 1 - Host Certificate

To tell the SSH daemon about the certificate, add the following configuration lines to the file '/etc/ssh/sshd_config'. In addition, copy the certificate to the specified location. The host sends this certificate to the client to identify itself as a trusted host.

Note

Copy the certificate to the specified location.


### Host certificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

...

Client Certificate

Add the following lines to the file '/etc/ssh/sshd_config' to tell the SSH daemon about the public key used to verify client certificates. In addition, copy the public key to the specified location. The host trusts all certificates that are signed by our CA.

...
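
The signing steps described above, carried through end to end as an added example (not the page's own commands): it creates a throwaway CA, signs a host key with `-h` and a user key without it, and checks each certificate's type, principals and signing CA before it would be deployed. The Ed25519 CA, the key IDs, principals, validity periods and all file names other than `ssh_host_rsa_key*` are assumptions.

```bash
# Added example: all keys are constructed in a scratch directory DIR.
# Key IDs, principals and validity periods below are assumptions.

# make_ca DIR: create a throwaway CA key pair (DIR/ca and DIR/ca.pub).
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$1/ca"
}

# sign_host DIR FQDN: create an RSA host key and sign it as a HOST certificate (-h).
# Result: DIR/ssh_host_rsa_key-cert.pub, the file HostCertificate points at.
sign_host() {
    ssh-keygen -q -t rsa -b 3072 -N '' -f "$1/ssh_host_rsa_key"
    ssh-keygen -q -s "$1/ca" -I "host:$2" -h -n "$2" -V +52w "$1/ssh_host_rsa_key.pub"
}

# sign_user DIR LOGIN: create a user key and sign it as a USER certificate (no -h).
sign_user() {
    ssh-keygen -q -t ed25519 -N '' -f "$1/id_user"
    ssh-keygen -q -s "$1/ca" -I "user:$2" -n "$2" -V +1d "$1/id_user.pub"
}

# cert_kind CERT: print "host" or "user" as recorded in the certificate.
cert_kind() {
    ssh-keygen -L -f "$1" | awk '/Type:/ {print $(NF-1)}'
}

# cert_principals CERT: print the principals the certificate is valid for.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

# signed_by CERT CA_PUB: succeed only if the certificate's signing CA
# fingerprint equals the fingerprint of CA_PUB.
signed_by() {
    want=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    got=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}')
    [ -n "$want" ] && [ "$want" = "$got" ]
}
```

Source the file, then run `make_ca`, `sign_host` and `sign_user` against an empty directory. A host certificate signed without `-h` reports `user` from `cert_kind`, which is the mistake to catch before copying the file to the host.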