NAME
ssh-certenroll2, ssh-certenroll - certificate enrollment

SYNOPSIS
ssh-certenroll2 [-V] [-S SOCKS-server] [-P proxy-url] [-g]
    [-t rsa | dsa] [-l key-size] [-o base-name] [-p cmp-refnum:cmp-key]
    [-e] -a ca-access-url -s subject-name cacert-file
    [-private-key] [-u number]
OPTIONS
-V
    Prints the version string and exits.
-S SOCKS-server
    Specifies the SOCKS server URL to be used when connecting to the
    certification authority.
-P proxy-url
    Specifies the HTTP proxy server URL to be used when connecting to the
    certification authority.
-g
    Generates a new private key.
-t rsa | dsa
    Specifies the type of key to be generated. Valid types are rsa or dsa.
    The default is rsa.
-l key-size
    Specifies the size of the key to be generated (in bits) with -g. The
    default is 1024.
-o base-name
    Specifies the base prefix of the generated files. The private key, if
    generated, will be <base>.prv and the certificate will be <base>-num.crt.
-p cmp-refnum:cmp-key
    Specifies the CMP enrollment reference number and key (the preshared
    secret).
-e
    Enables the extensions in the subject name. If, for example, ip, dns,
    or email extensions are used, the -e option must be present.
-a ca-access-url
    Specifies the full URL to the certification authority.
-s subject-name
    Specifies the subject name for the certificate. For example,
    c=ca,o=acme,ou=development,cn=Rami Romi would specify the common user
    name "Rami Romi" in the organizational unit "development" in the
    organization "acme" in Canada ("ca"). If extensions such as e-mail
    are needed, the subject name could look like this:
    In this case, the -e option is required to enable subject name
    extensions. Some possible extensions include ip, dns, and email.
-u number
    Optionally gives the key usage bits.
DESCRIPTION
The ssh-certenroll2 command allows users to enroll certificates. It will
connect to a certification authority (CA) and use the CMPv2 protocol for
enrolling a certificate. The user can supply an existing private key when
creating the certification request or allow a new key to
SSH is a registered trademark of SSH Communication Security
EXAMPLES
Enroll a certificate and generate a DSA private key:

    ssh-certenroll2 -g -t dsa -o mykey -p 12345:abcd -S socks://fw.myfirm.com:1080 -a http://www.ca-auth.domain:8080/pkix/ -s "c=fi,o=acme,cn=Rami Romi" cacertificate.crt

This will generate a private key called mykey.prv and a certificate called
mykey-0.crt.

Enroll a certificate using a supplied private key and provide an e-mail
extension:

    ssh-certenroll2 -o mykey -p 12345:ab -a http://www.ca-auth.domain:8080/pkix/ -s "c=ca,o=acme,cn=Rami Romi;email@example.com" cacertificate.crt

This will generate and enroll a certificate called
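When enrollment is scripted rather than typed by hand, the option constraints stated above (the cmp-refnum:cmp-key form of -p, rsa or dsa only for -t, -l only together with -g, -e whenever the subject name carries extensions) are easy to get wrong. The following is an added example, not code from the ssh-certenroll2 distribution: it builds the argument vector for the two enrollments shown above and enforces those constraints before anything is run. It assumes the subject-name extension syntax seen in the second example (RDN list, then ';'-separated extensions).

```python
"""Build an ssh-certenroll2 argument vector from structured input.

Added example, not part of the ssh-certenroll2 distribution. The checks
follow the OPTIONS text; the subject-name extension syntax (RDN list, then
';'-separated extensions) is assumed from the man page's second example.
"""
import re
import shlex

# -p expects cmp-refnum:cmp-key, the pre-shared CMP enrollment secret
CMP_SECRET_RE = re.compile(r"^[^:]+:[^:]+$")


def build_enroll_argv(ca_url, subject, cacert_file, cmp_secret, base_name=None,
                      generate=False, key_type=None, key_size=None,
                      socks=None, proxy=None, key_usage=None):
    """Return argv for ssh-certenroll2, options in synopsis order."""
    if not CMP_SECRET_RE.match(cmp_secret):
        raise ValueError("-p expects cmp-refnum:cmp-key")
    if key_type is not None and key_type not in ("rsa", "dsa"):
        raise ValueError("-t accepts only rsa or dsa")
    if (key_type is not None or key_size is not None) and not generate:
        raise ValueError("-t and -l only apply when generating a key with -g")
    argv = ["ssh-certenroll2"]
    if socks:
        argv += ["-S", socks]
    if proxy:
        argv += ["-P", proxy]
    if generate:
        argv.append("-g")
        if key_type:
            argv += ["-t", key_type]
        if key_size:
            argv += ["-l", str(key_size)]
    if base_name:
        argv += ["-o", base_name]
    argv += ["-p", cmp_secret]
    # Subject-name extensions (the part after ';') require -e per the
    # option description; add it automatically.
    if ";" in subject:
        argv.append("-e")
    argv += ["-a", ca_url, "-s", subject, cacert_file]
    if key_usage is not None:
        argv += ["-u", str(key_usage)]
    return argv


def enroll_command_line(**kwargs):
    """Shell-quoted form of the argv, e.g. for a runbook or audit log."""
    return shlex.join(build_enroll_argv(**kwargs))
```

Pass the returned list to subprocess.run (without a shell) so the subject name, which contains spaces, reaches the tool as one argument.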
ENVIRONMENT VARIABLES
Specifies the SOCKS server (if any) to use when connecting to the
certification authority. See ssh2 for the format of this variable. Used
for the "SocksServer" option only.
Guides: Security Administration