{"componentChunkName":"component---src-templates-manual-template-tsx","path":"/manuals/client-user/44/Examples.html","webpackCompilationHash":"d1750f6cc413894a8b5c","result":{"data":{"promoBlocks":{"edges":[{"node":{"contentful_id":"47glnSpWzXeFylv2vfQEF8","internal":{"type":"ContentfulPromotionBlock"},"title":{"internal":{"type":"ContentfulHeading"},"contentful_id":"7KIOfSfgwJnCXuvRN6CfrP","textContent":"Standing privileges are a risk with PAM","color":"black","size":"medium"},"subTitle":null,"content":{"nodeType":"document","internal":{"content":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Start your journey towards a just-in-time (JIT) model with zero standing privileges (ZSP). Read 'Remove Standing Privileges Through a Just-In-Time PAM Approach' by Gartner , courtesy of SSH.COM.\\n \\n\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"}},"callToAction":{"internal":{"type":"ContentfulButton"},"contentful_id":"19EUesynV2Z7HHcuJk0BAS","content":"Download Gartner research","internalLink":null,"externalLink":"https://info.ssh.com/gartner_research_privileged_access_management","assetLink":null,"anchor":null},"picture":{"internal":{"type":"ContentfulAsset"},"contentful_id":"2ClylmBswcfDx4XdO7NTmL","title":"ICON Gartner ZSP","description":"","file":{"url":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png","contentType":"image/png"},"fluid":{"aspectRatio":1,"src":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=3000&q=50","srcSet":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=750&h=750&q=50 750w,\n//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=1500&h=1500&q=50 1500w,\n//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=1601&h=1601&q=50 1601w","sizes":"(max-width: 3000px) 100vw, 3000px"},"fixed":{"width":3000,"height":3000,"src":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=3000&q=50","srcSet":""}},"centered":true,"indentMainContent":null,"transparentBackground":null,"imageScale":70,"imagePadding":null,"name":"WIKI migration side promo block2","product":null,"funnel":null,"topic":null,"keywords":null,"type":null,"priority":null,"globalOverride":null}},{"node":{"contentful_id":"6dfNaA1UlY4bADKQk6awhs","internal":{"type":"ContentfulPromotionBlock"},"title":{"internal":{"type":"ContentfulHeading"},"contentful_id":"49Tb2wSR21P5C2cpcgMZ3","textContent":"Get Multi-cloud PAM software - for free!","color":"black","size":"medium"},"subTitle":null,"content":{"nodeType":"document","internal":{"content":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"PrivX® Free replaces your in-house jump hosts and combines your AWS, GCP and Azure access into one multi-cloud solution.\\n \\n\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},"callToAction":{"internal":{"type":"ContentfulButton"},"contentful_id":"1dmQ13jyyZ46ID07eVNVFb","content":"PrivX Free","internalLink":null,"externalLink":"https://info.ssh.com/privx-free-access-management-software","assetLink":null,"anchor":null},"picture":{"internal":{"type":"ContentfulAsset"},"contentful_id":"4UUYdjING8micwZQur5o6d","title":"ICON computer (search)","description":"","file":{"url":"//images.ctfassets.net/0lvk5dbamxpi/4UUYdjING8micwZQur5o6d/1b378a0f4646075c7a4788f1afffbabe/ICON_computer__search_.svg","contentType":"image/svg+xml"},"fluid":{"aspectRatio":null,"src":null,"srcSet":null,"sizes":null},"fixed":{"width":null,"height":null,"src":null,"srcSet":null}},"centered":true,"indentMainContent":null,"transparentBackground":null,"imageScale":70,"imagePadding":null,"name":"WIKI migration side promo block1","product":null,"funnel":null,"topic":null,"keywords":null,"type":null,"priority":null,"globalOverride":null}}]}},"pageContext":{"isCreatedByStatefulCreatePages":false,"body":"
\n\n\n\n \n \n \n \n \n
\"SSH\n \n  \n \n \"\"
\n\n\n\n\n \n \n\n \n \n
\"\"\n \n \n \n \n
\"\"
\n
\n\n\n\n\"\"\n\n\n\n\n\n\n\"\" \n\n
\n
\n \n \n \n \n\n
\"\"\n \n \n \n \n \n\t\n\t\n\t
\n\n\n\n
\"Previous\"\n\"Next\"\n\"Up\"\n[Contents]\n[Index]\n
\n

\n
\n    About This Document>>
\n    Installing SSH Tectia Client >>
\n    Getting Started >>
\n    Configuring SSH Tectia Client >>
\n    Connecting to a Remote Host Computer>>
\n    Transferring Files>>
\n    Tunneling Applications>>
\n    GUI Reference>>
\n    Troubleshooting >>
\n    Command-Line Tools >>
\n        ssh2 >>
\n        scp2 >>
\n        sftp2 >>
\n        ssh-keygen2 >>
\n        ssh-cmpclient >>
\n            Synopsis
\n            Description
\n            Commands
\n            Options
\n            Examples
\n        ssh-certview >>
\n\n
\n\n

Examples

\n\n

The following ssh-cmpclient examples use pki.ssh.com \n(http://pki.ssh.com/), a free \ntest PKI interoperability site maintained by SSH Communications \nSecurity. You can try the commands \"as is\" for enrolling certificates to \nyour server. If you are behind a company firewall, you may need to \nprovide a complete SOCKS server URL to ssh-cmpclient with \nthe -S option (for example, -S http://fw.yourdomain.com:1080).\n\n

\n\n

Initial Certificate Enrollment

\n\n

This example provides commands for enrolling an initial certificate for \ndigital signature use from the pki.ssh.com interoperability \nsite. It generates a private key into a PKCS #8 plaintext file named \ninitial.prv, and stores the enrolled certificate into file \ninitial-0.crt. The user is authenticated to the CA with the key \nidentifier (refnum) 62154 and the key ssh. The subject \nname and alternative IP address are given, as well as key-usage flags. \nThe CA address is pki.ssh.com, the port 8080, and the CA name \nto access Test CA 1.\n\n

\n\n
\n
\n$ ssh-cmpclient INITIALIZE \\\n   -P generate://pkcs8@rsa:1024/initial -o initial \\\n   -p 62154:ssh \\\n   -s 'C=FI,O=SSH,CN=Example/initial;IP=1.2.3.4' \\\n   -u digitalsignature \\\n   http://pki.ssh.com:8080/pkix/ \\\n   'C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'\n
\n\n\n

As a response the command presents the issued certificate to the \nuser, and the user accepts it by typing yes at the prompt.\n\n

\n\n
\n
\nCertificate =\n  SubjectName = <C=FI, O=SSH, CN=Example/initial>\n  IssuerName = <C=FI, O=SSH Communications Security Corp, \n    CN=SSH Test CA 1 No Liabilities>\n  SerialNumber= 8017690\n  SignatureAlgorithm = rsa-pkcs1-sha1\n  Validity = ...\n  PublicKeyInfo = ...\n  Extensions =\n      Viewing specific name types = IP = 1.2.3.4\n    KeyUsage = DigitalSignature\n    CRLDistributionPoints = ...\n    AuthorityKeyID =\n      KeyID = 3d:cb:be:20:64:49:16:1d:88:b7:98:67:93:f0:5d:42:81:2e:bd:0c\n    SubjectKeyID =\n      KeyId = 6c:f4:0e:ba:b9:ef:44:37:db:ad:1f:fc:46:e0:25:9f:c8:ce:cb:da\n  Fingerprints =\n    MD5 = b7:6d:5b:4d:e0:94:d1:1f:ec:ca:c2:ed:68:ac:bf:56\n    SHA-1 = 4f:de:73:db:ff:e8:7d:42:c4:7d:e1:79:1f:20:43:71:2f:81:ff:fa\n\nDo you accept the certificate above? yes\n
\n\n\n

\n\n

Key update

\n\n

Before the certificate expires, a new certificate with updated validity \nperiod should be enrolled. ssh-cmpclient supports key update, \nwhere new private key is generated and the key update request is \nauthenticated with the old (still valid) certificate. The old \ncertificate is also used as a template for issuing the new certificate, \nso the identity of the user will not be changed during the key update. \nWith the following command you can update the key pair, which was \nenrolled in the previous example. Presenting the result certificate has \nbeen left out.\n\n

\n\n
\n
\n$ ssh-cmpclient UPDATE \\\n   -k initial.prv -c initial-0.crt -P \\\n   generate://pkcs8@rsa:1024/updatedcert -o updatedcert \\\n   http://pki.ssh.com:8080/pkix/ \\\n   \"C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities\"\n
\n\n\n

The new key pair can be found in the files with the updatedcert \nprefix. The policy of the issuing CA needs to also allow automatic key \nupdates if ssh-cmpclient is used in the UPDATE mode. \nThe pki.ssh.com test site, powered by SSH Tectia Certifier, is \nconfigured to allow automatic update of keys based on certificates \nissued earlier.\n\n

\n\n\n

\n\"Previous\"\n\"Next\"\n\"Up\"\n[Contents]\n[Index]\n

\n
\n[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]\n

\nCopyright © 2010 SSH Communications Security Corp.
\nThis software is protected by international copyright laws. All rights reserved.
\nCopyright Notice\n\n

\n\n\n\n 		\"\"
\n\n
\n\n\n\n
","head":"\nSSH: Examples\n\n\n","url":"/manuals/client-user/44/Examples.html"}}}