A trusted certificate is one that is purchased from a trusted certificate authority (CA), such as www.verisign.com. Internet-facing production applications should use a certificate from a trusted CA. For non-production applications, a self-signed certificate can be used. Applications such as PuTTY will complain when a self-signed certificate is used.
Three files will be created:

| Type of file | Default location |
|---|---|
| Certificate Authority (CA) | /root/.ssh/id_rsa.pem |
Public certificate and private key
Use the ssh-keygen -t rsa command to create an RSA public certificate and private key. Use -t dsa to create a DSA public certificate and private key.
When prompted where to save the file, press enter to use the default file name and directory, or type your preferred directory and file name.
```
[root@server1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jeremy.canfield/.ssh/id_rsa):
```
It is more secure to enter a passphrase, but it adds a layer of complexity when it comes to automation.

```
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
```
The public certificate and private key are created.
```
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a6:4e:fd:17:67:69:19:b5:22:0a:16:53:cf:47:b3:b3 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
|      ..  o      |
|     o o . o    .|
|      o o + ..   |
|       o ...+.   |
|      . S . .E.+ |
|       + . . *   |
|        o . =    |
|         o . .   |
|          . ..   |
+-----------------+
```
For assurance that the id_rsa file contains the private key, view the content of the id_rsa file. BEGIN RSA PRIVATE KEY should be displayed.

```
[root@server1 ~]# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
```
For assurance that the id_rsa.pub file contains the public certificate, view the content of the id_rsa.pub file. ssh-rsa should be displayed.

```
[root@server1 ~]# cat id_rsa.pub
ssh-rsa . . .
```
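The two "cat" checks above can be scripted. The following is an added example (not from the original page) that creates a key pair non-interactively and verifies both files: the private key must be readable only by its owner and start with a private-key header, and the public key must start with a known key type followed by base64 data. Note that current ssh-keygen versions write "BEGIN OPENSSH PRIVATE KEY" rather than "BEGIN RSA PRIVATE KEY" unless -m PEM is given, so the check accepts both. Directory and file names are arbitrary choices, and the placeholder key material used when ssh-keygen is not installed is constructed demo data.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the files
# ssh-keygen produces. Paths and key names are arbitrary choices.

# Return 0 if FILE looks like an SSH private key: readable only by its owner
# and starting with a PEM or OpenSSH private-key header. Newer ssh-keygen
# versions write "BEGIN OPENSSH PRIVATE KEY" unless "-m PEM" is given,
# so both headers are accepted.
check_private_key() {
  f=$1
  [ -f "$f" ] || return 1
  # exact owner-only mode (0600); ssh refuses keys that others can read
  [ -n "$(find "$f" -maxdepth 0 -perm 600 2>/dev/null)" ] || return 1
  head -n 1 "$f" | grep -Eq '^-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----$'
}

# Return 0 if FILE looks like an OpenSSH public key: a known key type,
# then a base64 blob, optionally followed by a comment such as user@host.
check_public_key() {
  f=$1
  [ -f "$f" ] || return 1
  head -n 1 "$f" | grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Print key length, fingerprint and comment when ssh-keygen is installed.
fingerprint() {
  command -v ssh-keygen >/dev/null 2>&1 && ssh-keygen -l -f "$1"
}

# Create a demo key pair in DIR. Uses ssh-keygen non-interactively when it is
# available (-N '' = empty passphrase, -f = output file, -q = quiet); otherwise
# writes constructed placeholder files with the right shape for the checks.
make_demo_keys() {
  d=$1
  mkdir -p "$d" && chmod 700 "$d"
  rm -f "$d/id_rsa" "$d/id_rsa.pub"
  if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -q -t rsa -b 3072 -N '' -f "$d/id_rsa" </dev/null
  else
    # constructed placeholders, not real key material
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
      'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=' \
      '-----END RSA PRIVATE KEY-----' > "$d/id_rsa"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0NSTRUCTED root@server1' > "$d/id_rsa.pub"
    chmod 600 "$d/id_rsa"
    chmod 644 "$d/id_rsa.pub"
  fi
}

# Usage: generate into a scratch directory and run both checks.
if [ "${0##*/}" != "sh" ] && [ -z "$SOURCED_FOR_TEST" ]; then
  dir=${1:-/tmp/demo-ssh-keys}
  make_demo_keys "$dir"
  check_private_key "$dir/id_rsa" && echo "private key OK: $dir/id_rsa"
  check_public_key "$dir/id_rsa.pub" && echo "public key OK: $dir/id_rsa.pub"
  fingerprint "$dir/id_rsa.pub"
fi
```

Run it with a scratch directory as the first argument; an empty passphrase (-N '') is what makes the generation suitable for automation, which is the trade-off the text above describes.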
Certificate Authority (CA)
A certificate authority (CA) file is a file ending in .pem that contains the signed public certificate. The cat command and redirection can be used to create the CA file. Move to the /etc/pki/tls directory, and then create the certificate authority file.

```
[root@server1 ~]# cd /etc/pki/tls
[root@server1 ~]# cat /etc/pki/tls/certs/example.crt > example.pem
```
For assurance that the example.pem file contains the public certificate, view the content of the example.pem file. BEGIN CERTIFICATE should be displayed.

```
[root@server1 ~]# cat example.pem
-----BEGIN CERTIFICATE-----
```
OpenSSL can be used to ensure the CA file contains the signature.

```
[root@server1 ~]# openssl x509 -in /etc/pki/tls/certs/example.pem -text | grep Issuer
Issuer: C=US, ST=Florida, L=Miami, O=Acme Widgets, Inc., OU=Acme Widgets, Inc., CN=acme.com, Eemail@example.com
```
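Reading the Issuer line by eye tells you who signed the certificate; comparing it with the Subject line tells you whether the certificate is self-signed (issuer and subject are the same name) or issued by a CA, and openssl verify performs the check a client would. The following is an added example (not from the original page) that wraps these checks in functions and generates a throw-away self-signed certificate to run them against. The subject used for the demo certificate and the file names are constructed values, not the page's own.

```shell
#!/bin/sh
# Added example (not from the original page): inspect a PEM certificate with
# openssl and tell a self-signed certificate from a CA-issued one. Paths and
# the demo subject are arbitrary, constructed choices.

# Return 0 if FILE starts with a PEM certificate header, as the page's
# "cat example.pem" check expects.
check_cert_file() {
  [ -f "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Print the issuer DN (who signed the certificate) without the "issuer=" prefix.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Print the subject DN (who the certificate is for) without the "subject=" prefix.
cert_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'
}

# Return 0 when the certificate is self-signed: issuer and subject are the same
# DN. A certificate bought from a trusted CA carries the CA's name as issuer.
is_self_signed() {
  [ "$(cert_issuer "$1")" = "$(cert_subject "$1")" ]
}

# Return 0 when CERT chains to a certificate in CAFILE. This is the check a
# client performs; it fails for a self-signed certificate unless that
# certificate itself is present in CAFILE, which is why clients complain.
verify_against_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Generate a throw-away self-signed certificate and key in DIR (constructed
# demo data; -nodes = unencrypted key, -x509 = self-sign instead of a CSR).
make_demo_cert() {
  d=$1
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj '/C=US/ST=Florida/L=Miami/O=Acme Widgets/CN=acme.com' \
    -keyout "$d/example.key" -out "$d/example.crt" >/dev/null 2>&1
  # the page's convention: copy the PEM certificate into a .pem file
  cat "$d/example.crt" > "$d/example.pem"
}

# Usage: build the demo certificate and report what the checks find.
if [ -z "$SOURCED_FOR_TEST" ]; then
  dir=${1:-/tmp/demo-cert}
  make_demo_cert "$dir"
  check_cert_file "$dir/example.pem" && echo "PEM certificate header OK"
  echo "Issuer:  $(cert_issuer "$dir/example.pem")"
  echo "Subject: $(cert_subject "$dir/example.pem")"
  if is_self_signed "$dir/example.pem"; then
    echo "self-signed: expect client warnings unless the file is added to the client's trust store"
  else
    echo "issued by a CA"
  fi
fi
```

For a certificate from a trusted CA, pass the CA's bundle (for example the system bundle under /etc/pki/tls/certs) as the second argument to verify_against_ca; for a self-signed certificate the only file that makes verification succeed is the certificate itself.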