Request an SSH certificate for host authentication

Problem

To request an SSH host certificate, your call to POST SSHCertificates/Request. must use an issuance template that is configured for issuance of host certificates.

Solution

This example shows you how to request a certificate for a web server called web.prod.venafi.com with validity of 90 days.

Before you start

You need:

  • The location and name of the SSH CA Template. In Venafi, an object location and name is also known as the Distinguished Name (DN). To get the value from the Policy tree, switch to the Certificate Authority Templates folder. For example, the syntax you need for the CADN parameter is \\VED\Certificate Authority\\Templates\\template_host.

    Location of the Certificate Issuance Templates

  • The template is for host certificates and your request follows template requirements or restrictions. The certificate issuance template is configured to issue host certificates. For more information, see Working with issuance templates

Time Estimate

About 30 mins

To get an SSH certificate for host authentication

  1. Reuse or create a bear token that includes the scope ssh:manage.The bearer token grants access to Trust Protection Platform.

    To get a bearer token, see Getting a token. For each subsequent API call, be sure to include the token in the request header.
  2. Call POST SSHCertificates/Request. For example:

    POST https://tpp.venafi.example/vedsdk/SSHCertificates/Request
    Authorization:Bearer 4MyGeneratedBearerTknz==
    {
       "CADN":"\\VED\\Certificate Authority\\SSH\\Templates\\template_host",
       "KeyId":"MySSHCertificate",
       "Principals":[
          "web.prod.venafi.com"
       ],
       "ValidityPeriod":"90d"
    }
  3. (Optional) Use the DN from the response to check the SSH certificate status. Call POST SSHCertificates/Retrieve. For example:

    POST https://tpp.venafi.example/vedsdk/SSHCertificates/retrieve
    Authorization:Bearer 4MyGeneratedBearerTknz==
    {
       "DN": "\\VED\\Policy\\My Issued Certificates Folder\\MySSHCertificate",
       "IncludePrivateKeyData": true
    }
  4. In the response, you can get the certificate CertificateData and the private key PrivateKeyData. Save them to files. For example, ssh_host_rsa_key-cert.pub and ssh_host_rsa_key.

  5. Change the file permission of the private key so only root can read it.

  6. Configure the OpenSSH service to use the new certificate file, by adding the following lines to /etc/ssh/sshd_config.

    HostKey /etc/ssh/ssh_host_rsa_key
    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
  7. Restart the OpenSSH service.