14.3.6. Signing an SSH Certificate Using a PKCS#11 Token

It is possible to sign a host key using a CA key stored in a PKCS#11 token by providing the token library using the -D option and identifying the CA key by providing its public half as an argument to the -s option:

ssh-keygen -s ca_host_key.pub -D libpkcs11.so -I certificate_ID host_key.pub

(To produce a host certificate rather than a user certificate, also pass the -h option, as in the host example below.) In all cases, certificate_ID is a “key identifier” that is logged by the server when the certificate is used for authentication.

Certificates may be configured to be valid only for a set of users or host names, the principals. By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals, use a comma-separated list with the -n option as follows:

ssh-keygen -s ca_user_key.pub -D libpkcs11.so -I certificate_ID -n user1,user2 id_rsa.pub

and for hosts:

ssh-keygen -s ca_host_key.pub -D libpkcs11.so -I certificate_ID -h -n host.domain ssh_host_rsa_key.pub

Additional limitations on the validity and use of user certificates may be specified through certificate options. A certificate option may disable features of the SSH session, may be valid only when presented from particular source addresses, or may force the use of a specific command. For a list of valid certificate options, see the ssh-keygen(1) manual page for the -O option.

Certificates may be defined to be valid for a specific lifetime. The -V option allows specifying a certificate's start and end times. For example:

ssh-keygen -s ca_user_key -I certificate_ID id_rsa.pub -V "-1w:+54w5d"

A certificate that is presented at a time outside this range will not be considered valid. By default, certificates are valid indefinitely starting from the UNIX Epoch.
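The following is an added example, not part of the Red Hat documentation and not ssh-keygen's own code. It parses the certificate that ssh-keygen writes (the *-cert.pub line) and checks the three fields this section describes: the key identifier given with -I, the principals given with -n, and the validity window given with -V, applying the same rule as the server (a certificate is accepted only when valid_after <= now < valid_before, and an empty principal list means "all users or hosts"). It also converts a relative -V interval such as "-1w:+54w5d" into Epoch seconds. The sample certificate is constructed inline with placeholder key and signature bytes so the script runs offline; signature verification is deliberately not attempted.

```python
"""Inspect OpenSSH certificates: key ID (-I), principals (-n), validity (-V).
Added example; the sample certificate below is constructed, with placeholder
key/signature bytes, and is not a real, verifiable certificate."""
import base64
import struct

EPOCH = 0
FOREVER = 0xFFFFFFFFFFFFFFFF  # ssh-keygen's default valid_before when -V is not given
_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


# --- minimal SSH wire-format helpers (RFC 4251 string / uint32 / uint64) ---
def pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def pack_list(items) -> bytes:
    # A packed list of strings is itself wrapped in one string.
    return pack_string(b"".join(pack_string(i.encode()) for i in items))


class Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def uint32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def uint64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.uint32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v

    def string_list(self):
        inner, out = Reader(self.string()), []
        while inner.pos < len(inner.data):
            out.append(inner.string().decode())
        return out


def parse_cert(line: str) -> dict:
    """Parse one line of a *-cert.pub file (ed25519 certificate layout: one key string)."""
    fields = line.split()
    if len(fields) < 2 or not fields[0].endswith("-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH certificate")
    r = Reader(base64.b64decode(fields[1]))
    cert = {"type_name": r.string().decode()}
    r.string()                                   # nonce
    cert["public_key"] = r.string()              # placeholder in the constructed sample
    cert["serial"] = r.uint64()
    cert["cert_type"] = {1: "user", 2: "host"}[r.uint32()]
    cert["key_id"] = r.string().decode()         # the -I value the server logs
    cert["principals"] = r.string_list()         # the -n values; empty means "all"
    cert["valid_after"] = r.uint64()
    cert["valid_before"] = r.uint64()
    cert["critical_options"] = r.string()        # -O options live here (not decoded)
    cert["extensions"] = r.string()
    return cert


def is_valid_at(cert: dict, t: int) -> bool:
    """sshd rejects a certificate presented before valid_after or at/after valid_before."""
    return cert["valid_after"] <= t < cert["valid_before"]


def allows_principal(cert: dict, name: str) -> bool:
    """An empty principal list means the certificate is valid for all users or hosts."""
    return not cert["principals"] or name in cert["principals"]


def relative_interval(spec: str, now: int):
    """Turn a relative -V interval like "-1w:+54w5d" into (valid_after, valid_before)
    seconds since the Epoch, relative to `now`. Absolute YYYYMMDD forms are not handled."""
    def rel(part):
        sign = -1 if part[0] == "-" else 1
        total, num = 0, ""
        for ch in part[1:]:
            if ch.isdigit():
                num += ch
            else:
                total += int(num) * _UNITS[ch]
                num = ""
        return now + sign * total
    start, end = spec.split(":")
    return rel(start), rel(end)


def build_sample_cert(key_id, principals, valid_after, valid_before, cert_type=1) -> str:
    """Constructed sample certificate with placeholder key and signature bytes."""
    blob = (pack_string(b"ssh-ed25519-cert-v01@openssh.com")
            + pack_string(b"\x00" * 32)          # nonce
            + pack_string(b"\x11" * 32)          # placeholder public key
            + struct.pack(">Q", 1)               # serial
            + struct.pack(">I", cert_type)       # 1 = user, 2 = host
            + pack_string(key_id.encode())
            + pack_list(principals)
            + struct.pack(">Q", valid_after)
            + struct.pack(">Q", valid_before)
            + pack_string(b"") + pack_string(b"") + pack_string(b"")  # options, extensions, reserved
            + pack_string(b"") + pack_string(b""))                    # CA key, signature (placeholders)
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " sample"
```

To audit a real certificate, pass a line from id_rsa-cert.pub (or ssh_host_rsa_key-cert.pub) to parse_cert and compare key_id, principals and the validity window against what you intended to issue; a certificate with an empty principal list and valid_before equal to FOREVER is one signed without -n and -V.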