Configuring Digital Certificates for User Authentication
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ssh server algorithm authentication {publickey | keyboard | password}
4. ip ssh server algorithm publickey {x509v3-ssh-rsa [ssh-rsa] | ssh-rsa [x509v3-ssh-rsa]}
5. ip ssh server certificate profile
6. user
7. trustpoint verify PKI-trustpoint-name
8. ocsp-response required
9. end
DETAILED STEPS

Step 1
Command or Action: enable
Example:
Switch> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ip ssh server algorithm authentication {publickey | keyboard | password}
Example:
Switch(config)# ip ssh server algorithm authentication publickey
Purpose: Defines the order of user authentication algorithms. Only the configured algorithm is negotiated with the Secure Shell (SSH) client.
Note
• The IOS SSH server must have at least one configured user authentication algorithm.
• To use the certificate method for user authentication, the publickey keyword must be configured.

Step 4
Command or Action: ip ssh server algorithm publickey {x509v3-ssh-rsa [ssh-rsa] | ssh-rsa [x509v3-ssh-rsa]}
Example:
Switch(config)# ip ssh server algorithm publickey x509v3-ssh-rsa
Purpose: Defines the order of public key algorithms. Only the configured algorithm is accepted by the SSH client for user authentication.
Note
The IOS SSH client must have at least one configured public key algorithm:
• x509v3-ssh-rsa—Certificate-based authentication
• ssh-rsa—Public-key-based authentication

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
How to Configure X.509v3 Certificates for SSH Authentication
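
The following audit script is an added example, not part of the Cisco guide. It checks a saved configuration against the steps above. It assumes the commands appear explicitly in the text (lines left at defaults are reported as missing) and that the profile sub-modes are indented as in the constructed sample; the trustpoint name PKI-TP-EXAMPLE is a placeholder.

```python
import re

# Constructed running-config excerpt; the one-space/two-space indentation of
# the profile sub-modes is an assumption about how the device prints them.
SAMPLE_CONFIG = """\
ip ssh server algorithm authentication publickey password
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa
ip ssh server certificate profile
 user
  trustpoint verify PKI-TP-EXAMPLE
"""

def algorithms(config, kind):
    """Ordered list configured for kind 'authentication' or 'publickey'."""
    m = re.search(rf"^ip ssh server algorithm {kind} (.+)$", config, re.M)
    return m.group(1).split() if m else []

def user_profile(config):
    """Commands nested under 'user' in 'ip ssh server certificate profile'."""
    in_profile = in_user = False
    out = []
    for line in config.splitlines():
        depth = len(line) - len(line.lstrip(" "))
        cmd = line.strip()
        if depth == 0:
            in_profile = cmd == "ip ssh server certificate profile"
            in_user = False
        elif depth == 1:
            in_user = in_profile and cmd == "user"
        elif in_user:
            out.append(cmd)
    return out

def audit(config):
    """Return findings where the config departs from certificate-only user auth."""
    findings = []
    auth, pubkey = algorithms(config, "authentication"), algorithms(config, "publickey")
    profile = user_profile(config)
    if "publickey" not in auth:
        findings.append("no explicit 'publickey' in the authentication algorithm list")
    findings += [f"non-certificate method also negotiated: {a}" for a in auth if a != "publickey"]
    if "x509v3-ssh-rsa" not in pubkey:
        findings.append("x509v3-ssh-rsa not configured as a public key algorithm")
    if "ssh-rsa" in pubkey:
        findings.append("ssh-rsa enabled: raw public keys accepted without a certificate")
    if not any(c.startswith("trustpoint verify ") for c in profile):
        findings.append("no 'trustpoint verify' under the user certificate profile")
    if "ocsp-response required" not in profile:
        findings.append("'ocsp-response required' not set for user certificates")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the constructed sample, it reports the password fallback, the ssh-rsa fallback, and the missing OCSP requirement.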