

Using a certificate with SSH / SCP

When using a certificate for strong authentication with OpenSSH or WinSCP, for example, you must extract the public key and add it to the ~/.ssh/authorized_keys file on the server.

The following commands use the OpenSSL and OpenSSH tools. On a Linux platform, these tools are generally pre-installed. On Windows, they must be installed manually. Here are the links for:

  1. Extract the certificate in PFX / P12 format
    Once you have retrieved your Sign & Login certificate, it is installed in the certificate store of your browser. You can extract it in PFX / P12 format. The method differs depending on the browser:


  2. Convert the PFX / P12 file to PEM format
    With OpenSSL, type the following command:
    # openssl pkcs12 -in mycertificate.p12 -out mycertificate.pem -nodes

  3. Extract the private key of your certificate from the PFX / P12 file
    # openssl pkcs12 -in mycertificate.p12 -out mysshkey.pem -nodes -nocerts

    Because of the -nodes option, mycertificate.pem and mysshkey.pem both contain the private key unencrypted; keep them readable only by your own account.

  4. Extract the public key from the certificate in PEM format and add it to the file containing the private key
    # openssl x509 -in mycertificate.pem -pubkey -noout >> mysshkey.pem

  5. Use ssh-keygen to generate the public key line to copy to the access server, into the file ~/.ssh/authorized_keys
    # ssh-keygen -i -m PKCS8 -f mysshkey.pem

    The line obtained must be copied to the server, into the file ~/.ssh/authorized_keys

  6. Connection test
    Now you can test the connection to the server with strong authentication.
    # ssh -i mysshkey.pem user@SERVER_NAME

  7. Optional: add the mysshkey.pem file to the client configuration
    If desired, you can add the following lines to your SSH client configuration file. This is usually found at ~/.ssh/config
    Host SERVER_NAME
    IdentityFile path/to/mysshkey.pem

    Once this is done, you just have to type this to access the server:
    # ssh user@SERVER_NAME
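
The conversion steps above as a single shell function, added here as an example and not TBS's own script. It assumes the PKCS#12 password is supplied in an environment variable named P12_PASSWORD (a name chosen for this example). It goes slightly beyond the page's commands: it extracts only the client certificate, checks that the private key matches it, and creates the unencrypted key file with owner-only permissions.

```shell
#!/bin/sh
# Added example, not TBS's own script: the conversion steps as one function.
# Assumptions: openssl and ssh-keygen are on PATH; the PKCS#12 password is in
# the environment variable P12_PASSWORD (a name chosen for this example) so it
# does not show up in the process list.

# Usage: p12_to_ssh mycertificate.p12 mysshkey.pem
# Writes the SSH identity file and prints the authorized_keys line on stdout.
p12_to_ssh() {
    p12=$1
    out=$2
    tmp=$(mktemp -d) || return 1      # private scratch directory (mode 0700)
    rc=0
    (
        umask 077                     # -nodes writes the key unencrypted
        rm -f "$out"                  # so the file is created under umask 077
        # Client certificate only: no key copy, no CA chain in the scratch file.
        openssl pkcs12 -in "$p12" -passin env:P12_PASSWORD \
            -nokeys -clcerts -out "$tmp/cert.pem" || exit 1
        # Private key, unencrypted, as in the page's -nodes -nocerts step.
        openssl pkcs12 -in "$p12" -passin env:P12_PASSWORD \
            -nocerts -nodes -out "$out" || exit 1
        # Public key taken from the certificate.
        openssl x509 -in "$tmp/cert.pem" -pubkey -noout > "$tmp/pub.pem" || exit 1
        # Sanity check: the extracted key must be the certificate's key.
        [ "$(openssl pkey -in "$out" -pubout)" = "$(cat "$tmp/pub.pem")" ] || {
            echo "private key does not match certificate" >&2
            exit 1
        }
        # Append the public key to the identity file, as the page does.
        cat "$tmp/pub.pem" >> "$out" || exit 1
        # Convert the PKCS#8 public key to an OpenSSH authorized_keys line.
        ssh-keygen -i -m PKCS8 -f "$tmp/pub.pem"
    ) || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

The line printed on stdout is the one to append to ~/.ssh/authorized_keys on the server; the second argument is the file to pass to ssh -i.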