X.509v3 Certificates for SSH Authentication
The X.509v3 Certificates for Secure Shell (SSH) Authentication feature uses X.509v3 digital certificates for server and user authentication on the SSH server side.
Prerequisites for Digital Certificates for SSH Authentication
The Digital Certificates for SSH Authentication feature introduces the ip ssh server algorithm authentication command to replace the ip ssh server authenticate user command. If you use the ip ssh server authenticate user command, the following deprecation message is displayed.
Warning: SSH command accepted but this CLI will be deprecated soon. Please move to new CLI “ip ssh server algorithm authentication”. Please configure “default ip ssh server authenticate user” to make CLI ineffective.
Use the default ip ssh server authenticate user command to take the ip ssh server authenticate user command out of effect. The IOS Secure Shell (SSH) server then starts using the ip ssh server algorithm authentication command.
Restrictions for X.509v3 Certificates for SSH Authentication
The following restrictions are applicable for X.509v3 Certificate for SSH Authentication:
- The X.509v3 Certificates for SSH Authentication feature is implemented only on the IOS Secure Shell (SSH) server side.
- The IOS SSH server supports only certificates based on the x509v3-ssh-rsa algorithm for server and user authentication on the IOS SSH server side.
The X.509v3 Certificate for SSH Authentication fails in the following conditions:
- When a root certification authority (CA) is configured as a trustpoint on the device.
- When a client presents a certificate chain (client certificate, sub-CA certificate, and self-signed root CA certificate) that terminates in a self-signed root CA.
- When a sub-CA certificate is configured as a trustpoint on the device but is not included in the user certificate's chain.
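The following is an added configuration example, not text from the original guide: it performs the migration the prerequisite section describes and then selects the x509v3-ssh-rsa algorithm that the restrictions require. Only the ip ssh server algorithm authentication and default ip ssh server authenticate user commands come from this page; the ip ssh server algorithm hostkey, ip ssh server algorithm publickey, ip ssh server certificate profile, trustpoint sign / trustpoint verify and show ip ssh commands are assumed from the IOS SSH CLI, and TP-SERVER and TP-USER are placeholder trustpoint names.

```cisco
configure terminal
! Step 1: retire the deprecated command so the server honours the new CLI
default ip ssh server authenticate user
! Step 2: certificate-based host key and user public-key algorithms
! (x509v3-ssh-rsa is the only certificate algorithm the IOS server supports)
ip ssh server algorithm hostkey x509v3-ssh-rsa
ip ssh server algorithm publickey x509v3-ssh-rsa
! Step 3: the replacement authentication command; publickey is the method
! that carries the user's certificate
ip ssh server algorithm authentication publickey
! Step 4: bind trustpoints (placeholder names). Per the restrictions above,
! TP-USER must be a sub-CA trustpoint that actually appears in the chain the
! user presents, not a root CA trustpoint
ip ssh server certificate profile
 server
  trustpoint sign TP-SERVER
 user
  trustpoint verify TP-USER
end
! Confirm the active host-key algorithms and authentication methods
show ip ssh
```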