Users Guide

370 | Certificate Revocation Dell Networking W-Series ArubaOS 6.4.x| User Guide
11. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays.
12. In the Revocation Check field, optionally select a check method from the Method 1 drop-down list. Optionally, select a backup check method from the Method 2 drop-down list.
13. Select Enable next to Enable OCSP Responder.
14. Select the OCSP signer cert from the OCSP Signer Cert drop-down menu.
15. In the CRL Location field, enter the CRL you want used for this revocation checkpoint. The CRLs listed are files that have already been imported onto the controller.
16. Click Apply.
In the CLI
This example configures the controller as an OCSP responder. The OCSP responder service is enabled, the revocation checkpoint is "CAroot", the OCSP signer cert is "oscsp_CA1", and the CRL file location is "Sec1-WIN-05PRGNGEKAO-CA-unrevoked.crl".
(host) (config) #crypto-local pki service-ocsp-responder
(host) (config) #crypto-local pki rcp CAroot
(host) (CAroot) #ocsp-signer-cert oscsp_CA1
(host) (CAroot) #crl-location file Sec1-WIN-05PRGNGEKAO-CA-unrevoked.crl
(host) (CAroot) #enable-ocsp-responder
Certificate Revocation Checking for SSH Pubkey Authentication
This feature allows the ssh-pubkey management user to be optionally configured with a Revocation Checkpoint (RCP). This meets the requirement for two-factor authentication and for integration of device management with PKI for SSH pubkey authentication. The ArubaOS implementation of SSH using pubkey authentication is designed for integration with smart cards or other technologies that use X.509 certificates.
The RCP checks the revocation status of the SSH user's client certificate before permitting access. If the revocation check fails, the user is denied access using the ssh-pubkey authentication method. However, the user can still authenticate through a username and password if configured to do so.
For information about configuring a revocation checkpoint, see Certificate Revocation.
Configuring the SSH Pubkey User with RCP
You can configure the SSH pubkey user with an RCP to check the validity of the user's X.509 certificate.
In the WebUI
1. Navigate to Configuration > Management > Administration.
2. Under Management Users, click Add. The Add User page displays.
3. Select Certificate Management, then SSH Public Key.
4. When adding an ssh-pubkey user with revocation checking enabled, perform either of the following tasks:
• To enable the RCP check, select a valid configured RCP from the Revocation Checkpoint drop-down menu.
• Select None if you do not want the RCP check enabled for the ssh-pubkey user.
In the CLI
The CLI allows you to configure an optional RCP for an ssh-pubkey user. Users can still be configured without the RCP. In this example, the certificate name is "client1-rg", the username is "test1", the role name is "root", and the RCP is "ca-rg":
(host)(config) #mgmt-user ssh-pubkey client-cert client1-rg test1 root ?
rcp Revocation Checkpoint for ssh user's client certificate
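The revocation checkpoint decision described in the two sections above (a CRL-backed checkpoint such as the CAroot example, applied to an ssh-pubkey user's X.509 client certificate) modelled as an added Python example. This is not ArubaOS code and does not reproduce the controller's implementation; it assumes the third-party `cryptography` package and builds a constructed CA, two client certificates and a CRL in memory. The checkpoint name CAroot and certificate name client1-rg are reused from the page; the "rogue-CA" name, the fixed clock, and all function names are assumptions. It shows the three outcomes a checkpoint must distinguish (good, revoked, and a CRL it cannot trust because it is mis-signed or outside its validity window) and how only a definite "good" admits the ssh-pubkey method while the password fallback remains available when configured.

```python
"""Model of a revocation checkpoint (RCP) decision for an ssh-pubkey user.

Added example, not ArubaOS code. Assumes the third-party `cryptography`
package; the CA, client certificates and CRL below are constructed in memory.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed fixed clock; naive datetimes are treated as UTC by the x509 builders.
NOW = datetime.datetime(2024, 1, 1, 12, 0, 0)
LATER = NOW + datetime.timedelta(days=30)  # past the CRL's nextUpdate


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn):
    """Self-signed CA; returns (private key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(_name(cn))
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, cn):
    """Client certificate of the kind a smart-card SSH user presents."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(ca_cert.subject)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(signing_key, ca_cert, revoked_serials):
    """CRL naming ca_cert as issuer; signing_key may deliberately be the wrong key."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW - datetime.timedelta(hours=1))
        .next_update(NOW + datetime.timedelta(days=7))
    )
    for serial in revoked_serials:
        revoked = (x509.RevokedCertificateBuilder().serial_number(serial)
                   .revocation_date(NOW - datetime.timedelta(hours=2)).build())
        builder = builder.add_revoked_certificate(revoked)
    return builder.sign(signing_key, hashes.SHA256())


def _crl_window(crl):
    # Newer cryptography releases expose aware *_utc properties; older ones only naive.
    last = getattr(crl, "last_update_utc", None) or crl.last_update
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update
    return last.replace(tzinfo=None), nxt.replace(tzinfo=None)


def crl_check(cert, crl, ca_cert, now=NOW):
    """Return 'good', 'revoked' or 'unknown' (a CRL the checkpoint must not trust)."""
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "unknown"          # not issued and signed by the checkpoint's CA
    last, nxt = _crl_window(crl)
    if not (last <= now <= nxt):
        return "unknown"          # stale or not-yet-valid CRL
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def ssh_pubkey_decision(cert, crl, ca_cert, password_auth_configured, now=NOW):
    """Only a definite 'good' admits ssh-pubkey; any other result fails the RCP check."""
    if crl_check(cert, crl, ca_cert, now) == "good":
        return "allow:ssh-pubkey"
    return "deny:ssh-pubkey,fallback:password" if password_auth_configured else "deny"


def demo():
    ca_key, ca_cert = make_ca("CAroot")        # checkpoint name from the page
    rogue_key, _ = make_ca("rogue-CA")         # constructed unrelated CA
    good = issue_client_cert(ca_key, ca_cert, "client1-rg")
    bad = issue_client_cert(ca_key, ca_cert, "client2-rg")
    crl = build_crl(ca_key, ca_cert, [bad.serial_number])
    forged = build_crl(rogue_key, ca_cert, [good.serial_number])  # right issuer, wrong key
    return {
        "good": crl_check(good, crl, ca_cert),
        "revoked": crl_check(bad, crl, ca_cert),
        "forged_crl": crl_check(good, forged, ca_cert),
        "stale_crl": crl_check(good, crl, ca_cert, now=LATER),
        "allow": ssh_pubkey_decision(good, crl, ca_cert, True),
        "fallback": ssh_pubkey_decision(bad, crl, ca_cert, True),
        "deny": ssh_pubkey_decision(bad, crl, ca_cert, False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

Note the fail-closed choice: a CRL that is unsigned by the checkpoint's CA, or that is past its nextUpdate, yields "unknown" and is treated exactly like a failed check, so the ssh-pubkey method is refused and only the separately configured password path remains. That is the behaviour a checkpoint needs for a Method 1 / Method 2 setup to be meaningful: an untrusted or stale source should trigger the backup method, never an implicit pass.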