This document describes how to configure an SSH server on IOS devices to use x509v3 certificates, in accordance with RFC 6187.
The Secure Shell (SSH) protocol provides mutual authentication, that is, both the client and the server are authenticated. Traditionally, the server uses an RSA private and public key pair for authentication. The SSH client computes the checksum of the public key and asks the administrator whether it is trusted. The administrator should export the public key from the router with an out-of-band method and compare the values. In practice, this is cumbersome, and the public key is often accepted without verification, which creates a risk of man-in-the-middle attacks.
RFC 6187 addresses this concern: it provides a level of security and a user experience similar to those of the Transport Layer Security (TLS) protocol commonly used to protect web-based transmissions.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure AAA parameters. In a basic scenario (without an external authorization server), authorization for the username fetched from the certificate can be skipped.
aaa new-model
aaa authorization network CERT none
Configure a trustpoint that holds the CA certificate and optionally the router certificate.
crypto pki trustpoint SSH
enrollment mode ra
enrollment url http://10.1.1.2:80/CertSrv/mscep/mscep.dll
serial-number
ip-address 10.0.0.1
subject-name cn=10.0.0.1
revocation-check ocsp
ocsp url http://10.1.1.2/ocsp
rsakeypair SSH 2048
authorization list CERT
! The username has to be fetched from the certificate for accounting and authorization purposes. Multiple options are available.
authorization username subjectname commonname
Tip: If the OCSP server is unreachable, the administrator can either disallow all access with the revocation-check ocsp configuration, or allow access without a revocation check with revocation-check ocsp none (not recommended).
Configure the allowed authentication mechanisms used during SSH tunnel negotiation.
! Algorithms used to authenticate the server
ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
! Acceptable algorithms used to authenticate the client
ip ssh server algorithm authentication publickey password keyboard
! Acceptable pubkey-based algorithms used to authenticate the client
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa
Configure the SSH server to use the correct certificates in the authentication process.
ip ssh server certificate profile
! Certificate used by server
server
trustpoint sign SSH
! CA used to authenticate client certificates
user
trustpoint verify SSH
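The Tip above distinguishes revocation-check ocsp (access is denied when the OCSP server is unreachable) from revocation-check ocsp none (access is allowed without a revocation check). The following Python audit is an added example, not part of the original document or a Cisco tool: it finds the trustpoint that the SSH certificate profile uses to verify client certificates and reports whether its revocation-check line ends in none. The sample configuration, the STRICT trustpoint and the function names are constructed for illustration.

```python
import re

# Constructed sample: the trustpoint from this document, but with the
# fail-open variant named in the Tip so that the audit has something to flag.
SAMPLE_CONFIG = """\
crypto pki trustpoint SSH
 enrollment url http://10.1.1.2:80/CertSrv/mscep/mscep.dll
 revocation-check ocsp none
 ocsp url http://10.1.1.2/ocsp
 rsakeypair SSH 2048
 authorization list CERT
 authorization username subjectname commonname
!
crypto pki trustpoint STRICT
 revocation-check ocsp
!
ip ssh server certificate profile
 server
  trustpoint sign SSH
 user
  trustpoint verify SSH
"""

def parse_trustpoints(config):
    """Map each trustpoint name to the list of its indented sub-commands."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto pki trustpoint (\S+)", line)
        if m:
            current = trustpoints.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line closes the block
    return trustpoints

def ssh_verify_trustpoints(config):
    """Trustpoints the SSH server uses to validate client certificates."""
    return re.findall(r"^\s+trustpoint verify (\S+)", config, re.M)

def audit(config):
    """Return (trustpoint, issue) pairs for client-certificate validation."""
    findings = []
    trustpoints = parse_trustpoints(config)
    for name in ssh_verify_trustpoints(config):
        if name not in trustpoints:
            findings.append((name, "undefined"))
            continue
        for cmd in trustpoints[name]:
            if not cmd.startswith("revocation-check "):
                continue
            methods = cmd.split()[1:]
            if methods == ["none"]:
                findings.append((name, "no-revocation-check"))
            elif methods[-1] == "none":
                # e.g. "ocsp none": a revoked certificate is accepted
                # whenever the OCSP server cannot be reached
                findings.append((name, "fail-open"))
    return findings

if __name__ == "__main__":
    for trustpoint, issue in audit(SAMPLE_CONFIG):
        print(f"trustpoint {trustpoint}: {issue}")
```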
After the username is fetched from the certificate, IOS can perform authorization for that username against a TACACS server. This is especially useful if a TACACS server is already deployed for device administration.
Note: The IOS SSH server currently does not support authentication method chaining. This means that if the certificates are used to authenticate the user, the TACACS server cannot be used for password authentication. It can only be used for authorization.
Configure the TACACS server.
tacacs server ISE
address ipv4 10.1.1.3
key cisco123
Configure the authorization list to use the TACACS server.
aaa authorization network ISE group tacacs+
1. Configure ISE (Identity Services Engine). Configuration example can be found at:
2. Configure the TACACS profile. The additional parameter cert-application=all must be configured for the authorization to succeed. Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS profiles > Add.
3. In order to configure policy set, navigate to Work Centers > Device Administration > Device Admin Policy Sets > Add.
show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,password,keyboard-interactive
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
--- output truncated ----
show users
Line User Host(s) Idle Location
1 vty 0 admin1 idle 00:02:37 192.168.1.100
These debugs are used to track a successful session:
debug ip ssh detail
debug crypto pki transactions
debug crypto pki messages
debug crypto pki validation
Aug 21 20:07:08.717: SSH0: starting SSH control process
! Server identifies itself
Aug 21 20:07:08.717: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
! Client identifies itself
Aug 21 20:07:08.771: SSH0: protocol version id is - SSH-2.0-Pragma FortressCL 5.0.10.766
Aug 21 20:07:08.771: SSH2 0: kexinit sent: kex algo = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
! Authentication algorithms supported by server
Aug 21 20:07:08.771: SSH2 0: kexinit sent: hostkey algo = x509v3-ssh-rsa,ssh-rsa
Aug 21 20:07:08.772: SSH2 0: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr
Aug 21 20:07:08.772: SSH2 0: kexinit sent: mac algo = hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
Aug 21 20:07:08.772: SSH2 0: SSH2_MSG_KEXINIT sent
Aug 21 20:07:08.915: SSH2 0: SSH2_MSG_KEXINIT received
Aug 21 20:07:08.916: SSH2 0: kex: client->server enc:aes256-ctr mac:hmac-sha1
Aug 21 20:07:08.916: SSH2 0: kex: server->client enc:aes256-ctr mac:hmac-sha1
! Client chooses authentication algorithm
Aug 21 20:07:08.916: SSH2 0: Using hostkey algo = x509v3-ssh-rsa
Aug 21 20:07:08.916: SSH2 0: Using kex_algo = diffie-hellman-group-exchange-sha1
Aug 21 20:07:08.917: SSH2 0: Modulus size established : 4096 bits
Aug 21 20:07:08.976: SSH2 0: expecting SSH2_MSG_KEX_DH_GEX_INIT
Aug 21 20:07:09.141: SSH2 0: SSH2_MSG_KEXDH_INIT received
! Server sends certificate associated with trustpoint "SSH"
Aug 21 20:07:09.208: SSH2 0: Sending Server certificate associated with PKI trustpoint "SSH"
Aug 21 20:07:09.208: CRYPTO_PKI: (A003C) Session started - identity selected (SSH)
Aug 21 20:07:09.208: SSH2 0: Got 2 certificate(s) on certificate chain
Aug 21 20:07:09.208: CRYPTO_PKI: Rcvd request to end PKI session A003C.
Aug 21 20:07:09.208: CRYPTO_PKI: PKI session A003C has ended. Freeing all resources.
Aug 21 20:07:09.209: CRYPTO_PKI: unlocked trustpoint SSH, refcount is 0
Aug 21 20:07:09.276: SSH2: kex_derive_keys complete
Aug 21 20:07:09.276: SSH2 0: SSH2_MSG_NEWKEYS sent
Aug 21 20:07:09.276: SSH2 0: waiting for SSH2_MSG_NEWKEYS
Aug 21 20:07:16.927: SSH2 0: SSH2_MSG_NEWKEYS received
Aug 21 20:07:17.177: SSH2 0: Authentications that can continue = publickey,password,keyboard-interactive
Aug 21 20:07:17.225: SSH2 0: Using method = none
Aug 21 20:07:17.226: SSH2 0: Authentications that can continue = publickey,password,keyboard-interactive
Aug 21 20:07:32.305: SSH2 0: Using method = publickey
! Client sends certificate
Aug 21 20:07:32.305: SSH2 0: Received publickey algo = x509v3-ssh-rsa
Aug 21 20:07:32.305: SSH2 0: Verifying certificate for user 'admin1' in SSH2_MSG_USERAUTH_REQUEST
Aug 21 20:07:32.305: SSH2 0: Verifying certificate for user 'admin1'
Aug 21 20:07:32.306: SSH2 0: Received a chain of 2 certificate
Aug 21 20:07:32.308: SSH2 0: Received 0 ocsp-response
Aug 21 20:07:32.308: SSH2 0: Starting PKI session for certificate verification
Aug 21 20:07:32.308: CRYPTO_PKI: (A003D) Session started - identity not specified
Aug 21 20:07:32.309: CRYPTO_PKI: (A003D) Adding peer certificate
Aug 21 20:07:32.310: CRYPTO_PKI: found UPN as admin1@example.com
Aug 21 20:07:32.310: CRYPTO_PKI: Added x509 peer certificate - (1016) bytes
Aug 21 20:07:32.310: CRYPTO_PKI: (A003D) Adding peer certificate
Aug 21 20:07:32.310: CRYPTO_PKI: Added x509 peer certificate - (879) bytes
Aug 21 20:07:32.311: CRYPTO_PKI: ip-ext-val: IP extension validation not required
Aug 21 20:07:32.311: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 31
Aug 21 20:07:32.312: CRYPTO_PKI: (A003D)validation path has 1 certs
Aug 21 20:07:32.312: CRYPTO_PKI: (A003D) Check for identical certs
Aug 21 20:07:32.312: CRYPTO_PKI : (A003D) Validating non-trusted cert
Aug 21 20:07:32.312: CRYPTO_PKI: (A003D) Create a list of suitable trustpoints
Aug 21 20:07:32.312: CRYPTO_PKI: Found a issuer match
Aug 21 20:07:32.312: CRYPTO_PKI: (A003D) Suitable trustpoints are: SSH,
Aug 21 20:07:32.313: CRYPTO_PKI: (A003D) Attempting to validate certificate using SSH policy
Aug 21 20:07:32.313: CRYPTO_PKI: (A003D) Using SSH to validate certificate
Aug 21 20:07:32.313: CRYPTO_PKI: Added 1 certs to trusted chain.
Aug 21 20:07:32.314: CRYPTO_PKI: Prepare session revocation service providers
Aug 21 20:07:32.314: CRYPTO_PKI: Deleting cached key having key id 30
Aug 21 20:07:32.314: CRYPTO_PKI: Attempting to insert the peer's public key into cache
Aug 21 20:07:32.314: CRYPTO_PKI:Peer's public inserted successfully with key id 31
Aug 21 20:07:32.315: CRYPTO_PKI: Expiring peer's cached key with key id 31
Aug 21 20:07:32.315: CRYPTO_PKI: (A003D) Certificate is verified
! Revocation status is checked
Aug 21 20:07:32.315: CRYPTO_PKI: (A003D) Checking certificate revocation
Aug 21 20:07:32.315: OCSP: (A003D) Process OCSP_VALIDATE message
Aug 21 20:07:32.315: CRYPTO_PKI: (A003D)Starting OCSP revocation check
Aug 21 20:07:32.316: CRYPTO_PKI: OCSP server URL is http://10.1.1.2/ocsp
Aug 21 20:07:32.316: CRYPTO_PKI: no responder matching this URL; create one!
Aug 21 20:07:32.316: OCSP: (A003D)OCSP Get Response command
Aug 21 20:07:32.317: CRYPTO_PKI: http connection opened
Aug 21 20:07:32.317: CRYPTO_PKI: OCSP send header size 132
Aug 21 20:07:32.317: CRYPTO_PKI: sending POST /ocsp HTTP/1.0
Host: 10.1.1.2
User-Agent: RSA-Cert-C/2.0
Content-type: application/ocsp-request
Content-length: 312
Aug 21 20:07:32.317: CRYPTO_PKI: OCSP send data size 312
Aug 21 20:07:32.322: OCSP: (A003D)OCSP Parse HTTP Response command
Aug 21 20:07:32.322: OCSP: (A003D)OCSP Validate DER Response command
Aug 21 20:07:32.322: CRYPTO_PKI: OCSP response status - successful.
Aug 21 20:07:32.323: CRYPTO_PKI: Decoding OCSP Response
Aug 21 20:07:32.323: CRYPTO_PKI: OCSP decoded status is GOOD.
Aug 21 20:07:32.323: CRYPTO_PKI: Verifying OCSP Response
Aug 21 20:07:32.325: CRYPTO_PKI: Added 11 certs to trusted chain.
Aug 21 20:07:32.325: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsputil.c(547) : E_NOT_FOUND : no matching entry found
Aug 21 20:07:32.325: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsputil.c(547) : E_NOT_FOUND : no matching entry found
Aug 21 20:07:32.326: CRYPTO_PKI: (A003D) Validating OCSP responder certificate
Aug 21 20:07:32.327: CRYPTO_PKI: OCSP Responder cert doesn't need rev check
Aug 21 20:07:32.328: CRYPTO_PKI: response signed by a delegated responder
Aug 21 20:07:32.328: CRYPTO_PKI: OCSP Response is verified
Aug 21 20:07:32.328: CRYPTO_PKI: (A003D) OCSP revocation check is complete 0
Aug 21 20:07:32.328: OCSP: destroying OCSP trans element
Aug 21 20:07:32.328: CRYPTO_PKI: Revocation check is complete, 0
Aug 21 20:07:32.328: CRYPTO_PKI: Revocation status = 0
Aug 21 20:07:32.328: CRYPTO_PKI: Remove session revocation service providers
Aug 21 20:07:32.329: CRYPTO_PKI: Remove session revocation service providers
Aug 21 20:07:32.329: CRYPTO_PKI: (A003D) Certificate validated
Aug 21 20:07:32.329: CRYPTO_PKI: Populate AAA auth data
Aug 21 20:07:32.329: CRYPTO_PKI: Selected AAA username: 'admin1'
Aug 21 20:07:32.329: CRYPTO_PKI: Anticipate checking AAA list: 'CERT'
Aug 21 20:07:32.329: CRYPTO_PKI: Checking AAA authorization
Aug 21 20:07:32.329: CRYPTO_PKI_AAA: checking AAA authorization (CERT, admin1, <all>)
Aug 21 20:07:32.329: CRYPTO_PKI_AAA: pre-authorization chain validation status (0x400)
Aug 21 20:07:32.329: CRYPTO_PKI_AAA: post-authorization chain validation status (0x400)
Aug 21 20:07:32.329: CRYPTO_PKI: (A003D)chain cert was anchored to trustpoint SSH, and chain validation result was: CRYPTO_VALID_CERT
Aug 21 20:07:32.329: CRYPTO_PKI: destroying ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 31, ref count 1
Aug 21 20:07:32.330: CRYPTO_PKI: ca_req_context released
Aug 21 20:07:32.330: CRYPTO_PKI: (A003D) Validation TP is SSH
Aug 21 20:07:32.330: CRYPTO_PKI: (A003D) Certificate validation succeeded
Aug 21 20:07:32.330: CRYPTO_PKI: Rcvd request to end PKI session A003D.
Aug 21 20:07:32.330: CRYPTO_PKI: PKI session A003D has ended. Freeing all resources.
Aug 21 20:07:32.395: SSH2 0: Verifying certificate for user 'admin1'
Aug 21 20:07:32.395: SSH2 0: Received a chain of 2 certificate
Aug 21 20:07:32.396: SSH2 0: Received 0 ocsp-response
Aug 21 20:07:32.396: SSH2 0: Starting PKI session for certificate verification
Aug 21 20:07:32.396: CRYPTO_PKI: (A003E) Session started - identity not specified
Aug 21 20:07:32.396: CRYPTO_PKI: (A003E) Adding peer certificate
Aug 21 20:07:32.397: CRYPTO_PKI: found UPN as admin1@example.com
Aug 21 20:07:32.397: CRYPTO_PKI: Added x509 peer certificate - (1016) bytes
Aug 21 20:07:32.397: CRYPTO_PKI: (A003E) Adding peer certificate
Aug 21 20:07:32.398: CRYPTO_PKI: Added x509 peer certificate - (879) bytes
Aug 21 20:07:32.398: CRYPTO_PKI: ip-ext-val: IP extension validation not required
Aug 21 20:07:32.400: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 32
Aug 21 20:07:32.400: CRYPTO_PKI: (A003E)validation path has 1 certs
Aug 21 20:07:32.400: CRYPTO_PKI: (A003E) Check for identical certs
Aug 21 20:07:32.400: CRYPTO_PKI : (A003E) Validating non-trusted cert
Aug 21 20:07:32.401: CRYPTO_PKI: (A003E) Create a list of suitable trustpoints
Aug 21 20:07:32.401: CRYPTO_PKI: Found a issuer match
Aug 21 20:07:32.401: CRYPTO_PKI: (A003E) Suitable trustpoints are: SSH,
Aug 21 20:07:32.401: CRYPTO_PKI: (A003E) Attempting to validate certificate using SSH policy
Aug 21 20:07:32.401: CRYPTO_PKI: (A003E) Using SSH to validate certificate
Aug 21 20:07:32.402: CRYPTO_PKI: Added 1 certs to trusted chain.
Aug 21 20:07:32.402: CRYPTO_PKI: Prepare session revocation service providers
Aug 21 20:07:32.402: CRYPTO_PKI: Deleting cached key having key id 31
Aug 21 20:07:32.403: CRYPTO_PKI: Attempting to insert the peer's public key into cache
Aug 21 20:07:32.403: CRYPTO_PKI:Peer's public inserted successfully with key id 32
Aug 21 20:07:32.404: CRYPTO_PKI: Expiring peer's cached key with key id 32
Aug 21 20:07:32.404: CRYPTO_PKI: (A003E) Certificate is verified
Aug 21 20:07:32.404: CRYPTO_PKI: (A003E) Checking certificate revocation
Aug 21 20:07:32.404: OCSP: (A003E) Process OCSP_VALIDATE message
Aug 21 20:07:32.404: CRYPTO_PKI: (A003E)Starting OCSP revocation check
Aug 21 20:07:32.405: CRYPTO_PKI: OCSP server URL is http://10.1.1.2/ocsp
Aug 21 20:07:32.405: CRYPTO_PKI: no responder matching this URL; create one!
Aug 21 20:07:32.405: OCSP: (A003E)OCSP Get Response command
Aug 21 20:07:32.406: CRYPTO_PKI: http connection opened
Aug 21 20:07:32.406: CRYPTO_PKI: OCSP send header size 132
Aug 21 20:07:32.406: CRYPTO_PKI: sending POST /ocsp HTTP/1.0
Host: 10.1.1.2
User-Agent: RSA-Cert-C/2.0
Content-type: application/ocsp-request
Content-length: 312
Aug 21 20:07:32.406: CRYPTO_PKI: OCSP send data size 312
Aug 21 20:07:32.409: OCSP: (A003E)OCSP Parse HTTP Response command
Aug 21 20:07:32.410: OCSP: (A003E)OCSP Validate DER Response command
Aug 21 20:07:32.410: CRYPTO_PKI: OCSP response status - successful.
Aug 21 20:07:32.410: CRYPTO_PKI: Decoding OCSP Response
Aug 21 20:07:32.411: CRYPTO_PKI: OCSP decoded status is GOOD.
Aug 21 20:07:32.411: CRYPTO_PKI: Verifying OCSP Response
Aug 21 20:07:32.413: CRYPTO_PKI: Added 11 certs to trusted chain.
Aug 21 20:07:32.413: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsputil.c(547) : E_NOT_FOUND : no matching entry found
Aug 21 20:07:32.413: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsputil.c(547) : E_NOT_FOUND : no matching entry found
Aug 21 20:07:32.414: CRYPTO_PKI: (A003E) Validating OCSP responder certificate
Aug 21 20:07:32.415: CRYPTO_PKI: OCSP Responder cert doesn't need rev check
Aug 21 20:07:32.415: CRYPTO_PKI: response signed by a delegated responder
Aug 21 20:07:32.416: CRYPTO_PKI: OCSP Response is verified
Aug 21 20:07:32.416: CRYPTO_PKI: (A003E) OCSP revocation check is complete 0
Aug 21 20:07:32.416: OCSP: destroying OCSP trans element
Aug 21 20:07:32.416: CRYPTO_PKI: Revocation check is complete, 0
Aug 21 20:07:32.416: CRYPTO_PKI: Revocation status = 0
Aug 21 20:07:32.416: CRYPTO_PKI: Remove session revocation service providers
Aug 21 20:07:32.416: CRYPTO_PKI: Remove session revocation service providers
Aug 21 20:07:32.416: CRYPTO_PKI: (A003E) Certificate validated
Aug 21 20:07:32.417: CRYPTO_PKI: Populate AAA auth data
Aug 21 20:07:32.417: CRYPTO_PKI: Selected AAA username: 'admin1'
Aug 21 20:07:32.417: CRYPTO_PKI: Anticipate checking AAA list: 'CERT'
Aug 21 20:07:32.417: CRYPTO_PKI: Checking AAA authorization
Aug 21 20:07:32.417: CRYPTO_PKI_AAA: checking AAA authorization (CERT, admin1, <all>)
Aug 21 20:07:32.417: CRYPTO_PKI_AAA: pre-authorization chain validation status (0x400)
Aug 21 20:07:32.417: CRYPTO_PKI_AAA: post-authorization chain validation status (0x400)
Aug 21 20:07:32.417: CRYPTO_PKI: (A003E)chain cert was anchored to trustpoint SSH, and chain validation result was: CRYPTO_VALID_CERT
Aug 21 20:07:32.417: CRYPTO_PKI: destroying ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 32, ref count 1
Aug 21 20:07:32.417: CRYPTO_PKI: ca_req_context released
Aug 21 20:07:32.417: CRYPTO_PKI: (A003E) Validation TP is SSH
Aug 21 20:07:32.417: CRYPTO_PKI: (A003E) Certificate validation succeeded
Aug 21 20:07:32.418: CRYPTO_PKI: Rcvd request to end PKI session A003E.
Aug 21 20:07:32.418: CRYPTO_PKI: PKI session A003E has ended. Freeing all resources.
Aug 21 20:07:32.418: SSH2 0: Verifying signature for user 'admin1' in SSH2_MSG_USERAUTH_REQUEST
Aug 21 20:07:32.418: SSH2 0: Received a chain of 2 certificate
Aug 21 20:07:32.418: SSH2 0: Received 0 ocsp-response
Aug 21 20:07:32.418: CRYPTO_PKI: found UPN as admin1@example.com
! Certificate status verified successfully
Aug 21 20:07:32.419: SSH2 0: Client Signature verification PASSED
Aug 21 20:07:32.419: SSH2 0: Certificate authentication passed for user 'admin1'
Aug 21 20:07:32.419: SSH2 0: authentication successful for admin1
Aug 21 20:07:32.470: SSH2 0: channel open request
Aug 21 20:07:32.521: SSH2 0: pty-req request
Aug 21 20:07:32.521: SSH2 0: setting TTY - requested: height 25, width 80; set: height 25, width 80
Aug 21 20:07:32.570: SSH2 0: shell request
Aug 21 20:07:32.570: SSH2 0: shell message received
Aug 21 20:07:32.570: SSH2 0: starting shell for vty
Aug 21 20:07:32.631: SSH2 0: channel window adjust message received 8
If the certificate for admin1 has been revoked:
Aug 21 19:39:52.081: CRYPTO_PKI: OCSP Response is verified
Aug 21 19:39:52.081: CRYPTO_PKI: (A0024) OCSP revocation check is complete 0
Aug 21 19:39:52.082: OCSP: destroying OCSP trans element
Aug 21 19:39:52.082: CRYPTO_PKI: Revocation check is complete, 0
Aug 21 19:39:52.082: CRYPTO_PKI: Revocation status = 1
Aug 21 19:39:52.082: CRYPTO_PKI: Remove session revocation service providers
Aug 21 19:39:52.082: CRYPTO_PKI: Remove session revocation service providers
Aug 21 19:39:52.082: CRYPTO_PKI: (A0024) Certificate revoked
Aug 21 19:39:52.082: %PKI-3-CERTIFICATE_REVOKED: Certificate chain validation has failed. The certificate (SN: 750000001B78DA4CC0078DEC0700000000001B) is revoked
Aug 21 19:39:52.082: CRYPTO_PKI: (A0024)chain cert was anchored to trustpoint Unknown, and chain validation result was: CRYPTO_CERT_REVOKED
Aug 21 19:39:52.082: CRYPTO_PKI: destroying ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 18, ref count 1
Aug 21 19:39:52.082: CRYPTO_PKI: ca_req_context released
Aug 21 19:39:52.083: CRYPTO_PKI: (A0024) Certificate validation failed
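The debug output above can be reduced to one record per PKI session for monitoring. The following Python parser is an added example, not part of the original document: it groups lines by the session tag in parentheses (for example A003D) and extracts the revocation status, the AAA username, the anchoring trustpoint, the chain validation result and the serial number of a revoked certificate. Lines without a tag are attributed to the most recently seen session, an assumption that matches the sequential output shown here but may not hold when sessions overlap.

```python
import re

# Lines excerpted from the two debug captures in this document.
SAMPLE_LOG = """\
Aug 21 20:07:32.308: CRYPTO_PKI: (A003D) Session started - identity not specified
Aug 21 20:07:32.328: CRYPTO_PKI: Revocation status = 0
Aug 21 20:07:32.329: CRYPTO_PKI: Selected AAA username: 'admin1'
Aug 21 20:07:32.329: CRYPTO_PKI: (A003D)chain cert was anchored to trustpoint SSH, and chain validation result was: CRYPTO_VALID_CERT
Aug 21 19:39:52.081: CRYPTO_PKI: (A0024) OCSP revocation check is complete 0
Aug 21 19:39:52.082: CRYPTO_PKI: Revocation status = 1
Aug 21 19:39:52.082: %PKI-3-CERTIFICATE_REVOKED: Certificate chain validation has failed. The certificate (SN: 750000001B78DA4CC0078DEC0700000000001B) is revoked
Aug 21 19:39:52.082: CRYPTO_PKI: (A0024)chain cert was anchored to trustpoint Unknown, and chain validation result was: CRYPTO_CERT_REVOKED
"""

# The session tag directly follows the CRYPTO_PKI or OCSP facility name.
SESSION = re.compile(r"(?:CRYPTO_PKI|OCSP)\s*:\s*\(([0-9A-F]+)\)")
FIELDS = {
    "revocation_status": re.compile(r"Revocation status = (\d+)"),
    "username": re.compile(r"Selected AAA username: '([^']*)'"),
    "revoked_serial": re.compile(r"%PKI-3-CERTIFICATE_REVOKED:.*\(SN: ([0-9A-F]+)\)"),
    "trustpoint": re.compile(r"anchored to trustpoint (\S+),"),
    "result": re.compile(r"chain validation result was: (\w+)"),
}

def summarize(log):
    """Return {session_id: {field: value}} built from PKI debug lines."""
    sessions, current = {}, None
    for line in log.splitlines():
        tag = SESSION.search(line)
        if tag:
            current = tag.group(1)
        if current is None:
            continue  # nothing to attribute the line to yet
        record = sessions.setdefault(current, {})
        for name, pattern in FIELDS.items():
            found = pattern.search(line)
            if found:
                record[name] = found.group(1)
    return sessions

def failed(sessions):
    """Sessions whose chain validation finished with a non-valid result."""
    return {sid: rec for sid, rec in sessions.items()
            if rec.get("result") not in (None, "CRYPTO_VALID_CERT")}

if __name__ == "__main__":
    for sid, rec in failed(summarize(SAMPLE_LOG)).items():
        print(sid, rec)
```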