Configuring SSH Protect to issue SSH certificates

The initial configuration of SSH Protect to allow it to function as an SSH certificate authority (SSH CA) is typically done by a Venafi Platform system administrator. If you want to use SSH certificates in your environment and these features aren't available to you, contact your system administrator, who can configure the system to support them.

The Venafi Platform system administrator needs to do the following:

  • Enable the necessary components in Venafi Configuration Console

  • Create at least one new SSH certificate issuance template

  • Configure your OpenSSH servers to trust your SSH CA

This topic will help you with the first step: enabling the necessary components to make SSH certificates available. The other necessary steps are detailed in subsequent topics.

To enable the necessary components in Venafi Configuration Console

  1. Connect to the Venafi Platform server using a remote desktop connection.

    TIP  You need to do this on only the Venafi server(s) that you intend to use for issuing SSH certificates. For example, if you have a dedicated log server or a dedicated discovery server, you do not need to enable the SSH certificate components on those servers.

  2. Launch the Venafi Configuration Console (VCC).

  3. Click the Product node in the left panel.

  4. [Optional] In the Group by drop-down, select Product.

  5. Review the following components to make sure they are enabled.

    • SSH Key Detection and Remediation

    • SSH Certificate Lifecycle and Monitoring

  6. If either component is not enabled, click the disabled component, then click Enable in the Actions panel.

What's next?

Now that you have at least one Venafi Platform server that can issue SSH certificates, you need to configure SSH Protect with one or more SSH certificate issuance templates.