Provision Key and Certificate

You can provision an SSH key (user key, private key or key pair) and an SSH certificate to target Linux managed hosts and, optionally, store the private key in an integrated CyberArk vault.

Prerequisites:
  • The target Linux hosts must be in the managed state.
  • If you intend to use the optional vault integration, configure it before you begin. Provisioning to CyberArk requires the CyberArk credentials to be configured with Auth Type: Basic in the CyberArk API Settings. It will not work if the API settings are configured with Auth Type: Certificate.

To provision a key:

  1. Go to Menu > SSH > INVENTORY > Key Inventory > User Key Inventory.
  2. From User Key Inventory, select a key you want to provision.
  3. Click the Actions dropdown menu, and then select the Provision Key & Certificate option.
    The Provision Key & Certificate page is displayed, showing the fields for the Key & Certificate Configuration setup.
  4. In the Key & Certificate Configuration setup page:
    The Key Summary section contains fields that are pre-populated and non-editable:
    • Key Type
    • Associated Users
    • Fingerprint
    • Encryption
    • Key Group
    The Certificate Provisioning section contains a Provision Certificate toggle. Enabling the toggle displays the SSH certificate signing parameter fields.
    Note: The Certificate Provisioning section is disabled by default. To enable it:
    1. Go to Menu > SSH > ADMINISTRATION > Advanced Settings.
    2. Under the Provisioning tab, enable the Enable User CA Trust and Certificate toggle.
    3. In the pop-up displayed, select the checkbox to confirm the setting and click Proceed.
    4. Click Update. The provisioning settings are saved.
    Table 1. Certificate Configuration - Field and Description Table
    Cert Key Id (Mandatory): The Key ID / comment embedded in the signed certificate.
    Principals (Mandatory): The OS usernames or roles the certificate grants access for. Example: user or domain\user
      The system auto-populates this field from the Associated Users. You can modify the values or add one or more new values alongside the pre-populated entries.
    Extensions (Mandatory): The SSH certificate extensions to include. The selection must be a subset of the group policy's allowed list. Permitted values are:
      • permit-agent-forwarding
      • permit-port-forwarding
      • permit-pty
      • permit-user-rc
      • permit-X11-forwarding
    Valid From, Valid To (Mandatory): The certificate validity start and end values. Valid From cannot be earlier than the current date and time, and Valid To cannot exceed the Max Validity defined in the key policy for this key.
    Source IP: Restricts where the SSH certificate can be used from. Specify one or more IP addresses or CIDR ranges (comma-separated).
      If omitted: no IP restriction is applied; the certificate can be used from any source.
    Force Command: Restricts which command(s) the user can execute when authenticating with the certificate. Specify one or more commands (comma-separated).
      If omitted: no command restriction is applied; the user can execute any command permitted by their account privileges.

  5. Click Next.
    The Destination Configuration setup page is displayed.
  6. In the Destination Configuration page, enter the fields as follows:
    Table 2. Destination Configuration - Field and Description Table
    Infra Access Group: Select a user group from the dropdown. This field binds access at the group level and restricts users to only the hosts associated with the selected group.
    Client Configuration: Click Add Host to enter the details below, and then click Add on the pop-up to list them in the Client Configuration details.
      Hostname: Specify the client machine’s hostname or IP address.
      Username: Enter the username used to access the client machine.
      Key Path: Provide the file path where the user’s private key is stored on the client machine.
      Cert Path: Provide the file path where the SSH certificate will be stored or accessed on the client machine.
    Server Configuration: Click Add Host to enter the details below, and then click Add on the pop-up to list them in the Server Configuration details.
      Hostname: Specify the target server’s hostname or IP address.
      Username: Enter the username used to access the server.
      Principals: Define the allowed identities (usernames) embedded in the SSH certificate for authentication.
      Authorised Principals: Specify the list or file of principals that the server trusts for certificate-based authentication. This field is not editable.
  7. Click Next.
  8. (Optional) Configure Vault Configuration as follows:
    • Only needed if you are using CyberArk or another PAM solution for secure credential storage.
    • If vault configuration is not required, click the Skip button.
    • Enter or select the vault details.
      Table 3. Vault Configuration - Field and Description Table
      Vault Vendor: Select the supported PAM solution. For example: CyberArk.
      Vault Config: Choose a pre-configured vault integration.
      Safe Name: Enter the CyberArk Safe where the credentials are stored.
      User Name: The username for the target system.
      PAM Account Name: The CyberArk-managed account used to connect to the target host.
      Server Address: Enter the IP address or FQDN of the vault or target system.
    • Click Next.
  9. Under Review & Confirm, review all the configuration details and then click Confirm.