Users Guide

Table Of Contents
370 | Certificate Revocation Dell Networking W-Series ArubaOS 6.4.x| User Guide
11.In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to
configure. The Revocation Checkpoint pane displays.
12.In the Revocation Check field, optionally select a check method from the Method 1 drop-down list.
Optionally, select a backup check method from the Method 2 drop-down list.
13.Select Enable next to Enable OCSP Responder.
14.Select OCSP signer cert from the OCSP Signer Cert drop-down menu.
15.In the CRL Location field, enter the CRL you want used for this revocation checkpoint. The CRLs listed are
files that have already been imported onto the controller.
16.Click Apply.
In the CLI
This example configures the controller as an OCSP responder. The OCSP responder service is enabled, the
revocation check point is CAroot, the OCSP signer cert is “oscap_CA1,” and the CRL file location is Sec1-WIN-
05PRGNGEKAO-CA-unrevoked.crl.”
(host) (config) #crypto-local pki service-ocsp-responder
(host) (config) #crypto-local pki rcp CAroot
(host) (CAroot) #ocsp-signer-cert oscsp_CA1
(host) (CAroot) #crl-location file Sec1-WIN-05PRGNGEKAO-CA-unrevoked.crl
(host) (CAroot) #enable-ocsp-responder
Certificate Revocation Checking for SSH Pubkey Authentication
This feature allows the ssh-pubkey management user to be optionally configured with a Revocation
Checkpoint (RCP). This meets the requirement for a two-factor authentication and integration of device
management with PKI for SSH pubkey authentication. The ArubaOS implementation of SSH using Pubkey
authentication is designed for integration with smart cards or other technologies that use X.509 certificates.
The RCP checks the revocation status of the SSH user’s client certificate before permitting access. If the
revocation check fails, the user is denied access using the ssh-pubkey authentication method. However, the
user can still authenticate through a username and password if configured to do so.
For information about configuring a revocation checkpoint, see Certificate Revocation.
Configuring the SSH Pubkey User with RCP
You can configure the SSH pubkey user with RCP to check the validity of the user’s x.509 certificate.
In the WebUI
1. Navigate to Configuration > Management > Administration.
2. Under Management Users, click Add. The Add User page displays.
3. Select Certificate Management, then SSH Public Key.
4. When adding an ssh-pubkey user, when revocation check is enabled, perform either of the following tasks :
l To enable the RCP check, select a valid configured RCP from Revocation Checkpoint drop-down menu.
l Select None if you do not want the RCP check enabled for the ssh pubkey user.
In the CLI
The CLI allows you to configure an optional RCP for an ssh-pubkey user. Users can still be configured without
the RCP. In this example, the certificate name is
client1-rg,”, the username is test1,” the role name is “root,” and the rcp is “ca-rg:
(host)(config) #mgmt-user ssh-pubkey client-cert client1-rg test1 root ?
rcp Revocation Checkpoint for ssh user's client certificate