How to use PKCS#11 and OpenSSH CA

PKCS#11 is a standard interface that allows applications to use RSA private keys or certificates stored on hardware tokens (e.g. USB tokens or smart cards) without the private key ever leaving the token.

Xshell supports PKCS#11 and allows you to connect to servers that require public key authentication using the RSA private key on a USB hardware token.

For instructions on installing and configuring middleware for using PKCS#11 in Xshell, please refer to the following article.


SSH Connections with YubiKey PKCS#11 User Authentication(PIV)


In addition, if the remote server supports OpenSSH CA (certificate authority) authentication, administrators can manage user keys more conveniently, because the server trusts the CA's signature instead of a per-user entry in authorized_keys. Xshell supports OpenSSH CA, so you can connect to these types of servers using the CA function.

For more information about OpenSSH CA, please refer to the following article.

Using the OpenSSH CA (Certificate Authority) in Xshell


The following is a guide on how to use CA-signed public keys (certificates) for RSA keys stored in hardware tokens.

(PKCS#11 + OpenSSH CA functionality is available in Xshell 7 Build 0093 or later.)

Preparing to connect to a remote server via PKCS#11

First complete the steps in Using the OpenSSH CA (Certificate Authority) in Xshell to be able to connect to the remote server using PKCS#11.

OpenSSH CA configuration

Have the public key of the hardware token's RSA key signed by the CA, following the ‘User Key Signature’ section in Using the OpenSSH CA (Certificate Authority) in Xshell. This step may require the assistance of your CA server administrator, since the CA private key is held by the administrator, not by the user.
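The signing step above is performed by the CA administrator with ssh-keygen, not inside Xshell. The following script is an added example and is not part of the original article or of Xshell: it creates a CA, signs a user public key with a key ID, a principal list and a validity period, and then reads the resulting certificate back to confirm which user names it is valid for. Because no hardware token is available here, a freshly generated RSA key pair stands in for the token key (constructed); with a real token you would export only the public half with `ssh-keygen -D /path/to/pkcs11-module.so -e` (the module path is an assumption) and sign that file instead. The file names, the identity `alice-token` and the principals `alice,deploy` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Xshell article): sign a user's public key with an
# OpenSSH CA and inspect the certificate, using ssh-keygen only.
# Assumption: a throwaway RSA key pair generated below stands in for the hardware
# token's RSA key. With a real token, export the public key from the token with
#   ssh-keygen -D /path/to/pkcs11-module.so -e > token_rsa.pub   (path assumed)
# and pass that file to sign_user_key; the private key stays on the token.
set -eu

# make_ca DIR: create the CA key pair DIR/ca_key (private) and DIR/ca_key.pub.
# DIR/ca_key.pub is what the server lists in sshd_config as TrustedUserCAKeys.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$1/ca_key"
    printf '%s\n' "$1/ca_key.pub"
}

# make_token_stand_in DIR: constructed RSA key pair standing in for the token key.
make_token_stand_in() {
    ssh-keygen -q -t rsa -b 2048 -N '' -C 'token-stand-in' -f "$1/token_rsa"
    printf '%s\n' "$1/token_rsa.pub"
}

# sign_user_key CA_KEY USER_PUB IDENTITY PRINCIPALS VALIDITY
# Writes USER_PUB with "-cert.pub" in place of ".pub" and prints that path.
# The certificate file is the "signed public key" that is later added in
# Xshell's HW Token SSH CA Keys dialog. -I is the key ID that appears in the
# server's auth log; -n restricts which user names the certificate is valid
# for; -V bounds its lifetime (e.g. "+52w").
sign_user_key() {
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" "$2"
    printf '%s\n' "${2%.pub}-cert.pub"
}

# cert_type CERT: "user" or "host", taken from the Type line of ssh-keygen -L.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^ *Type:/ { print $(NF-1) }'
}

# cert_principals CERT: the principals (user names) the certificate is valid
# for, one per line. They are the indented lines after "Principals:" in the
# ssh-keygen -L output, up to the next "Label:" line.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^ *Principals:/ { inlist = 1; next }
        inlist && /^ *[A-Za-z ]+:/ { inlist = 0 }
        inlist { sub(/^ +/, ""); print }'
}

# cert_allows_user CERT USER: succeed only if USER is one of the principals.
# This mirrors the check sshd performs when TrustedUserCAKeys is configured:
# the login name must match a principal, and no authorized_keys entry is needed.
cert_allows_user() {
    cert_principals "$1" | grep -qx -- "$2"
}

# demo: run the whole flow in a temporary directory and show the results.
demo() {
    dir=$(mktemp -d)
    ca_pub=$(make_ca "$dir")
    user_pub=$(make_token_stand_in "$dir")
    cert=$(sign_user_key "$dir/ca_key" "$user_pub" 'alice-token' 'alice,deploy' '+52w')
    echo "CA public key for the server (TrustedUserCAKeys): $ca_pub"
    echo "Certificate to add in Xshell's HW Token SSH CA Keys dialog: $cert"
    echo "Certificate type: $(cert_type "$cert")"
    echo "Principals:"
    cert_principals "$cert"
    ssh-keygen -L -f "$cert"
}

# Run the demonstration only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh sign_token_key.sh --demo` (file name assumed). On the server side the administrator copies the CA public key to a file such as `/etc/ssh/user_ca.pub` and adds `TrustedUserCAKeys /etc/ssh/user_ca.pub` to `sshd_config`; the `-n` principals and `-V` validity are what limit the blast radius of a lost token, so check them with `ssh-keygen -L` before handing the certificate to the user.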

Xshell configuration

  1. Open Xshell and press Alt+N to create a new session.

  2. After naming the session, select PKCS11 under ‘Authentication’ and press ‘Setup’ to open the Setup PKCS11 dialog box.


    If you installed the middleware driver through the steps listed under ‘Preparing to connect to a remote server via PKCS#11’ above, you should see the middleware's PKCS#11 DLL in its installation path; select that DLL here.


  3. You can save the token PIN in the Setup PKCS11 dialog, but it is recommended to leave it blank; you will be prompted for the PIN when the session runs.

  4. In the Setup PKCS11 dialog box, click the ‘Set SSH CA Key’ button to open the HW Token SSH CA Keys dialog box.


  5. Click the ‘Add’ button and select the signed public key (the certificate) obtained in the ‘OpenSSH CA configuration’ step above.

  6. Click ‘OK’ in succession to save the session. Ensure that you’ve entered the necessary information for connection in the Properties of New Session dialog box.

  7. Execute the created session.

Verify success

  • If a dialog box appears asking for the hardware token PIN, the hardware token was configured successfully via PKCS#11.

  • You’ll know that CA authentication is working properly if the connection succeeds even though the token's public key is not registered in the user's authorized_keys file on the remote server.