Understanding SSH Certificates
SSH certificates enhance standard public key authentication by allowing a trusted Certificate Authority (CA) to sign public keys, streamlining key management and improving security.
How SSH Certificates Work
- A CA Signs a Public Key -
- Instead of manually distributing public keys to each SSH server, a Certificate Authority (CA) signs a user's or host's public key, turning it into an SSH certificate.
- The SSH Server Trusts the CA -
- The SSH server is configured to trust the CA’s public key, allowing it to authenticate any user or host with a valid certificate signed by that CA.
- Authentication Process -
- The client presents its signed certificate instead of a raw public key.
- The SSH server verifies the certificate against the CA's trusted key.
- If valid, authentication proceeds without needing individual public key entries in "~/.ssh/authorized_keys".
Advantages of SSH Certificates
- Simplified Key Management: No need to distribute individual public keys; just configure servers to trust the CA.
- Expiration & Revocation: Certificates can have expiration dates and be revoked, reducing security risks from compromised keys.
- User and Host Identification: Certificates can embed additional metadata like usernames and allowed principals.
Generating & Using SSH Certificates
- Generate a CA Key (if not already created)
ssh-keygen -t rsa -b 4096 -f ca_key
- Sign a User's Public Key
ssh-keygen -s ca_key -I user123 -n user -V +52w user_key.pub
- "-s ca_key" → Uses "ca_key" to sign.
- "-I user123" → Sets a unique key identifier.
- "-n user" → Restricts the certificate to a specific username.
- "-V +52w" → Sets certificate validity to 52 weeks.
With this setup, users only need their signed key to authenticate without manually distributing their public key to each server.
How the SSH Server Verifies the Certificate
- The server is configured to trust the CA by adding the CA's public key to "/etc/ssh/trusted-user-ca-keys.pub":
echo "ssh-rsa AAAAB3... your-ca-key" >> /etc/ssh/trusted-user-ca-keys.pub
- The server enables certificate authentication in "/etc/ssh/sshd_config":
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pub
- When a client connects:
- The SSH server extracts the public key and signature from the certificate.
- It verifies the signature using the trusted CA’s public key.
- If valid, access is granted without needing an entry in "authorized_keys".
Example of an SSH Certificate (Text Format)
The SSH certificate ("user_key-cert.pub") is a text file, just like a regular SSH public key. It follows the same OpenSSH-style format and is Base64-encoded, making it human-readable.
Here’s what an SSH user certificate looks like when you open "user_key-cert.pub":
ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EAAAADAQABAAABAQC...AAE= user@host
Just like a regular SSH public key, the certificate consists of:
- Key type: "ssh-rsa-cert-v01@openssh.com" (or "ssh-ed25519-cert-v01@openssh.com", etc.)
- Base64-encoded certificate data: Includes the public key, metadata, and CA signature.
- Optional comment: Typically the username and hostname.
Since it's a text file, you can view its details with:
ssh-keygen -L -f user_key-cert.pub
This will display parsed details of the certificate, including:
- Key type
- Serial number
- Key ID
- Validity period
- Signing CA
- Principals (allowed usernames)
- Critical options and extensions
Summary
- SSH certificates are signed public keys that contain metadata and a CA signature.
- They are obtained by having a CA sign a standard SSH public key with "ssh-keygen -s".
- The signed key is used like a normal public key, but the SSH server validates it against a trusted CA instead of "authorized_keys".