Normally, SSH works like this:
You create a key pair:
The gateway stores your public key in a file called ~/.ssh/authorized_keys.
In the worst case, some would consider sharing a private key. But:
If they mess something up (delete data, open a security hole), it looks like you did it.
You lose all accountability—you can't prove it wasn't you.
It's nearly impossible to revoke just one "copy" of a shared key. You have to rebuild trust everywhere.
SSH certificates fix these problems by adding a "digital signature" to your public key.
Here’s what changes:
Without Certificates | With Certificates |
---|---|
You must copy each public key to each gateway | No need! Gateways just trust the CA |
Hard to expire keys | Certificates can have an expiration time |
Revoking access = manual cleanup | Just stop signing new certs or update the CA |
Everyone has unique, unmanaged keys | Central authority manages who gets certs |
This guide provides a step-by-step approach to generating and using SSH certificates to authenticate users accessing gateways. It assumes a working knowledge of SSH and access to a Linux-based system with OpenSSH installed.
You will create a Certificate Authority (CA) once, and configure a gateway to trust certificates instead of raw public keys. Then for each user, sign their SSH key.
Ensure first that OpenSSH is installed on your system:
ssh -V
Verify that OpenSSH version 5.4 or later is installed. Update if necessary.
Log in to a secure system that will act as the Certificate Authority (CA).
Generate a key pair:
root@365870ffa28f:~# mkdir -p ~/ca && cd ~/ca
root@365870ffa28f:~/ca# ssh-keygen -t ed25519 -f ca_user_key
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ca_user_key.
Your public key has been saved in ca_user_key.pub.
The key fingerprint is:
SHA256:K/fFq5EVsIsysBm0K6DyFdMgog9j5zAuRzKwo6M3jhA root@365870ffa28f
The key's randomart image is:
+--[ED25519 256]--+
|o . o . |
|oo o + o |
|X+..* . . . |
|=X= O . . . |
|E.+.= o S . . |
|+= o o . + |
|o + . o o o |
|.+ . o . o . |
|. . o.. |
+----[SHA256]-----+
You can use key type ed25519 if you want more security, or any other key type supported by the gateway (rsa >= 2048 or ecdsa).
This generates two files:
This private key will be used to sign all your users' keys. Be sure to keep it in a safe and secure place.
Key generation automatically writes the public part to the ca_user_key.pub file. You need to send this file to the gateway, into the folder /etc/ssh/trusted_user_ca_keys.d/, either:
echo "ssh-ed25519 AAAA....lCxDQ" > /etc/ssh/trusted_user_ca_keys.d/my_ca_user_key.pub
scp ca_user_key.pub gateway:/etc/ssh/trusted_user_ca_keys.d/my_ca_user_key.pub
Users generate their own SSH key pair (if they don’t already have one):
user@mypc:~/$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/id_ed25519.
Your public key has been saved in ~/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:QAJN2PA7kAfeDosblMTahz5waOy3hCu8u9EdlWA/HLU
The key's randomart image is:
+--[ED25519 256]--+
|..+Boo.... |
|.oo=+o+ o . |
|o==.+ .* E |
|=++*..... |
|=+o.+. S |
| =+o... |
|o.+o.. |
|.o.. |
|.++ |
+----[SHA256]-----+
The CA administrator signs the user's public key using the CA user private key (given by the -s option) generated during step 1.
root@365870ffa28f:~# ssh-keygen -s ca_user_key -I user_identity -n root -V -1w:+1w id_ed25519-user.pub
Enter passphrase:
Signed user key id_ed25519-user-cert.pub: id "user_identity" serial 0 for root valid from 2023-02-20T09:31:53 to 2023-03-06T09:31:53
-I user_identity: Identifier for the certificate.
-s ca_user_key: CA user private key.
-n username: User principal name.
-V -1w:+1w: Validity period (e.g., +/-7 days).
Please visit the ssh-keygen manual to see all options for the ssh-keygen command.
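The values given to -I, -n and -V are stored inside the certificate file, so they can be checked before a certificate is handed to a user. The following Python code is an added example, not part of the original guide: it decodes an ed25519 certificate line and reports missing principals, a missing expiry or an over-long validity period. The sample certificate is constructed (dummy key bytes, no signature), `max_days` is a hypothetical site limit, and the CA signature is not verified.

```python
import base64, struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
FOREVER = 2**64 - 1  # valid_before when no end date was set at signing time

def read_string(buf, off):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def pack_string(b): return struct.pack(">I", len(b)) + b

def parse_cert(line):
    """Decode the fields set by -I, -n and -V. The CA signature is NOT verified."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = read_string(blob, 0)
    if ktype != CERT_TYPE:
        raise ValueError("not an ed25519 certificate")
    _, off = read_string(blob, off)                 # nonce
    _, off = read_string(blob, off)                 # certified public key
    serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = read_string(blob, off + 12)
    packed, off = read_string(blob, off)            # principals, each an SSH string
    after, before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(packed):
        name, p = read_string(packed, p)
        principals.append(name.decode())
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}

def audit(cert, now, max_days=14):
    """Return policy findings; now is a Unix time, max_days a hypothetical site limit."""
    after, before = cert["valid_after"], cert["valid_before"]
    checks = [
        (cert["type"] != 1, "not a user certificate"),   # 1 = user, 2 = host
        (not cert["principals"], "no principals listed"),
        (before == FOREVER, "never expires"),
        (before < now, "expired"),
        (before != FOREVER and before - after > max_days * 86400, "lifetime exceeds max_days"),
    ]
    return [msg for hit, msg in checks if hit]

def constructed_cert(key_id, principals, after, before):
    """Constructed sample: real field order, dummy key bytes, cut off after the dates."""
    names = b"".join(pack_string(p.encode()) for p in principals)
    body = (pack_string(CERT_TYPE) + pack_string(b"\0" * 32) * 2 + struct.pack(">QI", 0, 1)
            + pack_string(key_id.encode()) + pack_string(names) + struct.pack(">QQ", after, before))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " constructed"
```

For a single file, `ssh-keygen -L -f id_ed25519-user-cert.pub` prints the same fields.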
Provide the signed certificate (id_ed25519-user-cert.pub) to the user. Place it in the same directory as their private key:
mv id_ed25519-user-cert.pub ~/.ssh/
Ensure the following permissions:
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519-user-cert.pub
To connect, specify the certificate with the -o CertificateFile option and the identity file (private key) with the -i option:
user@mypc:~$ ssh -o CertificateFile=~/.ssh/id_ed25519-user-cert.pub -i ~/.ssh/id_ed25519 root@klk-wifc-f9afb4
Last login: Mon Feb 27 09:57:03 2023 from 54.238.145.49
root@klk-wifc-0700B4:~#
You can use the ssh configuration file ~/.ssh/config to apply these parameters automatically:
Host klk-*
    User root
    CertificateFile ~/.ssh/id_ed25519-user-cert.pub