SSH Certificate Authority & Host Authentication

SSH Certificate Authority (SSH CA) and Host Authentication work together to provide a trusted, scalable authentication system for both users and servers.

• SSH CA allows a central authority to sign user and host SSH keys, eliminating the need for manually distributing public keys.
• Host Authentication ensures clients only connect to verified servers, preventing man-in-the-middle attacks.

By combining these, organizations can centrally manage SSH access, enforce trust, and improve security without relying on static key management.

1. SSH Public Key Signed by a CA (User Authentication)
When a CA signs a user’s SSH key, it adds a certificate format:

ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2... user@client

• ssh-rsa-cert-v01@openssh.com → Indicates the key is signed by a CA.
• AAAAHNzaC1yc2... → The actual public key data.
• user@client → The username and host.

ssh-keygen -L -f user-key-cert.pub

Type: ssh-rsa-cert-v01@openssh.com
Valid: from 2024-01-01 to 2025-01-01
Principals: user1, admin
Key ID: user-key-001
Signed by: CA-key