certificate keys
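# Generate the SSH CA key pair.  The private half (ca_ed25519) can mint a
# certificate for any principal, so set a passphrase when prompted and keep
# it off the SSH server (a dedicated or offline signing host is ideal).
ssh-keygen -t ed25519 -f ca_ed25519
# Copy ONLY the CA *public* key to the SSH server.  ssh-copy-id is the wrong
# tool here: it appends the key to ~/.ssh/authorized_keys, which is not the
# file TrustedUserCAKeys reads.
scp ca_ed25519.pub user@ssh-server:/tmp/ca_ed25519.pub
# On the server, install it root-owned and not writable by others (0644) at the
# path sshd_config will reference below.
install -m 0644 -o root -g root /tmp/ca_ed25519.pub /etc/ssh/ca_ed25519.pub
# Edit the SSH server's configuration file (/etc/ssh/sshd_config) and add this
# line.  Put it in the global section, not after a Match block: directives that
# follow a Match only apply inside that block.
TrustedUserCAKeys /etc/ssh/ca_ed25519.pub
# Check that the configuration parses before restarting; a broken sshd_config
# can lock you out of the server.
sshd -t
# Restart your SSH server to apply the changes
systemctl restart sshd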
Step 2: Create User Certificates for "opc"
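# Generate an Ed25519 SSH key pair for the "opc" user
ssh-keygen -t ed25519 -f user_opc_ed25519
# Sign the user's public key with the CA key to create a user certificate.
# The certificate is written next to the key as user_opc_ed25519-cert.pub.
#   -I  key identity; sshd records it in the auth log on every login, so make
#       it identify the person or workload the certificate was issued to
#   -n  principal(s) the certificate is valid for; sshd matches the login name
#       against these, so "opc" only permits logging in as opc
#   -V  validity period; WITHOUT it the certificate never expires and can only
#       be retired by revocation, so always set one (shorter than a year is
#       better if you can re-issue easily)
#   -z  serial number; lets this certificate be revoked later through a KRL
#       (RevokedKeys) without rotating the CA
# Sign once: running ssh-keygen -s twice on the same .pub overwrites the
# earlier certificate.
ssh-keygen -s ca_ed25519 -I opc -n opc -V +365d -z 1 user_opc_ed25519.pub
# Inspect the result to confirm the principal, serial and validity window
ssh-keygen -L -f user_opc_ed25519-cert.pub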
Step 3: Configure the SSH Server and Client
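# Configure the SSH server to present a host certificate (optional, but it lets
# clients verify the host through the CA instead of trusting the host key on
# first use).  The steps above do not create one: copy the server's host
# *public* key to wherever the CA private key lives (never the other way
# round) and sign it there.  -h marks it as a host certificate and -n must be
# the hostname clients will actually connect to (constructed example below).
# Consider a separate CA key for host certificates so that compromise of one
# CA does not also grant the other role.
ssh-keygen -s ca_ed25519 -I ssh-server -h -n ssh-server.example.com ssh_host_ed25519_key.pub
# ssh-keygen writes the certificate next to the public key as <name>-cert.pub;
# copy it back to the server and make sure the path below matches that file.
# Add the following line to /etc/ssh/sshd_config:
HostCertificate /etc/ssh/ssh_host_ed25519-cert.pub
# Configure the client to trust host certificates issued by the CA: add an
# @cert-authority entry to the client's known_hosts.  The host pattern should
# be as narrow as possible (only the hosts this CA certifies) and the key is
# the CA's *public* key, taken here from ca_ed25519.pub.
cat >> ~/.ssh/known_hosts <<EOF
@cert-authority *.example.com $(< ca_ed25519.pub)
EOF
# Example: how the resulting @cert-authority entry looks
# @cert-authority *.myexample.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILTX5eLb+K7G1G9/CAnBb3a8AGFjK0cm7zcsJYDpY8Pczd4yvz7wC+3Jh9R7X8ZJ6hx8DrV+Oy0G6Ts4M2rJ3R+kIA3Dq1a8=
# Explanation:
# The *.myexample.com represents a wildcard for any host under the "myexample.com" domain.
# This allows you to trust the CA for all hosts within that domain.
# @cert-authority is a tag indicating the entry is for a certificate authority (CA).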
Step 4: Connect to the SSH Server Using User Certificates
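# Now, you can use the user certificate to connect to the SSH server.
# The login name must be one of the principals the certificate was signed for
# (-n opc above), so log in as opc rather than an arbitrary user; replace
# ssh-server with your server's hostname.  The client offers
# user_opc_ed25519-cert.pub automatically when it sits next to the private key.
ssh -i user_opc_ed25519 opc@ssh-server
# The SSH client presents the CA-signed user certificate to the server.
# If everything is configured correctly, you should be able to log in without
# the need for password authentication.  If the login fails, `ssh -v` shows
# whether the certificate was offered, and the server's auth log shows why it
# was rejected (principal mismatch, expired certificate, or untrusted CA).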