SSH certificates are an evolution of traditional SSH keys. Instead of using individual keys for authentication (a public and a private key pair), SSH certificates introduce a third component: a private certificate authority (CA). This CA can sign other SSH keys, vouching for their authenticity. An SSH certificate is a public key that a CA has signed. The certificate contains information about the key, owner, and the CA’s signature. When a system sees this certificate, it can trust it if it trusts the CA that signed it. So, let’s get started with the step-by-step instructions on how to go about setting up your SSH Certificate Authority.
Did you know that SSH was created in 1995? In fact, a researcher from the University of Helsinki invented the protocol as a direct result of witnessing a password-sniffing attack 1st hand! The attack involved capturing passwords transmitted over the network by users of the university’s systems. SSH quickly became popular for its ability to provide secure encrypted communications between two untrusted hosts over an insecure network. That being said, there has certainly been no shortage of SSH related breaches in recent years. Companies like T-Mobile, GitLab, and even the Canadian Government have fallen victim to breaches. We’ve actually been saying for quite some time that SSH is the weakest point in most your infrastructure. For more detail on that, read our post about the biggest SSH vulnerabilities to consider in 2024.
So what’s the moral of the story here? Adding a CA to your SSH Authentication operation(s) is one of the most important actions you can take to ensure that your authentication practices are as secure as possible and properly insulated from those pesky hackers. In fact, take a look at how the World’s biggest organizations do SSH these days. Needless to say, had the above organizations properly set up their CAs, it highly likely these situations could have been avoided altogether.,
Again, an SSH certificate authority is just another SSH key. However rather than using it for authenticating the servers or clients directly, it is used to sign and then validate the other keys which are then actually used for authentication.
Step 1: Designating a Dedicated Certificate Authority (CA) Machine First think you’re going to want to do is designate a specific machine to serve as your Certificate Authority. We advise the allocation of a machine exclusively for CA purposes to bolster the security of your signing keys. For enhanced security, consider utilizing a Hardware Security Module (HSM) to safeguard your CA keys.
Step 2: Generating the CA Key Following the machine setup, proceed to create your CA key. Execute the command ‘’’ssh-keygen -f ca’’’. This process will prompt you to input a robust passphrase to secure your private key. The outcome of this command is the generation of two files: ‘“ca”’ and ‘“ca.pub”’. Exercise utmost caution to keep the ‘“ca”’ file confidential, as it contains your private key vital for signing certificates.
Step 3: Configuring Servers to Trust the CA On each server that you wish to enable for certificate authentication, append the line ‘’’TrustedUserCAKeys /etc/ssh/trusted_ca_keys.pub’’’ (or wherever you stored the public key of the CA) to the ‘’’/etc/ssh/sshd_config’’’ file. This action authorizes any SSH certificate signed by your CA for authentication on the server. Post configuration, restart the SSH service using service ssh restart to activate the settings.
Step 4: User SSH Key Creation Users should generate their SSH key via ssh-keygen. This creates two files: ‘“id_rsa”’ and ‘“id_rsa.pub”’ in the user’s .ssh folder. The ‘“id_rsa”’ file, containing the private key, must remain confidential and not be shared.
Step 5: Generating a Signed Certificate The user must then transfer the ‘“id_rsa.pub’” file to the CA. On the CA, run ‘’’ssh-keygen -s ca -I YOURNAME -n root -V +1d -z YOURSERIALNUMBER id_rsa.pub’’’ to generate a signed certificate. This certificate will feature your name as the “Key ID”, “root” as the “Valid Principal”, and will be valid for 1 day.
Step 6: Deploying the Certificate Transfer the resulting “’id_rsa-cert.pub”’ file into the user’s .ssh folder. With this certificate in place, users can authenticate to their endpoint via ssh root@YOURENDPOINT.
Note on Scalability While this method is exemplary for testing, it may not be scalable for larger organizations. Repeatedly generating certificates manually can lead to inefficiencies and frustration. For widespread organizational use, consider implementing a more automated and scalable solution.
While SSH is certainly a cornerstone of secure authentication, its management and security practices are often chock-full of challenges. That’s why we built EZSSH, making passwordless SSH authentication available (and affordable) for everyone! From the overwhelming task of managing a large volume of keys, to the risks posed by static or embedded keys, SSH environments can inadvertently open doors to security threats. It’s essential for organizations to actively consider the state of their SSH key infrastructure and its implications on overall security. Given the complexity and potential risks associated with SSH key management, seeking further information and expert guidance is highly advisable. Whether it’s reassessing your existing protocols or exploring new security strategies, scheduling some time to speak with one of our SSH authentication experts can provide invaluable insights and help fortify your defenses against sophisticated cyber threats. Don’t hesitate to make this a priority; the security and integrity of your network may depend on it. Check out how EZSSH works today!
