SSH Certificate-Based Authentication

Generating Certificate Authority (CA)

$ ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca
$ ls -l
total 8
-rw-------. 1 root ssh_keys 3381 Mar 19 14:30 host_ca
-rw-r--r--. 1 root ssh_keys  737 Mar 19 14:30

Issuing host certificates (to authenticate hosts to users)

Take the host's public key and sign it with the CA key. The -h flag marks the result as a host certificate, -I sets the certificate identity, -n lists the principals (hostnames) the certificate is valid for, and -V +52w limits its validity to 52 weeks from now:

ssh-keygen -s host_ca -I -h -n -V +52w
$ ls -l
-rw------- 1 root ssh_keys 3247 Mar 17 14:49 ssh_host_rsa_key
-rw-r--r-- 1 root ssh_keys 2369 Mar 17 14:50
-rw-r--r-- 1 root ssh_keys  764 Mar 17 14:49

The -cert.pub file written by ssh-keygen -s contains the signed host certificate.

Server (on

First, copy the three files you just generated (the host private key, its public key, and the certificate) to the server, store them under the /etc/ssh directory, set the permissions to match the other files there (the private key must stay readable by root only), then add this line to your /etc/ssh/sshd_config file. If the host key is not at one of sshd's default HostKey paths, add a matching HostKey line as well:

HostCertificate /etc/ssh/

Once this is done, check the configuration with sshd -t and then restart sshd with systemctl restart sshd.


For your local ssh client to make use of this (and automatically trust the host based on the certificate's identity instead of a per-host key entry), you will also need to add the CA's public key to your known_hosts file as a certificate authority.

You can do this by taking the contents of the CA public key file, adding @cert-authority * to the beginning, then appending the result to ~/.ssh/known_hosts. The pattern after @cert-authority controls which hosts the CA may vouch for; * means every host, so in practice narrow it to a pattern such as *.example.com so that a compromised CA cannot impersonate hosts outside your domain:

@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDwiOso0Q4W+KKQ4OrZZ1o1X7g3yWcmAJtySILZSwo
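The whole procedure above, run end to end in a scratch directory so it can be tried without touching /etc/ssh. This is an added example, not code from the original page; the names are assumptions: CA key host_ca, host key ssh_host_ed25519_key, certificate ID web01-2024, principal web01.example.com, and known_hosts pattern *.example.com. It goes slightly beyond the page by decoding the certificate with ssh-keygen -L to confirm the signing CA, the ID and the principals before anything is installed on a server.

```shell
#!/bin/sh
# Added example (not from the original page): the whole host-certificate
# workflow in a scratch directory, so it can be run end to end without
# touching /etc/ssh. Names are assumptions: CA key "host_ca", host key
# "ssh_host_ed25519_key", certificate ID "web01-2024", principal
# "web01.example.com", trust pattern "*.example.com".
set -eu

WORK=""   # scratch directory, set by run_demo

# 1. CA key pair. The page uses rsa -b 4096; ed25519 is used here and
#    works identically. Keep the private half offline in real use.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/host_ca" -C host_ca
}

# 2. A host key pair, standing in for the one sshd already has on the server.
make_host_key() {
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key" -C "$1"
}

# 3. Sign the host public key. -h = host cert, -I = certificate identity,
#    -n = principals (hostnames the cert is valid for), -V = validity window.
#    Output is written next to the key as ssh_host_ed25519_key-cert.pub.
sign_host_key() {
  ssh-keygen -q -s "$WORK/host_ca" -I "$1" -h -n "$2" -V +52w \
    "$WORK/ssh_host_ed25519_key.pub"
}

# Fingerprint of the CA public key, as shown by ssh-keygen -l.
ca_fingerprint() {
  ssh-keygen -lf "$WORK/host_ca.pub" | cut -d' ' -f2
}

# Checks against the decoded certificate (ssh-keygen -L): was it signed by
# our CA, does it carry the expected ID, and does it list a given principal?
cert_signed_by_ca() {
  ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub" \
    | grep 'Signing CA:' | grep -Fq "$(ca_fingerprint)"
}
cert_has_id() {
  ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub" | grep -Fq "Key ID: \"$1\""
}
cert_has_principal() {
  ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub" | tr -d ' \t' | grep -Fxq "$1"
}

# 4. Client side: the known_hosts entry. Scoped to a host pattern instead of
#    "*" so the CA is trusted only for the hosts it is meant to vouch for.
known_hosts_line() {
  printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$WORK/host_ca.pub")"
}

run_demo() {
  WORK=$(mktemp -d)
  make_ca
  make_host_key web01.example.com
  sign_host_key web01-2024 web01.example.com
  # Verify before installing anything: wrong CA, ID or principal means the
  # client will fall back to an unknown-host prompt instead of trusting the cert.
  cert_signed_by_ca && cert_has_id web01-2024 && cert_has_principal web01.example.com
  ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub"
  echo "known_hosts entry:"
  known_hosts_line '*.example.com'
}

# Run the demo when executed directly; sourcing the file only defines the functions.
case "$0" in *host_cert_demo.sh) run_demo ;; esac
```

Save it as host_cert_demo.sh and run it with sh. On the server the equivalent of step 3's output goes into sshd_config as HostKey /etc/ssh/ssh_host_ed25519_key and HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub (assumed paths), validated with sshd -t before restarting; the printed known_hosts entry is what the client appends to ~/.ssh/known_hosts.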
