How to Secure SSH Access with Certificate‑Based Authentication

This guide explains how to set up SSH certificate‑based authentication by creating a Certificate Authority, generating user and host keys, signing certificates, configuring both server and client to trust them, and managing revocation, offering a more secure alternative to password or key‑pair logins.

Open Source Tech Hub

Why Switch to Certificate Login?

Traditional SSH authentication uses passwords or static public‑key pairs, and both have drawbacks: passwords are exposed to brute‑force and credential‑stuffing attacks, and static keys must be copied into authorized_keys on every server and removed again when a person leaves, which is error‑prone at scale and leaves orphaned keys behind.

What Is SSH Certificate Login?

Certificate login introduces a Certificate Authority (CA) that signs the public keys of servers and users, producing certificates that can be made short‑lived. During authentication each side presents its certificate: the server proves its identity with a host certificate, and the user with a user certificate. Because both sides only need to trust the CA's public key, there is no per‑host known_hosts entry to collect and no per‑user authorized_keys copy to distribute, which simplifies management and improves scalability.

Overall Certificate Workflow

User and server each generate a key pair and send only the public key to the CA; private keys never leave their owners.

CA signs the server's public key, producing a host certificate.

CA signs the user's public key, producing a user certificate.

When the client connects, the server presents its host certificate during key exchange, before any user authentication takes place.

The client validates the host certificate against the trusted host CA key in its known_hosts file and checks that the server name matches one of the certificate's principals.

The client then presents the user certificate.

The server validates the user certificate against the trusted user CA key (TrustedUserCAKeys) and checks that the login name is among the certificate's principals, that the certificate is within its validity period, and that it has not been revoked.

After both checks pass, the SSH connection is established.

Generate CA Keys

The CA requires at least two key pairs: one for signing user certificates ( user_ca) and another for signing server certificates ( host_ca). Keep them separate so that a compromise of the host‑signing key cannot be used to issue user logins, and vice versa. Guard the private halves carefully (passphrase, an isolated CA host, or an HSM): whoever holds user_ca can mint a login certificate for any principal on every server that trusts it.

# Generate CA key for signing user certificates
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/user_ca -C user_ca

Resulting files in ~/.ssh: user_ca (private key) user_ca.pub (public key)

# Generate CA key for signing server certificates
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/host_ca -C host_ca

Resulting files in ~/.ssh: host_ca (private key) host_ca.pub (public key)

Sign a Server Certificate

Distributions create host keys when OpenSSH is installed, so /etc/ssh/ssh_host_rsa_key is normally already present. If it is missing, generate it without a passphrase (sshd cannot load a passphrase‑protected host key):

$ sudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -b 4096 -t rsa -N ''

Copy the server's public key ( ssh_host_rsa_key.pub) to the CA host, then sign it. -h marks the result as a host certificate, -I sets the key identifier that appears in logs, -n lists the hostnames (principals) the certificate is valid for, and -V sets the validity period:

$ ssh-keygen -s host_ca -I host.example.com -h -n host.example.com -V +52w ssh_host_rsa_key.pub

This creates ssh_host_rsa_key-cert.pub, a server certificate valid for 52 weeks. Adding -z <serial> to the signing command gives the certificate a unique serial number, which is what a key revocation list refers to later. Verify the contents with:

$ ssh-keygen -L -f ssh_host_rsa_key-cert.pub

The certificate is public data, so its permissions are not security‑critical; what must stay at mode 0600 and root‑owned is the private host key. Restricting the certificate as well does no harm:

$ chmod 600 ssh_host_rsa_key-cert.pub

Sign a User Certificate

If the client lacks a key pair, generate one:

$ ssh-keygen -f ~/.ssh/user_key -b 4096 -t rsa

Upload user_key.pub to the CA host, then sign it. The -n value is the list of principals: sshd accepts the certificate only for a login name that appears in this list (here, the account named user), so set it to the Unix user names the holder may log in as:

$ ssh-keygen -s user_ca -I [email protected] -n user -V +1d user_key.pub

This produces user_key-cert.pub, a user certificate valid for one day. Short validity like this is the main advantage of certificates: an expired certificate is useless even if nobody ever revokes it. Verify with:

$ ssh-keygen -L -f user_key-cert.pub

Restrict permissions (the certificate itself is public; the private key user_key is the file that must be 0600):

$ chmod 600 user_key-cert.pub

Install the Server Certificate

Copy the server certificate to the SSH server, next to the host key it was issued for:

$ scp ~/.ssh/ssh_host_rsa_key-cert.pub [email protected]:/etc/ssh/

Then reference it in /etc/ssh/sshd_config, alongside the HostKey line for the matching private key:

HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

Check the configuration for errors with sshd -t (a broken sshd_config can lock you out), then restart the SSH daemon:

$ sudo systemctl restart sshd.service
# or
$ sudo service sshd restart

Trust the CA on the Server

Copy the CA's public key ( user_ca.pub) to the server and add it to sshd_config:

TrustedUserCAKeys /etc/ssh/user_ca.pub

This makes the server accept any user certificate signed by user_ca, provided the login name is listed in the certificate's principals and the certificate is within its validity period. Alternatively, trust the CA for a single account only by adding its public key to that user's ~/.ssh/authorized_keys with the cert-authority option (no leading @; the @ form is the known_hosts syntax):

cert-authority <contents of user_ca.pub>

Configure the Client

Place the user certificate ( user_key-cert.pub) alongside the private key ( user_key) on the client; ssh looks for a file named <key>-cert.pub next to the key it is using.

To trust server certificates, add the CA's public key ( host_ca.pub) to the client's known_hosts file (per user in ~/.ssh/known_hosts, or system‑wide in /etc/ssh/ssh_known_hosts) with the @cert-authority marker:

@cert-authority *.example.com ssh-rsa AAAAB3Nz...XNRM1EX2gQ==

The key type token and key material are exactly the contents of host_ca.pub (ssh-ed25519 ... for an ed25519 CA). The host pattern (e.g., *.example.com) limits which server names this CA may vouch for; a certificate for a hostname outside the pattern is rejected even though it is correctly signed.

Connecting with Certificates

$ ssh -i ~/.ssh/user_key [email protected]

The -i option points to the private key; if user_key-cert.pub resides in the same directory, SSH will automatically offer the certificate. The certificate can also be named explicitly with CertificateFile in ~/.ssh/config, and ssh -v shows which identity and certificate were offered.
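The whole procedure above, end to end, as an added example that is not part of the original article: it builds a throwaway pair of CAs in a temporary directory, signs a host certificate and a user certificate with serial numbers and certificate options, inspects them with ssh-keygen -L, and writes out the sshd_config and known_hosts lines the server and client would need. It uses ed25519 keys instead of RSA‑4096 (ssh-keygen -s works identically for both), and the hostname host.example.com, the principal alice and the 10.0.0.0/8 source restriction are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): build a throwaway SSH CA,
# sign a host certificate and a user certificate with serial numbers and
# certificate options, then inspect the result. host.example.com, alice and
# the 10.0.0.0/8 source restriction are assumptions made for this demo.
set -eu

command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two separate CAs: the key that signs user certificates never signs host
# certificates, and vice versa. ed25519 is used here instead of RSA-4096.
make_ca() {                      # make_ca <name>
    ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$WORK/$1"
}

# Sign a host key: -h marks a host certificate, -n lists the hostnames the
# certificate is valid for, -z gives it a serial number for later revocation.
sign_host() {                    # sign_host <serial> <hostname> <pubkey>
    ssh-keygen -q -s "$WORK/host_ca" -h -I "$2" -n "$2" -V +52w -z "$1" "$3"
}

# Sign a user key: -n lists the login names (principals) the certificate may
# be used for; -O adds restrictions that sshd enforces regardless of the
# account's own settings (clear all permissions, re-enable a pty, and only
# accept the certificate from the 10.0.0.0/8 network).
sign_user() {                    # sign_user <serial> <principal> <pubkey>
    ssh-keygen -q -s "$WORK/user_ca" -I "$2" -n "$2" -V +1d -z "$1" \
        -O clear -O permit-pty -O source-address=10.0.0.0/8 "$3"
}

# Pull one field out of `ssh-keygen -L` output, e.g. cert_field Serial cert.pub
cert_field() {                   # cert_field <field> <cert>
    ssh-keygen -L -f "$2" | sed -n "s/^ *$1: *//p"
}

make_ca user_ca
make_ca host_ca

# A host key (normally /etc/ssh/ssh_host_ed25519_key, created by the distro)
ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key"
sign_host 1 host.example.com "$WORK/ssh_host_ed25519_key.pub"

# A user key (normally ~/.ssh/id_ed25519 on the client)
ssh-keygen -q -t ed25519 -N '' -f "$WORK/alice_key"
sign_user 42 alice "$WORK/alice_key.pub"

# The trust configuration each side would need: sshd_config lines for the
# server, and a @cert-authority line for the client's known_hosts.
printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\nTrustedUserCAKeys /etc/ssh/user_ca.pub\n' \
    > "$WORK/sshd_config.snippet"
printf '@cert-authority *.example.com %s\n' "$(cat "$WORK/host_ca.pub")" \
    > "$WORK/known_hosts.snippet"

ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub"
ssh-keygen -L -f "$WORK/alice_key-cert.pub"
cat "$WORK/sshd_config.snippet" "$WORK/known_hosts.snippet"
```

Run it as a plain shell script; it needs only ssh-keygen. In production the CA private keys stay on the CA host, the signed *-cert.pub files are the only artifacts copied to servers and clients, and the -O source-address restriction is enforced by sshd even for accounts whose authorized_keys carry no restriction of their own.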

Revoking Certificates

Removing the @cert-authority line from the client's known_hosts file withdraws trust in the whole host CA, not in one server, so it is a last resort. To revoke a single server certificate, distribute a key revocation list (KRL, see below) to the clients and reference it with RevokedHostKeys in ssh_config, or simply let the short validity period expire and re‑issue the certificate under a new host key.

To revoke a user certificate, create a /etc/ssh/revoked_keys file on the server and reference it in sshd_config:

RevokedKeys /etc/ssh/revoked_keys

The file may be a plain list of public keys (one per line) or, more usefully, a binary Key Revocation List (KRL) generated with ssh-keygen -k. Revoking a public key rejects that key together with every certificate issued for it:

$ ssh-keygen -kf /etc/ssh/revoked_keys -z 1 ~/.ssh/user1_key.pub

Here -z sets the KRL version number, not a per‑key counter; bump it when you regenerate the list so that a newer copy can be told from an older one. To add further keys to an existing KRL, run the same command with -u. Certificates that were signed with a serial number (-z at signing time) can instead be revoked by serial without having the key at hand: pass the CA public key with -s and a specification file containing lines such as serial: 1 or id: user1. Check whether a given key or certificate is rejected with ssh-keygen -Q -f /etc/ssh/revoked_keys <file>. sshd consults the file at each authentication attempt, so changes take effect without a restart.
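A worked revocation, as an added example that is not from the original article: it issues two certificates from a throwaway user CA with serials 1 and 2, revokes serial 1 into a KRL, and uses ssh-keygen -Q to confirm that only that certificate is rejected, which is the same check sshd performs against RevokedKeys. The CA and user names are assumptions for the demo; on a real server the KRL would live at /etc/ssh/revoked_keys.

```shell
#!/bin/sh
# Added example (not from the original article): revoke one user certificate
# by serial number with a Key Revocation List (KRL) and confirm that only that
# certificate is rejected. CA and user names are assumptions for the demo.
set -eu

command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KRL="$WORK/revoked_keys"         # on the server this would be /etc/ssh/revoked_keys

# Minimal setup: one user CA and two certificates with distinct serials.
ssh-keygen -q -t ed25519 -N '' -f "$WORK/user_ca"
for n in 1 2; do
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/user$n"
    ssh-keygen -q -s "$WORK/user_ca" -I "user$n" -n "user$n" -V +1d -z "$n" "$WORK/user$n.pub"
done

# Revoke by serial. The CA public key (-s) is required so the KRL records
# which CA's serial space the number belongs to. The specification file
# accepts lines such as "serial: N", "id: key_id" or "key: public_key".
revoke_serial() {                # revoke_serial <serial>
    printf 'serial: %s\n' "$1" > "$WORK/spec"
    if [ -f "$KRL" ]; then
        ssh-keygen -k -u -f "$KRL" -s "$WORK/user_ca.pub" "$WORK/spec"   # update existing KRL
    else
        ssh-keygen -k -f "$KRL" -s "$WORK/user_ca.pub" "$WORK/spec"      # create a new KRL
    fi
}

# The question sshd asks at login: is this certificate listed in the KRL?
# ssh-keygen -Q exits 0 when nothing is revoked and non-zero otherwise;
# this helper returns 0 (true) when the certificate IS revoked.
is_revoked() {                   # is_revoked <cert>
    if ssh-keygen -Q -f "$KRL" "$1" >/dev/null; then return 1; else return 0; fi
}

revoke_serial 1
if is_revoked "$WORK/user1-cert.pub"; then echo "user1: revoked"; fi
if is_revoked "$WORK/user2-cert.pub"; then echo "user2: revoked"; else echo "user2: still valid"; fi
```

Copy the resulting KRL to /etc/ssh/revoked_keys on each server that trusts user_ca; since it revokes by serial, the servers never need to see the revoked user's public key, and the same file can be distributed to clients for RevokedHostKeys when host certificates carry serials too.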

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
