Master SSH Certificate Authentication: A Step‑by‑Step Secure Login Guide

This article explains why traditional password and key logins are vulnerable, introduces SSH certificate authentication using a Certificate Authority, and provides detailed commands and procedures for generating CA keys, issuing server and user certificates, configuring both server and client, and revoking certificates when needed.


SSH is a server login tool that supports password, key, and certificate authentication. Certificate login addresses the drawbacks of password and key methods by introducing a Certificate Authority (CA) that issues trusted certificates to servers and users.

1. Drawbacks of Non‑Certificate Logins

Password login requires entering the server password, which is inconvenient and exposed to brute‑force attacks. Key login requires storing each user's public key on every server and managing those files, which becomes cumbersome in large environments.

2. What Is Certificate Login?

Certificate login uses a CA to issue server and user certificates, eliminating the need to exchange public keys beforehand. Users and servers exchange certificates and verify trust, gaining easier management, scalability, and the ability to set expiration dates.

3. Certificate Login Workflow

The process involves the user sending their certificate to the server, the server validating it, the server sending its certificate to the user, the user validating it, and finally establishing a trusted connection.

4. Generating CA Keys

A CA requires a pair of keys. It is recommended to use separate key pairs for signing user certificates (user_ca) and server certificates (host_ca).

# Generate CA key for signing user certificates
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/user_ca -C user_ca
# Generate CA key for signing server certificates
$ ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca

5. CA Issues Server Certificate

Generate the server's host key if it does not exist, then sign it with the host_ca key.

# Generate the server's host key pair (only if the server does not already have one)
$ sudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -b 4096 -t rsa
# Sign the host public key with host_ca (run on the machine holding host_ca):
#   -s host_ca  signing CA key      -I  certificate key ID (shown in logs)
#   -h          host certificate    -n  principal (the host name clients connect to)
#   -V +52w     valid for 52 weeks from now
$ ssh-keygen -s host_ca -I host.example.com -h -n host.example.com -V +52w ssh_host_rsa_key.pub

View the certificate details:

# -L prints the certificate fields (type, key ID, principals, validity, extensions)
$ ssh-keygen -L -f ssh_host_rsa_key-cert.pub
$ chmod 600 ssh_host_rsa_key-cert.pub

6. CA Issues User Certificate

Generate a user key pair if needed, then sign the public key with user_ca.

# Generate the user's key pair (only if the user does not already have one)
$ ssh-keygen -f ~/.ssh/user_key -b 4096 -t rsa
# Sign the user public key with user_ca:
#   -I  key ID recorded in the certificate and in sshd's auth logs
#   -n  principal(s) the holder may log in as (comma-separated list)
#   -V +1d  short lifetime: the certificate expires one day after issuance
$ ssh-keygen -s user_ca -I [email protected] -n user -V +1d user_key.pub

View the user certificate and set permissions:

$ ssh-keygen -L -f user_key-cert.pub
$ chmod 600 user_key-cert.pub

7. Install Server Certificate

Copy the server certificate to the server and configure sshd.

$ scp ~/.ssh/ssh_host_rsa_key-cert.pub [email protected]:/etc/ssh/
# Add to /etc/ssh/sshd_config on the server (next to the matching HostKey line):
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
$ sudo systemctl restart sshd

8. Install CA Public Key on Server

Copy the user_ca public key to the server and trust it.

$ scp ~/.ssh/user_ca.pub [email protected]:/etc/ssh/
# Add to /etc/ssh/sshd_config on the server, then restart sshd:
TrustedUserCAKeys /etc/ssh/user_ca.pub

9. Install Client Certificate

Copy the user certificate to the client, placing it alongside the user's private key.

10. Install CA Public Key on Client

Add the host_ca public key to the client's known hosts.

# Line in ~/.ssh/known_hosts (or /etc/ssh/ssh_known_hosts); the key is host_ca.pub
@cert-authority *.example.com ssh-rsa AAAAB3Nz...XNRM1EX2gQ==

11. Revoke Certificates

To revoke a server certificate, edit the known_hosts file. To revoke a user certificate, create /etc/ssh/revoked_keys and reference it in sshd_config.

# Add to /etc/ssh/sshd_config on the server:
RevokedKeys /etc/ssh/revoked_keys
# Build a key revocation list (KRL): -k creates the KRL, -z sets its version number,
# and the listed public key (or certificate) is rejected by sshd from then on
$ ssh-keygen -kf /etc/ssh/revoked_keys -z 1 ~/.ssh/user1_key.pub
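The server-side validation from the workflow in section 3 and the revocation check from section 11, shown as an added example that is not part of the original article: it decodes the ssh-rsa-cert-v01@openssh.com wire format (nonce, public key, serial, type, key ID, principals, validity window) and applies the principal, validity and revoked-serial checks. The certificate blob is constructed in the code with a dummy key and signature, so signature verification against the CA key is deliberately not shown.

```python
import struct

def _s(b):
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_cert(key_id, principals, serial, valid_after, valid_before):
    """Constructed ssh-rsa-cert-v01@openssh.com blob with dummy key and signature."""
    name_list = b"".join(_s(p.encode()) for p in principals)
    return (_s(b"ssh-rsa-cert-v01@openssh.com")
            + _s(b"\x00" * 32)                      # nonce
            + _s(b"\x01\x00\x01") + _s(b"\x00" * 16)  # RSA e and n (dummy values)
            + struct.pack(">Q", serial)
            + struct.pack(">I", 1)                   # type 1 = user certificate, 2 = host
            + _s(key_id.encode()) + _s(name_list)
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _s(b"") + _s(b"") + _s(b"")            # critical options, extensions, reserved
            + _s(b"dummy-ca-key") + _s(b"dummy-signature"))

def _read(buf, pos):
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_cert(blob):
    """Decode the fields sshd inspects before accepting a user certificate."""
    c, pos = {}, 0
    c["type"], pos = _read(blob, pos)
    _, pos = _read(blob, pos)                          # nonce
    _, pos = _read(blob, pos)                          # e
    _, pos = _read(blob, pos)                          # n
    c["serial"] = struct.unpack_from(">Q", blob, pos)[0]; pos += 8
    c["cert_type"] = struct.unpack_from(">I", blob, pos)[0]; pos += 4
    kid, pos = _read(blob, pos); c["key_id"] = kid.decode()
    plist, pos = _read(blob, pos)
    names, p = [], 0
    while p < len(plist):                              # principals: packed list of strings
        name, p = _read(plist, p); names.append(name.decode())
    c["principals"] = names
    c["valid_after"] = struct.unpack_from(">Q", blob, pos)[0]; pos += 8
    c["valid_before"] = struct.unpack_from(">Q", blob, pos)[0]
    return c

def check_cert(blob, login_user, now, revoked_serials=frozenset()):
    """Return 'accept' or a reject reason, mirroring the order of sshd's checks."""
    c = parse_cert(blob)
    if c["cert_type"] != 1: return "reject: not a user certificate"
    if c["serial"] in revoked_serials: return "reject: serial revoked"
    if not (c["valid_after"] <= now < c["valid_before"]): return "reject: outside validity window"
    if login_user not in c["principals"]: return "reject: principal not listed"
    return "accept"
```

The `-n` principal list and `-V` window from section 6 are exactly what `parse_cert` recovers, and a KRL entry (section 11) corresponds to the `revoked_serials` check.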


Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.