Certificates
ssh-keygen supports signing of keys to produce
certificates that may be used for user or host authentication. Certificates
consist of a public key, some identity information, zero or more principal
(user or host) names and a set of options that are signed by a Certification
Authority (CA) key. Clients or servers may then trust only the CA
key and verify its signature on a certificate rather than trusting
many user/host keys.
Note: OpenSSH certificates are a different, and
much simpler, format to the X.509 certificates used in SSL / TLS.
Unlike individual user/host keys, which may be stored in a SAF key
ring, SSH certificates may not be stored in SAF key ring.
ssh-keygen supports two types of certificates:
user and host. User certificates authenticate users to servers, whereas
host certificates authenticate server hosts to users. To generate
a user certificate, do the following:
ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub/path/to/user_key-cert.pub.
A host certificate requires the -h option: ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub/path/to/host_key-cert.pub.In all cases, key_id is a "key identifier" that is logged by the server when the certificate is used for authentication.
Certificates may be limited to be valid for a set of principal
(user/host) names. By default, generated certificates are valid for
all users or hosts. To generate a certificate for a specified set
of principals:
ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pubFinally, certificates may be defined with a validity lifetime. The -V option allows specification of certificate start and end times. A certificate that is presented at a time outside this range will not be considered valid. By default, certificates are valid from UNIX Epoch to the distant future.
For certificates to be used for user or host authentication, the CA public key must be trusted by sshd or ssh.