Skip to content. | Skip to navigation

Navigation

You are here: Home / Support / Guides / Tools / ssh and PKI / Host Certificates

Personal tools

ssh and PKI

Using Public Key Authentication for ssh connections

Host Certificates

Creating the Host CA

Remember, the CA is the root of your trust hierarchy so you want to keep it (the private part) safe. Where in your network you manipulate and store these keys depends on who has access to the host and its backups.

Again, this example uses a subdirectory of /etc/ssh as the storage directory. YMMV.

cd /etc/ssh
mkdir -p CAs/hosts
cd CAs/hosts
ssh-keygen -f host_ca

We haven't done anything special here, just generated a regular SSH key pair in a subdirectory.

Signing Host Keys

  1. Retrieve the signee host's RSA pub key:

    scp root@signee-host.example.com:/etc/ssh/ssh_host_rsa_key.pub .
    
  2. Sign the key we've just retrieved with our host_ca key, above:

    ssh-keygen -s host_ca -I "Signee host key Identification String" -h -n signee-host.example.com -V +52w ssh_host_rsa_key.pub
    

    Here, we've passed a few more interesting flags:

    • -s key - we are signing with key
    • -I string - some human-readable identification string
    • -h - this is a host key
    • -n name[,name] - the principals name (s) that this certificate is valid for. Without this (see note below) a certificate is valid from any host (name). Some versions of OpenSSH may use -Z name[,name] instead.
    • -V duration - a duration for the validity of the signature, in this case 52 weeks from now (see ssh_config(5) for TIME FORMATS details, we could have given an explicit YYYYMMDD, for example (though see note below))

    and we'll get back a different SSH filename, ssh_host_rsa_key-cert.pub.

  3. Display the contents of the certificate:

    ssh-keygen -L -f ssh_host_rsa_key-cert.pub
    
  4. Copy the new signed key back:

    scp ssh_host_rsa_key-cert.pub root@signee-host.example.com:/etc/ssh
    
  5. On the signee host, configure sshd to present the signed key:

    1. edit the config file:

      vi /etc/ssh/sshd_config
      

      Edit or add the line:

      HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
      
    2. restart sshd:

      service sshd restart
      

      or:

      systemctl restart sshd
      

      depending on your poison.

  6. Rinse and repeat for all your hosts.

Obviously, you can create multiple host CAs and use different signature validity durations depending on your categories of hosts: infrastructure servers, ephemeral hosts etc..

Trusting the CA

So the remote host is now presenting a signed certificate, we now have to have the users trust it.

Each user needs to edit their known_hosts files and add the following:

@cert-authority *.example.com ssh-rsa AAAA...

Where have have included the optional host specific qualifier and AAAA... is the contents of the CA host_ca.pub file we generated at the start.

Warning

There is a complication in that the hostname matching is all too literal. If you would normally type ssh foo rather than ssh foo.example.com (or ssh IP) for hosts within your domain then neither the certificate's principals name nor the known_hosts statement will match.

You will need to modify the principals to include all the nicknames you would normally use to access the host, e.g.

ssh-keygen -s ... -n foo.example.com,foo,IP1,IP2 ...

You will need to include * (the match-all wildcard) either as another comma-separated hostname or, arguably for clarity, on a line on its own in known_hosts:

@cert-authority * ssh-rsa AAAA...

Note

Officially the SSH Certificates code was released in OpenSSH 5.4 however Redhat/CentOS' openssh-5.3p1 contains an almost complete version. In particular, -V duration doesn't accept the same options and -n name is replaced with -Z name[,name]. Without the principals option the certificates are valid from any (named) host. ie. if such a host was compromised then its certificate could be used from any other.

Document Actions