14.3.5. Creating SSH Certificates

A certifcate is a signed public key. The user's and host's public keys must be copied to the CA server for signing by the CA server's private key.


Copying many keys to the CA to be signed can create confusion if they are not uniquely named. If the default name is always used then the latest key to be copied will overwrite the previously copied key, which may be an acceptable method for one administrator. In the example below the default name is used. In a production environment, consider using easily recognizable names. It is recommend to have a designated directory on the CA server owned by an administrative user for the keys to be copied into. Copying these keys to the root user's /etc/ssh/ directory is not recommend. In the examples below an account named admin with a directory named keys/ will be used.
Create an administrator account, in this example admin, and a directory to receive the user's keys. For example:
~]$ mkdir keys
Set the permissions to allow keys to be copied in:
~]$ chmod o+w keys
ls -la keys
total 8
drwxrwxrwx. 2 admin admin 4096 May 22 16:17 .
drwx------. 3 admin admin 4096 May 22 16:17 .. Creating SSH Certificates to Authenticate Hosts

The command to sign a host certificate has the following format:
ssh-keygen -s ca_host_key -I host_name -h ssh_host_rsa_key.pub
The host certificate will named ssh_host_rsa_key-cert.pub.

Procedure 14.4. Generating a Host Certificate

To authenticate a host to a user, a public key must be generated on the host, passed to the CA server, signed by the CA, and then passed back to be stored on the host to present to a user attempting to log into the host.
  1. Host keys are generated automatically on the system. To list them enter the following command:
    ~]# ls -l /etc/ssh/ssh_host*
    -rw-------. 1 root root  668 May  6 14:38 /etc/ssh/ssh_host_dsa_key
    -rw-r--r--. 1 root root  590 May  6 14:38 /etc/ssh/ssh_host_dsa_key.pub
    -rw-------. 1 root root  963 May  6 14:38 /etc/ssh/ssh_host_key
    -rw-r--r--. 1 root root  627 May  6 14:38 /etc/ssh/ssh_host_key.pub
    -rw-------. 1 root root 1679 May  6 14:38 /etc/ssh/ssh_host_rsa_key
    -rw-r--r--. 1 root root  382 May  6 14:38 /etc/ssh/ssh_host_rsa_key.pub
  2. Copy the chosen public key to the server designated as the CA. For example, from the host:
    ~]# scp /etc/ssh/ssh_host_rsa_key.pub admin@ca-server.example.com:~/keys/ssh_host_rsa_key.pub
    The authenticity of host 'ca-server.example.com (' can't be established.
    RSA key fingerprint is b0:e5:ea:b8:75:e2:f0:b1:fe:5b:07:39:7f:58:64:d9.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'ca-server.example.com,' (RSA) to the list of known hosts.
    admin@ca-server.example.com's password:
    ssh_host_rsa_key.pub                           100%  382     0.4KB/s   00:00
    Alternately, from the CA:
    ~]$ scp root@host_name.example.com:/etc/ssh/ssh_host_rsa_key.pub ~/keys/ssh_host_rsa_key.pub
  3. On the CA server, sign the host's public key. For example, as root:
    ~]# ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -Z host_name.example.com -V -1d:+54w /home/admin/keys/ssh_host_rsa_key.pub
    Enter passphrase:
    Signed host key /home/admin/keys/ssh_host_rsa_key-cert.pub: id "host_name" serial 0 for host_name.example.com valid from 2015-05-26T12:21:54 to 2016-06-08T12:21:54
    Where host_name is the host name of the system requiring the certificate.
  4. Copy the certificate to the host. For example, from the CA:
    ~]# scp /home/admin/keys/ssh_host_rsa_key-cert.pub root@host_name.example.com:/etc/ssh/
    root@host_name.example.com's password:
    ssh_host_rsa_key-cert.pub                      100% 1384     1.5KB/s   00:00
  5. Configure the host to present the certificate to a user's system when a user initiates the login process. As root, edit the /etc/ssh/sshd_config file as follows:
    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
  6. Restart sshd to make the changes take effect:
    ~]# service sshd restart
  7. On user's systems. remove keys belonging to hosts from the ~/.ssh/known_hosts file if the user has previously logged into the host configured above. When a user logs into the host they should no longer be presented with the warning about the hosts authenticity.
To test the host certificate, on a client system, ensure the client has set up the global /etc/ssh/known_hosts file, as described in Procedure 14.3, “Trusting the Host Signing Key”, and that the server's public key is not in the ~/.ssh/known_hosts file. Then attempt to log into the server over SSH as a remote user. You should not see a warning about the authenticity of the host. If required, add the -v option to the SSH command to see logging information. Creating SSH Certificates for Authenticating Users

To sign a user's certificate, use a command in the following format:
ssh-keygen -s ca_user_key -I user_name -Z user_name -V -start:+end id_rsa.pub
The resulting certificate will be named id_rsa-cert.pub.
The default behavior of OpenSSH is that a user is allowed to log in as a remote user if one of the principals specified in the certificate matches the remote user's name. This can be adjusted in the following ways:
  • Add more user's names to the certificate during the signing process using the -Z option:
    -Z "name1[,name2,...]"
  • On the user's system, add the public key of the CA in the ~/.ssh/authorized_keys file using the cert-authority directive and list the principals names as follows:
    ~]# vi ~/.ssh/authorized_keys
    # A CA key, accepted for any host in *.example.com
    @cert-authority principals="name1,name2" *.example.com ssh-rsa AAAAB5Wm.
  • On the server, create an AuthorizedPrincipalsFile file, either per user or glabally, and add the principles' names to the file for those users allowed to log in. Then in the /etc/ssh/sshd_config file, specify the file using the AuthorizedPrincipalsFile directive.

Procedure 14.5. Generating a User Certificate

To authenticate a user to a remote host, a public key must be generated by the user, passed to the CA server, signed by the CA, and then passed back to be stored by the user for use when logging in to a host.
  1. On client systems, login as the user who requires the certificate. Check for available keys as follows:
    ~]$ ls -l ~/.ssh/
    If no suitable public key exists, generate one and set the directory permissions if the directory is not the default directory. For example, enter the following command:
    ~]$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user1/.ssh/id_rsa):
    Created directory '/home/user1/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user1/.ssh/id_rsa.
    Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
    The key fingerprint is:
    b1:f8:26:a7:46:87:c3:60:54:a3:6d:85:0d:60:fe:ce user1@host1.example.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |    oo++.        |
    |   o.o.o.        |
    |   .o o .        |
    |    oo . o       |
    |   . oo.S        |
    |     o=..        |
    |     .Eo+        |
    |      .=         |
    |     ..          |
    By default the directory permissions for a user's keys are drwx------., or octal 0700. If required, confirm the permissions are correct:
    ~]$ ls -la ~/.ssh
    total 16
    drwx------. 2 user1 user1 4096 May  7 12:37 .
    drwx------. 3 user1 user1 4096 May  7 12:37 ..
    -rw-------. 1 user1 user1 1679 May  7 12:37 id_rsa
    -rw-r--r--. 1 user1 user1  421 May  7 12:37 id_rsa.pub
    See Section 14.2.4, “Using Key-Based Authentication” for more examples of key generation and for instructions on setting the correct directory permissions.
  2. The chosen public key must be copied to the server designated as the CA, in order to be signed. The secure copy command can be used to do this, the command has the following format:
    scp ~/.ssh/id_protocol.pub admin@ca_server.example.com:~/keys/
    Where protocol is the part of the file name indicating the protocol used to generate the key, for example rsa, admin is an account on the CA server, and /keys/ is a directory setup to receive the keys to be signed.
    Copy the chosen public key to the server designated as the CA. For example:
    ~]$ scp ~/.ssh/id_rsa.pub admin@ca-server.example.com:~/keys/
    admin@ca-server.example.com's password:
    id_rsa.pub                                  100%  421     0.4KB/s   00:00
    If you have configured the client system to trust the host signing key as described in Procedure 14.3, “Trusting the Host Signing Key” then you should not see a warning about the authenticity of the remote host.
  3. On the CA server, sign the user's public key. For example, as root:
    ~]# ssh-keygen -s ~/.ssh/ca_user_key -I user1 -Z user1 -V -1d:+54w /home/admin/keys/id_rsa.pub
    Enter passphrase:
    Signed user key /home/admin/keys/id_rsa-cert.pub: id "user1" serial 0 for host_name.example.com valid from 2015-05-21T16:43:17 to 2016-06-03T16:43:17
  4. Copy the resulting certificate to the user's ~/.ssh/ directory on their system. For example:
    ~]# scp /home/admin/keys/id_rsa-cert.pub user1@host_name.example.com:~/.ssh/
    user1@host_name.example.com's password:
    id_rsa-cert.pub                             100%  1498    1.5KB/s   00:00
  5. If using the standard file names and location then no further configuration is required as the SSH daemon will search for user certificates ending in -cert.pub and use them automatically if it finds them. Note that the default location and file names for for SSH version 2 keys are: ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa as explained in the ssh_config(5) manual page. If you use these locations and naming conventions then there is no need for editing the configuration files to enable sshd to present the certificate. They will be used automatically when logging in to a remote system. In this is the case then skip to step 6.
    If required to use a non-default directory or file naming convention, then as root, add the following line to the /etc/ssh/ssh_config or ~/.ssh/config files:
    IdentityFile ~/path/key_file
    Note that this must be the private key name, do not had .pub or -cert.pub. Ensure the file permission are correct. For example:
    ~]$ ls -la ~/.ssh/config
    -rw-rw-r--. 1 user1 user1 36 May 27 21:49 /home/user1/.ssh/config
    chmod 700 ~/.ssh/config
    ~]$ ls -la ~/.ssh/config
    -rwx------. 1 user1 user1 36 May 27 21:49 /home/user1/.ssh/config
    This will enable the user of this system to be authenticated by a user certificate when logging into a remote system configured to trust the CA user certificate signing key.
  6. To test the user certificate, attempt to log into a server over SSH from the user's account. You should do this as the user listed as a principle in the certificate, if any are specified. You should not be prompted for a password. If required, add the -v option to the SSH command to see logging information.