14.3.5. Creating SSH Certificates

A certifcate is a signed public key. The user's and host's public keys must be copied to the CA server for signing by the CA server's private key.


Copying many keys to the CA to be signed can create confusion if they are not uniquely named. If the default name is always used then the latest key to be copied will overwrite the previously copied key, which may be an acceptable method for one administrator. In the example below the default name is used. In a production environment, consider using easily recognizable names. It is recommend to have a designated directory on the CA server owned by an administrative user for the keys to be copied into. Copying these keys to the root user's /etc/ssh/ directory is not recommend. In the examples below an account named admin with a directory named keys/ will be used.
Create an administrator account, in this example admin, and a directory to receive the user's keys. For example:
~]$ mkdir keys
Set the permissions to allow keys to be copied in:
~]$ chmod o+w keys
ls -la keys
total 8
drwxrwxrwx. 2 admin admin 4096 May 22 16:17 .
drwx------. 3 admin admin 4096 May 22 16:17 .. Creating SSH Certificates to Authenticate Hosts

The command to sign a host certificate has the following format:
ssh-keygen -s ca_host_key -I host_name -h ssh_host_rsa_key.pub
The host certificate will named ssh_host_rsa_key-cert.pub.

Procedure 14.4. Generating a Host Certificate

To authenticate a host to a user, a public key must be generated on the host, passed to the CA server, signed by the CA, and then passed back to be stored on the host to present to a user attempting to log into the host.
  1. Host keys are generated automatically on the system. To list them enter the following command:
    ~]# ls -l /etc/ssh/ssh_host*
    -rw-------. 1 root root  668 May  6 14:38 /etc/ssh/ssh_host_dsa_key
    -rw-r--r--. 1 root root  590 May  6 14:38 /etc/ssh/ssh_host_dsa_key.pub
    -rw-------. 1 root root  963 May  6 14:38 /etc/ssh/ssh_host_key
    -rw-r--r--. 1 root root  627 May  6 14:38 /etc/ssh/ssh_host_key.pub
    -rw-------. 1 root root 1679 May  6 14:38 /etc/ssh/ssh_host_rsa_key
    -rw-r--r--. 1 root root  382 May  6 14:38 /etc/ssh/ssh_host_rsa_key.pub
  2. Copy the chosen public key to the server designated as the CA. For example, from the host:
    ~]# scp /etc/ssh/ssh_host_rsa_key.pub admin@ca-server.example.com:~/keys/ssh_host_rsa_key.pub
    The authenticity of host 'ca-server.example.com (' can't be established.
    RSA key fingerprint is b0:e5:ea:b8:75:e2:f0:b1:fe:5b:07:39:7f:58:64:d9.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'ca-server.example.com,' (RSA) to the list of known hosts.
    admin@ca-server.example.com's password:
    ssh_host_rsa_key.pub                           100%  382     0.4KB/s   00:00
    Alternately, from the CA:
    ~]$ scp root@host_name.example.com:/etc/ssh/ssh_host_rsa_key.pub ~/keys/ssh_host_rsa_key.pub
  3. On the CA server, sign the host's public key. For example, as root:
    ~]# ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -Z host_name.example.com -V -1d:+54w /home/admin/keys/ssh_host_rsa_key.pub
    Enter passphrase:
    Signed host key /home/admin/keys/ssh_host_rsa_key-cert.pub: id "host_name" serial 0 for host_name.example.com valid from 2015-05-26T12:21:54 to 2016-06-08T12:21:54
    Where host_name is the host name of the system requiring the certificate.
  4. Copy the certificate to the host. For example, from the CA:
    ~]# scp /home/admin/keys/ssh_host_rsa_key-cert.pub root@host_name.example.com:/etc/ssh/
    root@host_name.example.com's password:
    ssh_host_rsa_key-cert.pub                      100% 1384     1.5KB/s   00:00
  5. Configure the host to present the certificate to a user's system when a user initiates the login process. As root, edit the /etc/ssh/sshd_config file as follows:
    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
  6. Restart sshd to make the changes take effect:
    ~]# service sshd restart
  7. On user's systems. remove keys belonging to hosts from the ~/.ssh/known_hosts file if the user has previously logged into the host configured above. When a user logs into the host they should no longer be presented with the warning about the hosts authenticity.
To test the host certificate, on a client system, ensure the client has set up the global /etc/ssh/known_hosts file, as described in Procedure 14.3, “Trusting the Host Signing Key”, and that the server's public key is not in the ~/.ssh/known_hosts file. Then attempt to log into the server over SSH as a remote user. You should not see a warning about the authenticity of the host. If required, add the -v option to the SSH command to see logging information.