Advanced SSH Key Management - SSH CA

by Hexagon, , Updated: 3 minutes read ssh security developer-tips guide-to-ssh

Venture into advanced SSH key management concepts such as SSH Certificate Authority (CA) and learn how to set up and manage it manually.

Advanced: SSH Certificate Authority (CA)

Secure Shell Certificates offer a significant advantage over traditional SSH key pairs by streamlining the process of user and host authentication. At the heart of this system is the SSH Certificate Authority (CA), which manages the creation, issuance, and revocation of these certificates.


  • Centralized Authentication: Traditional SSH authentication requires copying every user's public key to every server. This becomes cumbersome as your infrastructure grows. With a CA, you only need to distribute the CA's public key, greatly simplifying the authentication process.

  • Revocation: In traditional setups, revoking access would mean searching for and removing a user's public key across multiple servers. With a CA, you can simply invalidate their certificate, ensuring they can't authenticate anymore.

  • Time-bound Certificates: You can specify an expiration date for the certificates. This is perfect for granting temporary access or ensuring that keys need to be periodically refreshed.

Think of the SSH Certificate Authority (CA) as a trusted third party, similar to how websites use Certificate Authorities to verify their identity. With SSH CA, instead of trusting individual keys, you trust the CA, and the CA vouches for individual user keys.

Steps to manually Set Up an SSH CA:

  1. Generate a CA key pair:

This is the first step where you generate the private and public keys for the CA. These keys are extremely critical, especially the private key, as it is used to sign user certificates.

ssh-keygen -f /path/to/ca_key
  1. Sign user keys:

Once you have the CA key pair, you can sign individual user public keys. The following command demonstrates how to sign a user's public key. The -I flag provides an identifier for the certificate, while the -n flag specifies the user or host names that the certificate is valid for.

ssh-keygen -s /path/to/ca_key -I user_identifier -n username,user2 /path/to/user/
  1. Install the CA public key on servers:

For servers to trust certificates signed by the CA, they need to be aware of the CA's public key. You can specify this by adding a configuration in the SSH daemon's configuration file.

Add to /etc/ssh/sshd_config:

TrustedUserCAKeys /path/to/
  1. Handle certificate revocation:

To revoke certificates, create a revoked-keys file and list the revoked key IDs. Update the SSH daemon's configuration to reference this file:

Add to /etc/ssh/sshd_config:

RevokedKeys /path/to/revoked-keys

To revoke a key, add its key ID to the revoked-keys file. This file should be periodically updated on all servers.

  1. Restart SSH:

After updating the SSH configuration, you need to restart the SSH service to apply the changes. The exact command might differ depending on your operating system, but on systems using systemd, the command is:

sudo systemctl restart sshd

Best Practices:

  • Secure the CA's private key: Given its power, it's imperative to keep the CA's private key secure. Consider encrypting it and storing it offline or using hardware security modules (HSMs).

  • Regularly Rotate Certificates: For added security, regularly rotate and refresh your certificates.

  • Monitor and Audit: Continuously monitor certificate creation, revocation, and authentication attempts to detect any suspicious activity.

Using step-ca for SSH CA

step-ca is a lightweight, open-source Certificate Authority (CA) in software form, developed by Smallstep. Designed to be easily deployable and manageable, it brings several advantages to the table, particularly for SSH certificate management.

Advantages of step-ca:

  • Easy Certificate Management: step-ca simplifies the issuance, renewal, and revocation processes. Its command-line tools and APIs allow for effortless certificate operations.

  • Automated Renewals: With step-ca, certificates can be automatically renewed, reducing the administrative overhead of manual renewals.

  • Interoperability: It supports multiple protocols including X.509 for HTTPS/TLS and SSH User & Host certificates. This broadens its application beyond just SSH environments.

  • Rich Documentation: Smallstep provides comprehensive documentation and tutorials for step-ca, ensuring users can make the most of its features.

  • Modern Security Practices: step-ca integrates contemporary security best practices out of the box. Its design ensures that even non-experts can deploy a secure CA.

For more information on its features, benefits, and setup guides, consider visiting the official step-ca GitHub repository and Smallstep's website.


While SSH keys simplify and secure your development workflow, it's essential to be mindful of best practices. If you choose the convenience of a key without a passphrase, ensure you take additional precautions. This includes limiting the key's use, regularly monitoring access, and maintaining backup access methods. Regularly updating and checking the keys you've authorized can help prevent unauthorized access. Additionally, be vigilant about where and how you store your private keys. When set up properly, SSH keys can be a powerful tool in your development and security arsenal.Always remember: security and convenience can co-exist, but careful management is crucial. Happy coding!

Distributing SSH Keys