SSH Keys and SSH Certificates compared

When determining your SSH authentication strategy, it is important that you understand the differences between SSH keysets and SSH certificates. Venafi believes that SSH certificates provide a superior experience for administrators and SSH users, in addition to providing better security for protecting your machine identities.

The table below compares several features of SSH keys and SSH certificates to show how SSH certificate authentication is both more secure and more user-friendly.

Comparison of SSH Keys and SSH Certificates

| Feature | SSH Keys | SSH Certificates |
| --- | --- | --- |
| Simplified management | Access must be managed manually on each host. The public key must be copied by hand to every server the client needs to log into, which makes scalability and accuracy more difficult. | All access is managed centrally in the SSH CA, which makes managing access between clients and hosts much faster and simpler. The approach scales and is less prone to mistakes, and it simplifies on-boarding and off-boarding of users. |
| Key/certificate expiration | Do not expire (higher risk). | Have a set expiration date (lower risk). |
| Confident authentication | On first connection to a host, the user is shown a warning asking whether they trust the host. This can make less-technical users nervous, wondering whether they have connected to the correct host. | Because the client's known_hosts file trusts the SSH CA, trust is established before the client connects for the first time, so users are not shown the warning and the connection is more seamless. In addition, multiple hosts can share the same principal without needing to share the same private key. |
| Digitally signed restrictions | Public keys and source addresses are stored in authorized_keys and sshd_config. These files are not signed and are managed manually, which can lead to mistakes, and they are not secure against any user who has access to their folder location. When adding a new user or server, you must manually update every host. | Access is managed entirely in the SSH CA. Certificates are digitally signed by the CA, reducing the opportunities for tampering. Restrictions are part of the signed certificate, so updating them only requires issuing a new certificate from the CA; no hosts or clients need to be updated. |
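The workflow the table describes, as an added example that is not Venafi's code: a throwaway SSH CA signs a user key with a principal, a one-hour validity window and signed restrictions, and two one-line trust anchors (TrustedUserCAKeys for hosts, a @cert-authority known_hosts line for clients) stand in for per-host authorized_keys entries. The CA name, the user "alice", the host pattern *.example.com and the 192.0.2.0/24 source range are constructed for the demo, and it assumes OpenSSH's ssh-keygen is installed.

```shell
#!/bin/sh
# Added example, not Venafi's code: a throwaway SSH CA signs a user key, and
# the decoded certificate shows the expiry, principal and restrictions the
# table talks about. Key names, "alice", *.example.com and 192.0.2.0/24 are
# all constructed for the demo; requires OpenSSH's ssh-keygen.
set -eu

# Create the CA key pair in directory $1. Only "ca" (private) signs;
# "ca.pub" is the single trust anchor handed to hosts and clients.
make_demo_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$1/ca"
}

# Generate an ordinary user key pair and have the CA sign it. Identity,
# principal, validity window and restrictions are signed into the cert,
# so nothing about alice has to be placed in each host's authorized_keys.
# Prints the path of the resulting certificate.
sign_user_key() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'alice@example' -f "$dir/alice"
    ssh-keygen -q -s "$dir/ca" -I 'alice-demo-2024' -n alice -V +1h \
        -O clear -O permit-pty -O source-address=192.0.2.0/24 \
        "$dir/alice.pub"                 # writes $dir/alice-cert.pub
    echo "$dir/alice-cert.pub"
}

# True when the decoded certificate (ssh-keygen -L) contains the given text.
cert_has() {
    ssh-keygen -L -f "$1" | grep -q -- "$2"
}

# The two one-line trust anchors that replace per-user key copying: the
# sshd_config directive for hosts and the known_hosts line for clients.
trust_fragments() {
    printf 'TrustedUserCAKeys /etc/ssh/ca.pub\n'
    printf '@cert-authority *.example.com %s\n' "$(cat "$1/ca.pub")"
}

# Full walk-through: run as "sh ssh_ca_demo.sh demo".
demo() {
    work=$(mktemp -d)
    make_demo_ca "$work"
    cert=$(sign_user_key "$work")
    ssh-keygen -L -f "$cert"      # Key ID, Valid window, Principals, options
    trust_fragments "$work"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Because the source address, principal and permitted extensions are inside the signature, changing any of them means issuing a new certificate rather than editing files on every host.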