Configuring your clients to trust the Venafi SSH CA

Your SSH Certificate setup is not complete until you have configured your client machines so they can connect to servers. Client machines must be configured to trust the public key of your SSH CA. Once configured, clients will recognize your servers, which present host certificates issued by your CA.

To configure a client device to trust your SSH CA (for host authentication)

  1. Retrieve the CA public key using the SDK (See POST SSHCertificates/Request).

  2. On the client machine, add the CA's public key to either of the following locations:

    • the individual user's ~/.ssh/known_hosts file.

    • the global /etc/ssh/ssh_known_hosts file.

  3. When adding the CA's public key, use the following format:

    @cert-authority [destination server address] [CA public key material] [Comment]

    For example (the entry is a single line in the known_hosts file; it is wrapped here only for display):

    Sample key format

    @cert-authority *.tpp.venafi.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIa2xdwLSeLajxniUXgufueAfal/X/e1TrXsrTYEaff4YoqDzj+qPtuZG4ueNJrKJbaZeImblfV2WKsM1E2NkfmXVv8mKlmMxloQS3cuUmQKilk/DBW/31rgV5zAKmas29HJGdubFVdvvV7dAewndGzadPBHnJcs1bG0Ye7rRAl0UaEEv8+Le5ONoxqv5oDX3/MqaomqTKxqQu5y19wigwaiNE/z2PwgWeuFlDkgvOo7iMdynsBGXeEVPaulZ/F1ruh8oFRoVx6EQxGYgtQaZ1pSRSnbaC8UR+PjTlbZgD/GJ0Q6+YTm6pvy/oZmT5ndv3foq8O+kkdgppXmLPQ9Oh Production - DMZ - Web Servers

Remember: because you are using SSH certificate authentication, and because trust between the host/client devices and the SSH CA is already established, you won't see the Trust On First Use (TOFU) warning.
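The steps above can be scripted. The following POSIX shell functions are an added example, not Venafi's own tooling: they build the @cert-authority line from a host pattern, key type and key material, reject key material that has been wrapped across lines (the most common paste error with this format) and append the line to a known_hosts file only if that CA is not already trusted for that pattern. The file path, host pattern and key material used in the comments are assumptions; the CA key is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Venafi's own code). Manages "@cert-authority" entries in
# a known_hosts file. Any key material shown in comments is a placeholder.

# make_cert_authority_line HOST_PATTERN KEY_TYPE KEY_MATERIAL [COMMENT]
# Prints one known_hosts line in the format documented above.
make_cert_authority_line() {
    pattern=$1; keytype=$2; material=$3; comment=$4
    # A known_hosts entry is a single line: key material that was wrapped by a
    # copy/paste or a document export will never match, so reject whitespace.
    case "$material" in
        *[[:space:]]*) echo "key material contains whitespace" >&2; return 1 ;;
    esac
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $keytype" >&2; return 1 ;;
    esac
    printf '@cert-authority %s %s %s%s\n' "$pattern" "$keytype" "$material" "${comment:+ $comment}"
}

# add_cert_authority FILE HOST_PATTERN KEY_TYPE KEY_MATERIAL [COMMENT]
# Appends the entry unless the same pattern + CA key is already present
# (the comment is ignored when comparing, so re-runs never duplicate a trust
# anchor). FILE is e.g. ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts.
add_cert_authority() {
    file=$1; shift
    line=$(make_cert_authority_line "$@") || return 1
    key_fields=$(printf '%s\n' "$line" | cut -d' ' -f1-4)
    if [ -f "$file" ] && cut -d' ' -f1-4 "$file" | grep -qxF "$key_fields"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_cert_authorities FILE -> number of @cert-authority entries in FILE
count_cert_authorities() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^@cert-authority ' "$1" || true
}
```

Run it as, for instance, `add_cert_authority ~/.ssh/known_hosts '*.tpp.venafi.com' ssh-rsa "$CA_KEY" 'Production - DMZ - Web Servers'` after retrieving `$CA_KEY` via the SDK; a second run with the same key is a no-op.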

What's next

Now that you have configured your host and client devices to use and trust the SSH CA, setup is complete. You are ready to start authenticating using SSH certificates.

The SSH Protect user interface (e.g. https://domain.example/aperture/ssh-protect) does not support issuing SSH Certificates. These are issued using the WebSDK. Please see the following topics for additional information: