What are SSH Certificates?

SSH Certificates are a superior alternative to the traditional private/public SSH keys. By default, Linux systems support SSH certificates. This endpoint allows a CA to issue an SSH Certificate with an expiration date. Then, your local CA signs the client's public key.

The SSH certificate has the OpenSSH certificate format; it is not a X.509 certificate. This endpoint requests Client or Host certificates for SSH access. In this section, the term "client" refers to a person or application performing SSH operations. The "host" refers to the target machine.

In cases when you are not able to securely generate private keys, SSH Protect can generate and issue the corresponding SSH certificate. Otherwise, the client or host can only send the public key for signing.

• Client certificates: Authenticate and prove their identity to target machines. In many cases when human users need SSH access, they use short-lived certificates. These certificates expire in a short period of time, such as hours.

• Host certificates: Identify hosts to clients. Such certificates contain a Fully Qualified Domain name (FQDN) or IP address of the host.