OpenSSH Certificate¶

An OpenSSH Certificate is a specialized mechanism used to authenticate users or hosts, designed to mitigate the operational overhead associated with traditional public key management.^[600-developer__tools__security__certificate.md]

Composition¶

Unlike a standard public key, an OpenSSH Certificate consists of the public key combined with specific metadata.^[600-developer__tools__security__certificate.md] This metadata includes a unique serial number, the certificate's validity period, the identity of the signing Certificate Authority (CA), and the registered principal (user or host).^[600-developer__tools__security__certificate.md]

Advantages over Public Keys¶

While traditional public key authentication requires administrators to manually trust and install individual public keys on every target server—a process that becomes unmanageable at scale—OpenSSH Certificates utilize a centralized trust model.^[600-developer__tools__security__certificate.md] In this model, servers only need to trust the public key of a single CA, allowing them to verify certificates signed by that authority without storing individual user keys.^[600-developer__tools__security__certificate.md]

Sources¶

^[600-developer__tools__security__certificate.md]