Using SSH Certificates Instead of SSH Keys

Alexa Cardenas
Fri, 09/16/2022 – 08:00

But many organizations are still unsure about the benefits of switching from SSH keys. Below are just a few of the main advantages of using SSH certificates in your organization.

What are the challenges of SSH keys?

SSH certificates offer a fantastic method to solve some of the pain points faced by growing teams and growing infrastructure.

Key sprawl

Many of these challenges stem from SSH key sprawl, a problem made worse by the fact that SSH keys never expire: they accumulate over time and become difficult to locate and manage. Unlike keys, SSH certificates are digitally signed objects that carry metadata such as the username or hostname, restrictions, and an end date. That metadata helps avoid many of the challenges and risks of traditional SSH keys, because usage can be tracked and, like TLS certificates, they expire automatically, which lets you manage your risk exposure more effectively.

Trust on first use

When an SSH connection to a host is first established, the server sends its host public key to identify itself, and the user simply assumes that the connection is trusted. This authentication process is called “trust on first use”. If the host’s IP, name, or public key later changes, the user should no longer trust the connection and will see a warning. Since IP addresses and hostnames are reused many times in a cloud environment, users learn to ignore these warnings, and when the connection is in fact not secure, an ignored warning opens the door for attackers.

The advantages of using SSH certificates

Like traditional SSH keys, SSH certificates can be cryptographically verified and are exchanged between client and host during the SSH handshake.

SSH user certificates identify clients (in most cases users or applications) to servers, and SSH host certificates identify servers to clients. Like the Subject Alternative Name UPN/DNS entries of X.509 certificates, SSH certificates have a principals field that holds the identity of whoever is using the certificate.

Enforcing policies for validity period and revocation

One big advantage of SSH certificates is the validity period. They are valid for a specific period, and after that they are no longer trusted. The validity period can be days, hours, even minutes. Anyone who’s dealt with the damaging effects of SSH key sprawl can imagine the range of benefits of automatic expiry. Reduced key sprawl, preventing keys from being shared or compromised, enforcing SSH rotation policies, and helping prevent failed SSH audits are just some of the benefits that come from using SSH certificates.

An additional benefit of automatic expiry comes into play when an employee loses access (e.g., they leave the company): their existing certificate expires, and they cannot obtain a new one. This passive revocation is also a big advantage when a private SSH key is compromised. If a laptop is lost or stolen, a short-lived SSH certificate is worthless for accessing internal infrastructure.
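Here is an added example (not from the original post) that walks through what the sections above describe using stock OpenSSH tooling: a user certificate carrying principals and a short validity window, and a host certificate plus the `@cert-authority` known_hosts line that replaces trust on first use. The CA names, user name, hostname, serial and paths are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): mint short-lived SSH
# certificates with stock ssh-keygen and inspect the fields the article
# describes. All names and paths are constructed for this demo; nothing
# here touches ~/.ssh or a live server.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo 'ssh-keygen not found, nothing to demo' >&2; exit 0; }
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. User CA. Servers trust its public half via sshd_config:
#      TrustedUserCAKeys /etc/ssh/user_ca.pub
ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$WORK/user_ca"

# 2. Alice's ordinary key pair; only alice.pub is handed to the CA.
ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"

# 3. Sign it. -I is the key ID that appears in sshd's auth logs, -n the
#    principals (login names) it may use, -V the validity window: from
#    5 minutes ago (clock skew) to 8 hours from now. Output: alice-cert.pub
ssh-keygen -q -s "$WORK/user_ca" -I 'alice@example.com' -n 'alice,deploy' \
    -V '-5m:+8h' -z 1001 "$WORK/alice.pub"

# 4. Host side, replacing trust on first use: a separate host CA signs the
#    server's host key (-h), and clients trust every *.example.com host
#    presenting such a certificate through one @cert-authority line.
ssh-keygen -q -t ed25519 -N '' -C 'demo-host-ca' -f "$WORK/host_ca"
ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key"
ssh-keygen -q -s "$WORK/host_ca" -I 'web01.example.com' -h \
    -n 'web01.example.com,10.0.0.5' -V '+52w' "$WORK/ssh_host_ed25519_key.pub"
printf '@cert-authority *.example.com %s\n' "$(cat "$WORK/host_ca.pub")" \
    > "$WORK/known_hosts"

# Read one labelled field (Type, Serial, Key ID, Valid, ...) from ssh-keygen -L.
cert_field() {            # usage: cert_field <cert.pub> <label>
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Succeed only if the certificate lists the given principal.
cert_has_principal() {    # usage: cert_has_principal <cert.pub> <name>
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
        | grep -qE "^[[:space:]]*$2[[:space:]]*$"
}

ssh-keygen -L -f "$WORK/alice-cert.pub"            # full user certificate
cert_field "$WORK/alice-cert.pub" 'Valid'          # the validity window
cert_has_principal "$WORK/alice-cert.pub" root && echo 'root allowed' || echo 'root is NOT a principal'
cat "$WORK/known_hosts"
```

Revoking a certificate before it expires is done with a KRL (`ssh-keygen -k`) on the server side; with windows this short, most compromised credentials simply age out.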

These are just a few advantages of SSH certificates, but it’s clear that they are here to stay. They go a long way toward enforcing SSH policies, reducing the complexity of managing SSH keys, and minimizing your exposure when it comes to SSH.

To learn more about establishing an SSH Machine Identity Management Strategy visit


*** This is a Security Bloggers Network syndicated blog from Rss blog authored by Alexa Cardenas. Read the original post at: