SSH: Support CA signed client and host keys

Shows how to use CA signed client and host keys to ease key management.

Date Entered: 04/14/2016    Last Updated: 04/14/2016

When working with large numbers of clients and servers using SSH CA signing may be beneficial to reduce the amount of work involved in key management. To briefly recap some of the benefits of this approach:

  • CA Signed SSH Host Keys: Clients that connect can trust the CA's public key, and thereby trust any host that has a key signed by the CA. This means the client only needs to worry about one public key, not every key for every server.
  • CA Signed Client Keys: Keys used for client authentication (public key authentication) can be signed by a CA, and servers can be configured to trust any client key that was signed by the CA. This means servers only need to worry about one public key, not every key for every client.

This article does not focus on how to implement SSH CA signing for clients and servers, but rather shows how to support using these CA keys in the IPWorks SSH components to connect and authenticate.

CA Signed SSH Host Keys

When establishing a connection to a SSH Host the component can be configured to trust the host key based on the CA's public key that signed the host key. To enable this set SSHAcceptServerCAKey to the CA's public key. For instance:

sftp.Config("SSHAcceptServerCAKey=ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB..."); sftp.SSHLogon("myserver", 22);

CA Signed Client Keys

When authenticating to a server via public key authentication specify the client's private key in SSHCert and the corresponding signed public key via SignedSSHCert. For instance:

sftp.SSHCert = new Certificate(CertStoreTypes.cstPEMKeyFile, "..\\keys\\myuser.pem", "test", "*"); sftp.Config("SignedSSHCert=" + File.ReadAllText("..\\keys\\myuser-cert.pub")); sftp.SSHUser = "test"; sftp.SSHLogon("myserver", 22);

We appreciate your feedback.  If you have any questions, comments, or suggestions about this entry please contact our support team at kb@nsoftware.com.