Signed SSH Certificates using Hashicorp Vault

Signed SSH Certificates using Hashicorp Vault

The idear of signed SSH certificates verification is to use valid (signed) SSH certificate to be verified by SSH server or by SSH client, or by both.


Vaildated by SSH server

Client retrieves signed public key which issued by the CA key in Vault. This key has short expiry date.

Server uses the CA public key configured in SSH configuration, validates the client public key issued by Vault.

Validated by SSH client

This is to validate server public whether signed by Vault by place public key in .ssh/known_hosts file. This key should have long expiry date.


Vault Server preparation

  • Login into Vault
export VAULT_ADDR=''
export VAULT_TOKEN="<token>"
  • Enable SSH secret engine
$ vault secrets enable -path=ssh-client-signer ssh
Successfully mounted 'ssh' at 'ssh-client-signer'!
  • Configure CA
$ vault write ssh-client-signer/config/ca generate_signing_key=true
Key             Value
---             -----
public_key      ssh-rsa AAAAB3NzaC1yc2EA...
  • Create Role

Beware of *allowed_users" and "default_user", they must be set correctly.

$ vault write ssh-client-signer/roles/my-role -<<"EOH"
  "allow_user_certificates": true,
  "allowed_users": "*",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": [
      "permit-pty": ""
  "key_type": "ca",
  "default_user": "ubuntu",
  "ttl": "30m0s"

SSH Server Setup

  • Login to Vault
export VAULT_ADDR=''
export VAULT_TOKEN="<token>"
  • Save CA key
# vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
  • Configure SSHD

Add following lines in /etc/ssh/sshd_config

TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
  • Restart SSHD
# systemctl restart sshd

SSH Client

  • Generate SSH key pair if haven't done
$ ssh-keygen -t rsa -C ""

This will generate a pair of files, .ssh/id_rsa and .ssh/

  • Generate and save signed public key using client public key
$ vault write -field=signed_key ssh-client-signer/sign/my-role \
    public_key=@$HOME/.ssh/ >
  • Verify signed key (optional)

This can verify the valid period and user

$ ssh-keygen -Lf ~/.ssh/
        Valid: from 2021-11-27T17:51:29 to 2021-11-27T18:21:59
  • Login to server using both signed key and private key
$ ssh -i -i ~/.ssh/id_rsa username@

Note: Add following configure in /etc/ssh/sshd_config if got error __userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]__

CASignatureAlgorithms ^ssh-rsa


Signed SSH Certificates
Leveraging Signed SSH for Remote Access with Vault

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

The reCAPTCHA verification period has expired. Please reload the page.