Create a Certificate Authority (CA)
Issue certificates for authorized users
Define CA public key and principals name in
~/.ssh/authorized_keysinstead of users’ public keysUse key (
~/.ssh/id_rsa) with CA-issued certificate (~/.ssh/id_rsa-cert.pub) to SSH into serverPer-account SSH certificate setup under
~/; can also be configured at system level (/etc/ssh/sshd_config)Advantages:
- Key rotation simplified; admin issues new certificate for new key, no need to update public keys on server
You can follow the full procedure for using a CA with SSH at https://www.lorier.net/docs/ssh-ca.html or Creating SSH CA Certificate Signing Keys.