What Are the Benefits of SSH Certificates?

April 8, 2021 | Atanas Chuchev

SSH certificates have been around for several years and more organizations are adopting SSH certificates as a way to avoid some of the risks that come with standard SSH key pairs.

SSH certificates offer a practical way to solve several pain points for growing teams and infrastructure. An SSH certificate is a digitally signed object carrying metadata such as the principal (username or hostname), restrictions, an expiry date, and more. This avoids many of the challenges and risks of traditional SSH keys: usage can be tracked and, like TLS certificates, they expire automatically.

SSH certificates can be cryptographically verified and, like traditional SSH keys, are exchanged between client and host during the SSH handshake. How exactly do SSH certificates work to secure your organization's machine identities?

Validity Period and Revocation

A major advantage of SSH certificates is the validity period. They are valid for only a specific period and after that they will no longer be trusted. The validity period can be days, hours, even minutes.

Short-lived certificates make this even better. Administrators no longer need to make sure that revocation lists are populated with revoked certificates. If an employee loses access (for example, when they leave the company), their existing certificate expires and they cannot obtain a new one. This passive revocation is also an advantage when a private key is compromised: if a laptop is lost or stolen, a short-lived SSH certificate is worthless to an unauthorized third party trying to reach internal infrastructure.

User Onboarding and Offboarding

Many organizations have documented processes for onboarding and offboarding users that include SSH access. It is not surprising that the security rules around these processes are not always strictly followed. Over the years, as administrators leave and new administrators join, old keys get left behind. Not knowing which old keys remain is a major problem, because new administrators are unlikely to be able to regenerate and replace every key still in use.

With SSH certificates, onboarding is simplified to issuing a new certificate for each new administrator. Because servers trust a certificate authority rather than individual public keys, there is no need to reconfigure each server.

When offboarding users who hold short-lived certificates, you can simply let their certificates expire without renewing them; certificates that are valid for long periods can be revoked.

Trusting Remote Servers

When a client is connecting to a server for the first time, the user is prompted to verify the public key of the server. Once accepted, the client will not prompt the user again unless there is a new public key. This process is called Trust on First Use (TOFU). 

When using traditional SSH keys, you need to put the public keys of all your servers on all client devices. This is not a big deal if organizations are using bastion (aka jump) servers. Otherwise, this can be a challenge.

Trusting a certificate authority by adding its public key is a very simple process. It lets organizations add new servers or replace existing ones without administrators seeing "host key has changed" error messages.

Host certificates allow multiple hosts to share a principal without needing to share the same private key, which is incredibly useful when using load balanced SSH connections.
