SSH certificates have been around for several years, but they have not been widely adopted. However, with digital transformation driving exponential growth in the use of SSH machine identities, organizations are starting to consider SSH certificates as a way to avoid some of the risks and complexities that come with managing standard SSH key pairs.
Many organizations are still unsure about the benefits of SSH certificates. Below are just a few of the main advantages of using them in your organization.
SSH certificates offer a fantastic way to solve some of the pain points faced by growing teams and growing infrastructure. Many of these challenges result from SSH key sprawl, a problem exacerbated by the fact that SSH keys never expire, so they accumulate over time and can be difficult to locate and manage. Unlike keys, SSH certificates are digitally signed objects that carry metadata such as username/hostname, restrictions, an end date, and more. This helps avoid many of the challenges and risks associated with traditional SSH keys: usage can be tracked and, like TLS certificates, they automatically expire, which allows you to better manage your risk exposure.
Like traditional SSH keys, SSH certificates can also be cryptographically verified and are exchanged between client and host during the SSH handshake.
SSH user certificates identify clients (in most cases these are users or applications) to servers, and SSH host certificates identify servers to clients. Like the Subject Alternative Name UPN/DNS entries in X.509 certificates, SSH certificates have a principals field that holds the identity of who is using the certificate.
Enforcing policies for validity period and revocation
One big advantage of SSH certificates is the validity period. They are valid for a specific period, and after that they are no longer trusted. The validity period can be days, hours, even minutes. Anyone who’s dealt with the damaging effects of SSH key sprawl can imagine the range of benefits of automatic expiry. Reducing key sprawl, preventing keys from being shared or compromised, enforcing SSH rotation policies, and helping prevent failed SSH audits are just some of the benefits that can come from using SSH certificates.
An additional benefit of automatic expiry comes into play when an employee loses access (e.g., they leave the company): their existing certificate will expire, and they will not be able to get a new one. This passive revocation is also a big advantage when a private SSH key is compromised. If a laptop is lost or stolen, a short-lived SSH certificate is worthless for accessing internal infrastructure.
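To make the principals and validity fields concrete, here is an added example (not from the original article or any vendor tool) that parses an OpenSSH Ed25519 certificate line and audits its lifetime. The sample blob is constructed and unsigned, the 24-hour maximum is an assumed policy value, and no signature verification is performed.

```python
import base64, struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before value meaning "no expiry"

def _read(buf, off):  # SSH wire string: uint32 length + bytes
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _s(b): return struct.pack(">I", len(b)) + b

def build_sample(principals, after, before):
    """Constructed demo blob: dummy nonce/key, empty CA key and signature."""
    body = (_s(CERT_TYPE) + _s(b"\0" * 32) + _s(b"\0" * 32)
            + struct.pack(">QI", 1, 1) + _s(b"demo-key-id")
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", after, before) + _s(b"") * 5)
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert(line):
    """Extract the policy-relevant fields from a *-cert.pub line (no signature check)."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = _read(blob, 0)
    if ktype != CERT_TYPE:
        raise ValueError("not an Ed25519 OpenSSH certificate")
    _, off = _read(blob, off)            # nonce
    _, off = _read(blob, off)            # public key
    serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = _read(blob, off + 12)  # skip serial (8) + cert type (4)
    packed, off = _read(blob, off)       # principals: strings packed in a string
    principals, p = [], 0
    while p < len(packed):
        name, p = _read(packed, p)
        principals.append(name.decode())
    after, before = struct.unpack_from(">QQ", blob, off)
    return {"type": "user" if ctype == 1 else "host", "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}

def audit(cert, now, max_lifetime=24 * 3600):
    """Return policy findings; max_lifetime is an assumed policy value."""
    findings = []
    if not cert["principals"]:
        findings.append("no principals listed")
    if cert["valid_before"] == FOREVER:
        findings.append("never expires")
    elif cert["valid_before"] - cert["valid_after"] > max_lifetime:
        findings.append("lifetime exceeds policy")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        findings.append("outside validity window")
    return findings
```

Passing `int(time.time())` as `now` for each certificate found in an inventory flags the ones that are expired, unbounded, or longer-lived than policy allows.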
These are just a few advantages of SSH certificates, but it’s clear that they are here to stay and go a long way toward helping enforce SSH policies, reducing the complexity of managing SSH keys, and minimizing your exposure to SSH-based threats.
To learn more about SSH certificates and how to establish an SSH Machine Identity Management Strategy, visit https://www.venafi.com/platform/ssh-protect