Devops on Tech ramblings by Marcinhttps://marcin.cylke.com.pl/tags/devops/Recent content in Devops on Tech ramblings by MarcinHugo -- gohugo.ioen-usWed, 15 Apr 2026 00:00:00 +0000SSH certificates: the better SSH experiencehttps://marcin.cylke.com.pl/til/2026-04-15-ssh-certificates/Wed, 15 Apr 2026 00:00:00 +0000https://marcin.cylke.com.pl/til/2026-04-15-ssh-certificates/<p>Inspired by <a href="https://jpmens.net/2026/04/03/ssh-certificates-the-better-ssh-experience/">this post by JP Mens</a>.</p> <p>Instead of distributing public keys to every server&rsquo;s <code>authorized_keys</code>, you can use a Certificate Authority (CA) to sign SSH keys. This eliminates <code>ssh-copy-id</code>, manual <code>authorized_keys</code> edits, and TOFU prompts for new hosts.</p> <p><strong>How it works:</strong></p> <ol> <li> <p>Create a CA key pair on a secure machine</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="nb">umask</span> 077<span class="p">;</span> mkdir CA </span></span><span class="line"><span class="cl">ssh-keygen -t ecdsa -C <span class="s2">&#34;My SSH CA&#34;</span> -f CA/ssh-ca </span></span></code></pre></div></li> <li> <p>Sign user public keys with the CA, specifying allowed principals (login names)</p>