Inspired by this post by JP Mens.
Instead of distributing public keys to every server’s authorized_keys, you
can use a Certificate Authority (CA) to sign SSH keys. This eliminates
ssh-copy-id, manual authorized_keys edits, and TOFU prompts for new hosts.
How it works:
1. Create a CA key pair on a secure machine:

```sh
umask 077; mkdir CA
ssh-keygen -t ecdsa -C "My SSH CA" -f CA/ssh-ca
```

2. Sign user public keys with the CA, specifying allowed principals (login names):

```sh
# user generates their own key first
ssh-keygen -t ecdsa -C "Jane's key" -f jane
# CA signs it: -I identity, -n principal (unix login), -V validity
ssh-keygen -s CA/ssh-ca -I "Jane Jolie" -n jane -V +1w jane.pub
```

3. Sign host public keys with the CA, specifying validity periods:

```sh
# on the CA machine, after receiving the server's host public key
ssh-keygen -h -s CA/ssh-ca -V +52w -I server01 -n alice.example.com \
    ssh_host_ed25519_key.pub
```

4. On servers: point `sshd_config` at the CA's public key and the signed host cert:

```sh
# install CA pubkey and signed host cert
install -m444 ssh-ca.pub /etc/ssh/ssh-ca.pub
install -m444 ssh_host_ed25519_key-cert.pub /etc/ssh/ssh_host_ed25519_key-cert.pub
# add to sshd_config
echo "TrustedUserCAKeys /etc/ssh/ssh-ca.pub" >> /etc/ssh/sshd_config
echo "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" >> /etc/ssh/sshd_config
systemctl restart sshd
```

5. On clients: add one `@cert-authority` line to `known_hosts`:

```sh
echo "@cert-authority *.example.com $(cat CA/ssh-ca.pub)" >> ~/.ssh/known_hosts
```
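The `-n` and `-V` options in steps 2 and 3 are what bind a certificate to a login name and give it an expiry; a cert signed without them is valid for no particular principal and never expires. As an added example (not from the original post or from JP Mens' setup), here is a small check that reads the listing `ssh-keygen -L` prints for a cert and rejects either omission. The sample listings, including their fingerprints, are constructed.

```sh
#!/bin/sh
# Audit a certificate listing: reject certs that undo the two controls the
# signing steps rely on, a bounded validity window and a principal list.
# Usage: ssh-keygen -L -f jane-cert.pub | audit_cert_listing
# Exit status 0 = pass, 1 = at least one FAIL line was printed.
audit_cert_listing() {
    awk '
    BEGIN { bad = 0; n = 0; valid_seen = 0; in_p = 0 }
    /^[ \t]*Valid:/ {
        valid_seen = 1
        if ($0 ~ /forever/) { print "FAIL: never expires (Valid: forever); re-sign with -V"; bad = 1 }
    }
    /^[ \t]*Principals:/ {
        # principals, if any, follow on indented lines until the next section
        in_p = ($0 !~ /\(none\)/); next
    }
    in_p && /^[ \t]*(Critical Options|Extensions):/ { in_p = 0 }
    in_p && NF { n++; print "principal: " $1 }
    END {
        if (!valid_seen) { print "FAIL: no Valid: line; is this ssh-keygen -L output?"; bad = 1 }
        if (n == 0) { print "FAIL: empty principal list; re-sign with -n <login|hostname>"; bad = 1 }
        if (!bad) print "OK: " n " principal(s), bounded validity"
        exit bad
    }'
}

# Constructed sample listings in the shape ssh-keygen -L prints; fingerprints are placeholders.
SAMPLE_GOOD='jane-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:PLACEHOLDER
        Signing CA: ECDSA SHA256:PLACEHOLDER (using ecdsa-sha2-nistp256)
        Key ID: "Jane Jolie"
        Serial: 0
        Valid: from 2024-01-01T00:00:00 to 2024-01-08T00:00:00
        Principals: 
                jane
        Critical Options: (none)
        Extensions: 
                permit-pty'
# The same key signed without -n and without -V: no login binding, no expiry.
SAMPLE_BAD='jane-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Key ID: "Jane Jolie"
        Serial: 0
        Valid: forever
        Principals: (none)
        Critical Options: (none)
        Extensions: (none)'

for s in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    printf '%s\n' "$s" | audit_cert_listing || echo "-> reject this certificate"
done
```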
What you get:
- No more per-server key deployment
- Certificates expire automatically
- Host key rotation without client warnings
- Optional: IP restrictions, forced commands per certificate