Ssh X509



An X.509 certificate contains a private and a public key. As such it is suitable for password-less login via SSH. However, as always with certificates and keys and all that powerful stuff the handling of it all is very clumsy. Kingsley just explained how to setup SSH with X.509 certificates. I will try to add the missing pieces here.

  1. Ssh-keygen X509
  2. Ssh Vs X509
X509 ssh cisco

Ssh-keygen -t rsa -b 4096 -C 'RSA 4096 bit Keys' Generate an DSA SSH keypair with a 2048 bit private key. Ssh-keygen -t dsa -b 1024 -C 'DSA 1024 bit Keys' Generate an ECDSA SSH keypair with a 521 bit private key. Ssh-keygen -t ecdsa -b 521 -C 'ECDSA 521 bit Keys' Generate an ed25519 SSH keypair- this is a new algorithm added in OpenSSH.

Yes, it is possible to use x509 certificates with ssh, but this is a very esoteric configuration and you are way out of your depth here. An x509 certificate is a signed public key along with prescribed meta-data presented in a prescribed format. You don't need to sign it. In SSH, keys are self-generated (similar, although not the same, to self-signed X.509 certificates), and are authenticated by relying on a fingerprint, which has to be transmitted out-of-band. That makes it easier to use in scenarios where both ends are reasonably trusted. SSH also has built-in mutual authentication.

  1. If you do not have a X.509 certificate yet create one with an embedded WebID via the OpenLink YouID service. Make sure the details actually get saved in the last step, for example by posting an identity claim to your Twitter or LinkedIn accounts. This will make the YouID service persist your profile which in turn will result in your new WebID being dereferencable. Kingsley has some nice Linked data details on that in his post.
  2. Export the new certificate which should now be installed in your browser’s key store, into a P12 file. This can be done via the certificate viewer in the browser preferences.
  3. Convert the P12 into PEM format:
  4. Extract the private key from the P12:
  5. Finally extract the public key from the certificate PEM file and append it to the private key:
  6. MyCert.pem can now be removed. It is not required anymore.
  7. You can use ssh-keygen to create the line to put into your remote ~/.ssh/authorized_keysfile:
Ssh X509

Ssh-keygen X509

X509v3-sign-rsa

Now you are ready to take your shiny new login stuff for a test drive and log into your remote account via:

And to put the cherry on top you can tell ssh to always use that key with the host in question by adding the following block to your client’s ~/.ssh/config file:

Ssh Vs X509

This makes login even easier: