Setting Up SSH Certificate-Based Authentication with a Certificate Authority (CA) Server

Hello all, how do I set up a Certificate Authority (CA) server to enable certificate-based authentication for SSH servers?

Thanks in advance. :smiling_face:

Computeman

Configure the Certificate Authority (CA) Server

Install SSH on the CA server as follows.

yum install -y openssh-server openssh-clients

Set up a dedicated working directory for the CA and switch into it.

mkdir /root/ssh_cert
cd /root/ssh_cert

Generate a CA key as follows.

ssh-keygen -f cert_ca

Verify the key files.

ls

The output should be.

cert_ca cert_ca.pub

Copy the CA public key to the SSH Server

On the CA server execute.

scp cert_ca.pub root@sshserver:/etc/ssh/

Replace sshserver with the actual hostname or IP address of your SSH server.

Configure the SSH server to trust the CA key

On the SSH server, execute.

vi /etc/ssh/sshd_config

And add the following line.

TrustedUserCAKeys /etc/ssh/cert_ca.pub

Save the changes and restart SSH service.

systemctl restart sshd

Generate an SSH key for the client user

On the CA server, execute.

ssh-keygen -t rsa -b 4096 -f user1_id_rsa

Sign the client public key with the CA key

ssh-keygen -s cert_ca -I user_user1 -n user1 -V +52w user1_id_rsa.pub

Output is as follows.

Signed user key user1_id_rsa-cert.pub: id "user_user1" serial 0 for user1 valid from 2026-04-17T10:09:00 to 2026-08-17T10:08:10

Where,

  • ssh-keygen: The utility responsible for generating and managing SSH keys and certificates.
  • -s cert_ca: Specifies cert_ca (the CA’s private key) as the signing key. SSH servers trust this CA to validate authentication.
  • -I user_user1: Sets user_user1 as the certificate’s identity label, which helps in identifying and tracking the certificate.
  • -n user1: Defines the username(s) this certificate is authorized for—in this case, it is restricted to user1 only.
  • -V +52w: Sets the certificate’s expiration period to 52 weeks (one year), after which the certificate will no longer be valid.
  • user1_id_rsa.pub: This is the public key that will be signed. The output will be a new certificate file (user1_id_rsa-cert.pub).

The following files will be created.

ls

Output is as follows.

cert_ca.pub
cert_ca
user1_id_rsa.pub
user1_id_rsa
user1_id_rsa-cert.pub

Transfer the signed certificate along with the private key to the client server

On the CA Server run.

scp user1_id_rsa user1_id_rsa-cert.pub root@clientserver:/home/user1/.ssh/

Replace clientserver with the real hostname or IP address of your client server.

Log in to the client machine and configure the appropriate permissions and ownership for the key files

On the client server run.

chown user1:user1 /home/user1/.ssh/user1_id_rsa
chown user1:user1 /home/user1/.ssh/user1_id_rsa-cert.pub
chmod 600 /home/user1/.ssh/user1_id_rsa
chmod 644 /home/user1/.ssh/user1_id_rsa-cert.pub

Connect to the SSH server using the signed certificate.

ssh -i .ssh/user1_id_rsa sshserver

Replace sshserver with your actual SSH server name or IP address.

Verify authentication

Check the /var/log/secure file on the SSH server.

grep user1 /var/log/secure

Expected output is.

Accepted publickey for user1 from 192.168.1.44 port 4598 ssh2: RSA-CERT SHA256:LdkD86 ID user_user1 (serial 0) CA RSA SHA256:Ej9T8M

Notice the RSA-CERT reference, which confirms that user1 is authenticating using the CA-signed certificate.

This configuration enables a dedicated CA server to handle SSH certificate signing, while all SSH servers are set to trust that CA for verifying authentication.

Let me know if you need more info or need troubleshooting.

Bye :waving_hand:
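The /var/log/secure check at the end of the answer can be turned into a small audit: parse each "Accepted publickey" line, tell certificate logins (RSA-CERT, ED25519-CERT) apart from plain key logins, and flag any certificate that was not issued by the CA you configured in TrustedUserCAKeys. This is an added example, not code from the thread above; the log lines, fingerprints and the second and third users are constructed, and the "trusted" fingerprint is the shortened value shown in the answer's sample output.

```python
import re

# Constructed sample lines in the /var/log/secure format shown in the answer above.
# Fingerprints are shortened stand-ins, not real SHA256 values.
SAMPLE_LOG = """\
Apr 17 10:12:01 sshserver sshd[2201]: Accepted publickey for user1 from 192.168.1.44 port 4598 ssh2: RSA-CERT SHA256:LdkD86 ID user_user1 (serial 0) CA RSA SHA256:Ej9T8M
Apr 17 10:15:42 sshserver sshd[2230]: Accepted publickey for user2 from 192.168.1.50 port 50122 ssh2: RSA SHA256:Qw1xYz
Apr 17 10:20:05 sshserver sshd[2255]: Accepted publickey for user3 from 10.0.0.9 port 40001 ssh2: ED25519-CERT SHA256:Abc123 ID user_user3 (serial 7) CA ED25519 SHA256:NotOurCA
"""

# A certificate login carries "<type>-CERT", then the key ID, serial and signing CA
# fingerprint; a plain key login stops after the key fingerprint.
LINE_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) SHA256:(?P<keyfp>\S+)"
    r"(?: ID (?P<cert_id>.+?) \(serial (?P<serial>\d+)\) CA \S+ SHA256:(?P<ca_fp>\S+))?"
)

def parse_login(line):
    """Parse one sshd 'Accepted publickey' line into a dict; None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["is_cert"] = d["keytype"].endswith("-CERT")
    d["serial"] = int(d["serial"]) if d["serial"] is not None else None
    return d

def audit(log_text, trusted_ca_fp):
    """One finding per login that did not present a certificate issued by our CA."""
    findings = []
    for line in log_text.splitlines():
        login = parse_login(line)
        if login is None:
            continue
        if not login["is_cert"]:
            findings.append(f'{login["user"]} from {login["src"]}: plain public key, no certificate')
        elif login["ca_fp"] != trusted_ca_fp:
            findings.append(f'{login["user"]} from {login["src"]}: cert {login["cert_id"]} '
                            f'(serial {login["serial"]}) signed by unexpected CA SHA256:{login["ca_fp"]}')
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "Ej9T8M"):
        print(finding)
```

Plain key logins still succeed after this setup because sshd keeps honoring authorized_keys alongside TrustedUserCAKeys, so the first kind of finding tells you which accounts have not yet moved to certificates.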