How to setup CA Certificate authority with OpenSSH in CentOS 7

  • You should first create CA keys on the certificate authority ca server as root:

ssh-keygen -f ca_server

  • Check with ls to see if files are created in the current working directory. Following files will be present.

ca_server ca_server.pub

  • Sign the host key of the ca server itself.

ssh-keygen -s ca_server -I host_auth_server -h -n ca_server.seimaxim.com -V +52w /etc/ssh/ssh_host_rsa_key.pub

Signed host key /etc/ssh/ssh_host_rsa_key-cert.pub: id "host_auth_server" serial 0 for ca_server.example.com valid from 2021-01-01T12:00:00 to 2022-01- 01T12:00:00

  • In the next step, use scp to copy the host key from the ssh server to ca server as follows:

scp root@sshserver.seimaixm.com:/etc/ssh/ssh_host_rsa_key.pub .

  • On the ca server, using the method as above, create a certificate from /etc/ssh/ssh_host_rsa_key.pub file.

sh-keygen -s server_ca -I host_sshserver -h -n sshserver.seimaxim.com -V +52w ssh_host_rsa_key.pub

  • Copy the generated ca certificate file to ssh server with scp as follows:

scp ssh_host_rsa_key-cert.pub root@sshserver.seimaxim.com:/etc/ssh/

  • Now on both ca server and ssh server adds the following line to /etc/ssh/sshd_config file.

HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

  • Reload ssh

systemctl reload sshd

  • Repeat all steps in bold text above on all ssh servers to which the clients want to connect.
  • Confirm certificate of ssh server from the ssh client system.

cat ca_server.pub

  • The output of the above command should be:

ssh-rsa
CVBGHNB3NzaC1yc2EAAAADAQABAAJKJKJKJJJJJJUKJHJhcNeRD3dKh0L1opw4/LQJcUPfRj07E3ambJfK+G4gfrKZ/ju0nanbq+XViNA4cpTIJq6xVk1uVvnQVOi09p4SIyqffahO9S+GxGj8apv7GkailNyYvoMYordMbIx8UVxtcTR5AMAXJM6GdIyRkKxZm1r9tsVPraaMOsKc++8isjJilwiQAhxdWVqvojPmXWE6V1R4E0wNgiHOZ+Wc72nfHh0oivZC4/i3JuZVH7kIDb+ugbsL8zFfauDevuxWeJVWn8r8SduMUVTMCzlqZKlhWb4SNCfv4j7DolKZ+KcQLbAfwybVr3Jy5d
root@ca_server

  • On ssh client edit ~/.ssh/known_hosts file. Delete all data from this file and add the following entry that specifies the public key to check the certificate that ssh server will present to ssh client during login.

@cert-authority *.seimaxim.com ssh-rsa
CVBGHNB3NzaC1yc2EAAAADAQABAAJKJKJKJJJJJJUKJHJhcNeRD3dKh0L1opw4/LQJcUPfRj07E3ambJfK+G4gfrKZ/ju0nanbq+XViNA4cpTIJq6xVk1uVvnQVOi09p4SIyqffahO9S+GxGj8apv7GkailNyYvoMYordMbIx8UVxtcTR5AMAXJM6GdIyRkKxZm1r9tsVPraaMOsKc++8isjJilwiQAhxdWVqvojPmXWE6V1R4E0wNgiHOZ+Wc72nfHh0oivZC4/i3JuZVH7kIDb+ugbsL8zFfauDevuxWeJVWn8r8SduMUVTMCzlqZKlhWb4SNCfv4j7DolKZ+KcQLbAfwybVr3Jy5d
root@ca_server

  • The client machine will not ask about trusting the remote host to connecting to the ssh server for the first time using FQDN. The main reason is that the ssh server has shown its host certificate to ssh client, signed by the certificate authority ca server by checking the known_hosts file and verifying that the certificate is legit.

How to set certificate authority CA for the user account

  • On the ca_server, create new keys to sign user certificates as follows:

ssh-keygen -f ca_users

  • Configure ca_server to accept logins with user certification. Use scp to copy the public key to each of ssh servers that will validate the authenticity of the user.

scp users_ca.pub root@sshserver.example.com:/etc/ssh/

  • Add below line to /etc/ssh/sshd_config file on ssh server. This should be added after HostCertificate key as follows:

TrustedUserCAKeys /etc/ssh/ca_users.pub

  • Restart sshd server with systemctl restart sshd
  • Copy client key to the ca_server as follows:

scp <username>@client.seimaxim.com:~/<username>/.ssh/id_rsa.pub

ssh-keygen -s ca_users -I <user_username> -n <username> -V +52w id_rsa.pub

  • On ca server, id_rsa-cert.pub file will be generated that needs to be copied back to the client machine.

scp id_rsa-cert.pub username@client.seimaxim.com:/home/username/.ssh/

  • At this stage, if you log in to ssh server from the client machine, it should not require authentication, even if a login has not been done before to this ssh server as this user.

Leave a Reply

Your email address will not be published. Required fields are marked *