How to check if an SSH server public key is signed by a Certificate Authority (CA)?
Jun 2, 4:15pm

To check if an SSH server's public key is signed by a Certificate Authority (CA), you need to verify the SSH host certificate associated with the key. SSH certificates are used to authenticate hosts (or users) and are signed by a CA, similar to how TLS/SSL certificates work.

Here’s how you can verify if an SSH server’s public key is signed by a CA:

1. Retrieve the SSH Server’s Public Key and Certificate

When connecting to an SSH server, the server may present:

  • A public key (e.g., ssh-rsa, ecdsa-sha2-nistp256, etc.)
  • A host certificate (e.g., ssh-rsa-cert-v01@openssh.com)

If the server uses a CA-signed certificate, the public key will be embedded in the certificate.

Check the Server’s Host Key and Certificate

Run the following command to fetch the server’s host keys and certificates:

```bash
# -c asks the server for its host certificate instead of the plain host key;
# cut drops the leading hostname field of ssh-keyscan's known_hosts-style output
# so that ssh-keygen -L can parse each remaining line as a key or certificate
ssh-keyscan -c <hostname_or_ip> 2>/dev/null | cut -d' ' -f2- | ssh-keygen -Lf -
```
  • Replace <hostname_or_ip> with the server’s address.
  • This command retrieves the server’s host keys and attempts to parse them as certificates.

2. Look for Certificate Information

If the server uses a CA-signed certificate, the output will include:

  • Certificate type (e.g., host or user)
  • Signing CA (e.g., Signed by CA: yes)
  • Validity period
  • Principals (e.g., hostnames or usernames the certificate is valid for)

Example output for a CA-signed certificate:

```text
<hostname_or_ip>:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: ssh-rsa AAAAB3NzaC1yc2EAAA...
        Signing CA: ssh-rsa AAAAB3NzaC1yc2EAAA... (using ssh-rsa)
        Valid: from 2024-01-01T00:00:00 to 2026-01-01T00:00:00
        Principals: myhost.example.com
        Critical Options: (none)
        Extensions: (none)
```
  • If you see Type: ... host certificate, the key is signed by a CA.
  • If you only see a plain public key (e.g., ssh-rsa AAAAB3...), it is not signed by a CA.

3. Verify the Certificate Against the CA’s Public Key

To explicitly verify the certificate, you need:

  • The CA’s public key (e.g., ca.pub)
  • The server’s host certificate (e.g., host-cert.pub)

Run:

```bash
ssh-keygen -s /path/to/ca.pub -n myhost.example.com /path/to/host-cert.pub
```
  • -s: Path to the CA’s public key.
  • -n: Principal (hostname) to verify.
  • If the certificate is valid and signed by the CA, this command will succeed silently.

If the certificate is not signed by the CA, you’ll see:

```text
host-cert.pub is not signed by the CA!
```

4. Check the Server’s SSH Configuration

On the SSH server, check /etc/ssh/sshd_config for:

```ini
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
```
  • If this line exists, the server is using a CA-signed certificate.

5. Manual Inspection of the Certificate

You can also inspect the certificate file directly:

```bash
ssh-keygen -Lf /path/to/host-cert.pub
```
  • This will display the certificate details, including the signing CA.

Summary Table: SSH CA Verification Methods

Method                       Command                                        Output
Fetch and parse host keys    ssh-keyscan <host> | ssh-keygen -Lf -          Certificate details or plain key
Verify with CA               ssh-keygen -s ca.pub -n host host-cert.pub     Silent success or error
Inspect certificate          ssh-keygen -Lf host-cert.pub                   Certificate metadata

Key Takeaways

  • If the server’s public key is plain (e.g., ssh-rsa AAAAB3...), it is not signed by a CA.
  • If the server presents a certificate (e.g., ssh-rsa-cert-v01@openssh.com), it is signed by a CA.
  • Use ssh-keygen -Lf to inspect certificates and ssh-keygen -s to verify them against a CA.
Jun 2, 4:15pm

This is a shared conversation and may include unverified content that doesn't reflect Mistral AI's views.
