SSH – How to Revoke an SSH Certificate

Tags: ssh, ssh-keys

I've generated an ssh certificate like this:

  1. ssh-keygen -f ca_key # generate a ssh keypair for use as a certificate
  2. generate a host key: ssh-keygen -s ca_key -I cert_identifier -h host_key.pub
  3. specify the host key in the server's sshd config file: TrustedUserCAKeys /etc/ssh/ssh_cert/host_key.pub
  4. generate a local certificate to access the host using an ssh certificate: ssh-keygen -s ca_key -I cert_identifier user_key.pub. This should generate user_key-cert.pub

I can now log into the server using ssh -i user_key user@host (which uses user_key-cert.pub). How can I revoke the certificate other than disabling the TrustedUserCAKeys file?

Best Answer

sshd_config has a RevokedKeys file. You can list multiple keys or certificates in it, one per line. In the future, OpenSSH will support revocation by certificate serial number, which will make for much smaller revocation lists.
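As an added example (not part of the answer above), the following script shows the Key Revocation List (KRL) form that RevokedKeys also accepts: it signs a certificate with an explicit serial, revokes that serial against the CA, and checks the certificate with ssh-keygen -Q. The file names ca_key, user_key and revoked.krl and the principal alice are assumptions for the demo.

```shell
# Added example, not from the original post or answer: revoke an OpenSSH
# certificate by serial number with a KRL and confirm it is rejected.
set -eu

# Returns "revoked" when the certificate is rejected once its serial is in the
# KRL, "valid" if it unexpectedly still passes, or "skip" without ssh-keygen.
krl_revoke_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) && cd "$work"
    ssh-keygen -q -t ed25519 -N '' -f ca_key    # throwaway CA keypair (constructed)
    ssh-keygen -q -t ed25519 -N '' -f user_key  # throwaway user keypair (constructed)
    # Sign with an explicit serial (-z) so the cert can later be revoked by number.
    ssh-keygen -q -s ca_key -I alice-laptop -n alice -z 42 user_key.pub
    # KRL spec lines read "serial: N"; -s names the CA the serials belong to.
    printf 'serial: 99\n' > spec_other        # some other certificate, not ours
    ssh-keygen -k -f revoked.krl -s ca_key.pub spec_other >/dev/null
    # -Q exits 0 only when none of the listed keys is revoked: still accepted here
    ssh-keygen -Q -f revoked.krl user_key-cert.pub >/dev/null \
        || { echo unexpected; return 1; }
    printf 'serial: 42\n' > spec_ours
    ssh-keygen -k -u -f revoked.krl -s ca_key.pub spec_ours >/dev/null  # -u: update KRL
    if ssh-keygen -Q -f revoked.krl user_key-cert.pub >/dev/null; then
        echo valid
    else
        echo revoked
    fi
}
```

Point sshd's RevokedKeys at the resulting revoked.krl; a KRL keyed by serial stays small no matter how many certificates the CA has issued.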