SSH – use a CA certificate to authenticate an SSH server


I manage an SSH server and I want to validate it when clients try to authenticate.
I've read a couple of tutorials (How To Create an SSH CA to Validate Hosts and Clients with Ubuntu and USING OPENSSH CERTIFICATE AUTHENTICATION). Both describe how I can use a self-signed CA to sign my SSH server pub key. But in this case I already have a CA certificate from GeoTrust, and I'd like to use it.

Is it correct to follow the usual procedure in order to sign the ssh_host_rsa_key.pub file?

Thanks in advance.

Best Answer

The guides you are referring to talk about OpenSSH certificates and NOT X.509 certificates like the ones you can get from GeoTrust. These are very different things.

If you want to use the OpenSSH method (which I really like and use myself both at work and privately; even Facebook uses it: https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/) you will use a regular private SSH key to sign your server keys. There is no CA certificate in play using this method, only a private key.

Just create a new key pair using ssh-keygen and be sure to keep the private key secret. Then you can follow the guides you are referring to in order to sign your host keys. I have also written a guide myself that you can find here: https://framkant.org/2016/10/setting-up-a-ssh-certificate-authority-ca/

When the host keys are signed you can just tell your clients to trust the public part of your "signing key" by putting something like this in the known_hosts file:

@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3pcm4IJGw76YKZSrf7pZA6s3Hu9eRzKbyzKPgg5OkBWU9ztUz2e1bXtR0UDqQKuOUx+ZDx6wmR3rVRM/BhYt1oeAv6rhxNRW2XPiakpn3EzuEWlbp68QRY8p+k6gjy7cnvF2uyaP0R0Ov819tTMHkdS3Rn57m7pfFk+tuRKLjJnQN2g6uxT+PBJonTQr2XcS5oAzwjel1x7xLqmz0MMrE98uE0GaZHxf/hioXOHt1ihzTF+GPqZ31ZrR3GIWtFEKtvcroaiS25VIV9W39LfVh7RRZTh8oCrjcEdoeFKUKA1PpqblsJhqg1XU2/xa9CAKb6SHb7gwQ18nUaQ/Sk6qYJMgkwWUtXbwS1RIm1k5QlKk8VD4H10jyqiAUBC8SHfNxnqOwKe275AfOVc/iuh4F2NsrIuHfh8tno5LqWSP63D3gXpXXm/4j3Sop2NqNz6EIqoqj0HPIL21/SneJgWXS7xxV/ShgnLVGB0dsJf8PsCnsVt0s5thO22VvE/IVQ1KM/ac1lEafBeSZsuPiOfcIeZu9mm4DfuoyqaHmnV6yBguW6zb894IdcYXsrVnMy3Hp85gnymEZn/qfPJ+dhNbBAANgjWphz5ZaBKdrpgCESz8Ka9S6V7fXr2ikB21YiUKB7XuoPjDncOokSEHU0p5iMQjE+Le7K3nOTtokhrZjXw==
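As an added example (not part of the answer above, and not code from OpenSSH), a small Python parser for known_hosts lines that shows which hosts a `@cert-authority` entry actually vouches for, so you can see how wide a `*` pattern like the one above is compared with a domain-scoped pattern. The sample file and its key blobs are constructed placeholders; hashed (`|1|...`) hostnames are not handled.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# CA trusted for every host, like the line in the answer
@cert-authority * ssh-rsa AAAAB3NzaC1yc2E...CAWIDE
# same idea but scoped to one domain, with one host carved out
@cert-authority *.corp.example,!bastion.corp.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...CASCOPED
# ordinary pinned host key, no marker
legacy.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...HOSTKEY
"""

@dataclass
class KnownHostEntry:
    marker: Optional[str]   # "@cert-authority", "@revoked" or None
    patterns: List[str]     # comma-separated host patterns, "!" negates
    key_type: str           # "ssh-rsa", "ssh-ed25519", ...
    key_b64: str            # base64 key blob

def parse_known_hosts(text: str) -> List[KnownHostEntry]:
    """Parse plain (unhashed) known_hosts lines; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        entries.append(KnownHostEntry(marker, fields[0].split(","), fields[1], fields[2]))
    return entries

def host_matches(patterns: List[str], host: str) -> bool:
    """OpenSSH pattern-list semantics: a matching negated pattern rejects the
    host outright; otherwise any matching positive pattern accepts it.
    Hostnames compare case-insensitively; '*' and '?' are the wildcards."""
    host = host.lower()
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(host, pat.lower()):
            matched = True
    return matched

def trusted_cas_for(entries: List[KnownHostEntry], host: str) -> List[str]:
    """Key blobs of every CA whose @cert-authority line would vouch for host."""
    return [e.key_b64 for e in entries
            if e.marker == "@cert-authority" and host_matches(e.patterns, host)]
```

Running `trusted_cas_for(parse_known_hosts(SAMPLE_KNOWN_HOSTS), "anything.example")` returns only the `*` CA, which is the point: a bare `*` lets that signing key vouch for any hostname, so keep the private key offline and narrow the pattern where you can.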