Why SSH Key Management Is Broken and How Certificates Fix It
SSH certificates vs keys; deep infrastructure security with immediate applicability.
SSH certificate-based authentication, available in OpenSSH since version 5.4 (2010), replaces per-key trust with a Certificate Authority (CA) model. Deploy separate user and host CAs and have them sign existing public keys with bounded validity and explicit principals (e.g., ssh-keygen -s host_ca -I <key-id> -h -n <hostname> -V +52w ssh_host_ed25519_key.pub, which writes ssh_host_ed25519_key-cert.pub). Servers then present the signed host certificate via HostCertificate and accept user certificates via TrustedUserCAKeys, while clients carry a single @cert-authority line in known_hosts, which removes both manual key distribution and trust-on-first-use host fingerprint prompts. Because a certificate stays valid until it expires, pair short lifetimes with a revocation list (sshd's RevokedKeys) for keys that must be cut off early.
Replace authorized_keys with SSH certificates by establishing separate user and host CAs, signing keys with bounded validity and named principals, and configuring sshd (TrustedUserCAKeys, HostCertificate) and client known_hosts (@cert-authority) to trust only the CAs.
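The procedure above as an added shell example; it is not code from the article. It creates separate user and host CAs, signs one host key and one user key with bounded validity and explicit principals, writes the sshd_config and known_hosts lines that move trust to the CAs, and checks each certificate's type, principals and signing CA. The CA file names, the hostname bastion.example.internal, the user alice, the principal deploy, the ed25519 key type and the lifetimes are assumptions chosen for illustration; the script needs OpenSSH's ssh-keygen.

```shell
#!/bin/sh
# Added example (not from the article): build a user CA and a host CA, sign one
# host key and one user key with bounded validity, and emit the sshd_config and
# known_hosts lines that make servers and clients trust the CA instead of
# individual keys. Assumed for illustration: ed25519 keys, CA files user_ca and
# host_ca, hostname bastion.example.internal, user alice, principal deploy.
# Requires OpenSSH's ssh-keygen (certificates need OpenSSH 5.4 or later).
set -eu

# Two separate CAs: a leaked host CA must not be able to mint user certificates,
# and vice versa.
make_cas() {
    local dir=$1
    ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$dir/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/host_ca"
}

# Sign a host public key. -h makes it a host certificate, -n pins the names the
# host may present, -V bounds validity (52 weeks, as in the article). The host
# key is generated here only so the example is self-contained; normally it
# already exists under /etc/ssh. Output: $dir/ssh_host_ed25519_key-cert.pub
sign_host_key() {
    local dir=$1 host=$2
    ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$dir/ssh_host_ed25519_key"
    ssh-keygen -q -s "$dir/host_ca" -I "host-$host" -h -n "$host" -V +52w \
        "$dir/ssh_host_ed25519_key.pub"
}

# Sign a user public key. -n lists the principals (login names) the certificate
# is good for; a short lifetime (8 hours) does the cleanup that authorized_keys
# never got. Output: $dir/id_ed25519-cert.pub
sign_user_key() {
    local dir=$1 user=$2 principals=$3
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$dir/id_ed25519"
    ssh-keygen -q -s "$dir/user_ca" -I "user-$user" -n "$principals" -V +8h \
        "$dir/id_ed25519.pub"
}

# Prints "host" or "user", read from the Type: line of ssh-keygen -L.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/Type:/ { print $(NF-1); exit }'
}

# Prints the principals embedded in the certificate, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Critical Options:/ { p = 0 } p { sub(/^[ \t]+/, ""); print } /Principals:/ { p = 1 }'
}

# Succeeds only if the certificate's "Signing CA" fingerprint is that of ca_pub.
# ssh and sshd perform this check implicitly; doing it explicitly shows that a
# user certificate does not chain to the host CA.
cert_signed_by() {
    local cert=$1 ca_pub=$2 ca_fp
    ca_fp=$(ssh-keygen -lf "$ca_pub" | awk '{ print $2 }')
    ssh-keygen -L -f "$cert" | grep 'Signing CA:' | grep -qF -- "$ca_fp"
}

# sshd side: present the host certificate and accept any user certificate signed
# by the user CA, so per-user authorized_keys files are no longer needed.
write_sshd_config() {
    local dir=$1
    cat > "$dir/sshd_certs.conf" <<EOF
HostKey $dir/ssh_host_ed25519_key
HostCertificate $dir/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys $dir/user_ca.pub
# RevokedKeys /etc/ssh/revoked_keys.krl   (KRL for revocation before expiry; build with ssh-keygen -k)
EOF
}

# Client side: one @cert-authority line covers every host whose certificate the
# host CA signed and whose name matches the pattern, so no fingerprint prompts.
write_known_hosts() {
    local dir=$1 pattern=$2
    printf '@cert-authority %s %s\n' "$pattern" "$(cat "$dir/host_ca.pub")" \
        > "$dir/known_hosts"
}

main() {
    local dir
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; nothing to demonstrate" >&2
        return 0
    fi
    dir=$(mktemp -d)
    make_cas "$dir"
    sign_host_key "$dir" bastion.example.internal
    sign_user_key "$dir" alice deploy
    write_sshd_config "$dir"
    write_known_hosts "$dir" 'bastion.example.internal,*.example.internal'
    echo "host cert: $(cert_type "$dir/ssh_host_ed25519_key-cert.pub") certificate for $(cert_principals "$dir/ssh_host_ed25519_key-cert.pub")"
    echo "user cert: $(cert_type "$dir/id_ed25519-cert.pub") certificate for principal $(cert_principals "$dir/id_ed25519-cert.pub")"
    if cert_signed_by "$dir/id_ed25519-cert.pub" "$dir/host_ca.pub"; then
        echo "BUG: user cert chains to host CA"
    else
        echo "user cert does not chain to host CA (as intended)"
    fi
    echo "artifacts left in $dir"
}

main "$@"
```

Run it with sh or bash; it leaves the CAs, signed certificates, sshd fragment and known_hosts line in a temporary directory for inspection with ssh-keygen -L. The user certificate's 8-hour lifetime is the point of the model: access ends on its own, and the RevokedKeys KRL is only needed for the rare key that must be cut off before then.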
For a senior engineer managing cloud infrastructure and developer tooling, replacing manual SSH key sprawl with certificate-based auth directly reduces operational overhead and security risk in team access and host trust workflows.