Implementing OpenSSH Certificate Authentication on Windows Clients: A Practical Guide for DevOps

While OpenSSH certificate authentication works seamlessly in Linux environments, Windows presents unique challenges. The native OpenSSH implementation in Windows (as of 2023) lacks full certificate support, and alternative clients like PuTTY don't recognize OpenSSH-formatted certificates.

First, ensure you're using the built-in Windows OpenSSH client (Windows 10 1809+ or Windows Server 2019+):

# Verify OpenSSH version
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

# Install if missing
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

For temporary certificates, you can use this PowerShell snippet to place and load the certificate:

# Windows OpenSSH locates the certificate by naming convention: it must sit next to
# the private key as <key>-cert.pub. A user certificate needs no format conversion
# (the "cert-authority " prefix only appears in authorized_keys, never in a certificate).
Copy-Item -Path "user_cert.pub" -Destination "user_key-cert.pub"

# Start the agent service if it is not running (it is disabled by default; an admin
# must first run: Set-Service ssh-agent -StartupType Manual), then load key + certificate
Start-Service ssh-agent
ssh-add .\user_key

# Certificate identities are listed with a "-cert-v01@openssh.com" key type
ssh-add -L | Select-String "cert-v01@openssh.com"

Here's how to authenticate using certificates with the Windows OpenSSH client:

# SSH connection using certificate
ssh -i "C:\path\to\private_key" -o CertificateFile="C:\path\to\user_cert.pub" user@host

# Alternative using ssh_config
Add-Content -Path "$env:USERPROFILE\.ssh\config" -Value @"
Host *
    IdentityFile C:\path\to\private_key
    CertificateFile C:\path\to\user_cert.pub
"@

For environments where native OpenSSH isn't sufficient:

  • Windows Subsystem for Linux (WSL): Run a Linux OpenSSH client within WSL
  • PowerShell Remoting: For internal systems, consider using PSRemoting with certificate authentication
  • Third-party clients: MobaXterm or WezTerm have better certificate support

For short-lived certificates, automate the renewal process:

# PowerShell script to fetch new certificate
# Get-CompanyAuthToken is a placeholder for whatever issues your CA portal's bearer token
$token = Get-CompanyAuthToken
Invoke-RestMethod -Uri "https://ca.example.com/new-cert" -Headers @{
    Authorization = "Bearer $token"
} -OutFile "new_cert.pub"

# Verify certificate validity
ssh-keygen -L -f new_cert.pub | Select-String "Valid:"

Common issues and solutions:

# Error: "no such identity" - Usually path issues (note the leading dot in .ssh)
Resolve-Path "~\.ssh\private_key" | Select-Object -ExpandProperty Path

# Error: "certificate invalid" - Check time synchronization (w32tm /resync needs an elevated prompt)
Get-Date
w32tm /resync

As noted above, OpenSSH certificate authentication works seamlessly in Linux environments, while Windows presents unique challenges. The core issue stems from:

  • Native Windows OpenSSH implementation missing full certificate support
  • PuTTY's inability to parse OpenSSH certificate format
  • Lack of clear documentation for Windows-specific workflows

Since Windows 10 1809 and Windows Server 2019, OpenSSH is included as a Windows optional feature. Here's how to make it work with certificates:

# Install OpenSSH Client (admin PowerShell)
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Generate user key pair
ssh-keygen -t ed25519 -f $env:USERPROFILE\.ssh\admin_cert_key

# Get certificate signed by your CA (typically from internal portal)
# Certificate will be in $env:USERPROFILE\.ssh\admin_cert_key-cert.pub

# Configure ssh to automatically use the certificate
# Add to $env:USERPROFILE\.ssh\config:
Host *
    IdentityFile ~/.ssh/admin_cert_key
    CertificateFile ~/.ssh/admin_cert_key-cert.pub

For environments where native Windows OpenSSH lacks features:

# In WSL terminal:
sudo apt update && sudo apt install openssh-client
ssh-keygen -t ed25519 -f ~/.ssh/wsl_cert_key
# After obtaining certificate:
chmod 600 ~/.ssh/wsl_cert_key*
ssh -i ~/.ssh/wsl_cert_key user@host

For short-lived certificates (common in enterprise environments):

# Check certificate expiration:
ssh-keygen -L -f admin_cert_key-cert.pub
# Output includes:
#        Valid: from 2023-10-01T00:00:00 to 2023-10-02T00:00:00
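The renewal script earlier and the expiration check just above both rely on reading the "Valid:" line from `ssh-keygen -L`. The following is an added example (not code from the original post) that parses that output into an object and decides whether the certificate is usable right now, so a scheduled renewal job only fetches a new certificate when one is actually needed and can also pin the issuing CA. It assumes the Windows OpenSSH `ssh-keygen.exe` is on PATH; the function, parameter and property names are my own, and the CA fingerprint in the usage line is a placeholder.

```powershell
# Added example: parse `ssh-keygen -L` and evaluate a certificate (names are my own).

function Get-SshCertificateInfo {
    param([Parameter(Mandatory)][string]$Path)

    $lines = & ssh-keygen -L -f $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "ssh-keygen could not read '$Path': $($lines -join ' ')" }

    $info = [ordered]@{
        Path       = $Path
        Type       = $null
        SigningCA  = $null     # e.g. "ED25519 SHA256:... (using ssh-ed25519)"
        KeyId      = $null
        Serial     = $null
        ValidFrom  = $null     # $null: no lower bound
        ValidTo    = $null     # $null: no upper bound ("Valid: forever")
        Principals = @()
    }
    $fmt = 'yyyy-MM-ddTHH:mm:ss'            # ssh-keygen prints local time in this shape
    $inv = [cultureinfo]::InvariantCulture
    $inPrincipals = $false

    foreach ($raw in $lines) {
        $line = "$raw".Trim()
        switch -Regex ($line) {
            '^Type:\s+(.+)$'                  { $info.Type = $Matches[1]; $inPrincipals = $false }
            '^Signing CA:\s+(.+)$'            { $info.SigningCA = $Matches[1]; $inPrincipals = $false }
            '^Key ID:\s+"(.*)"$'              { $info.KeyId = $Matches[1]; $inPrincipals = $false }
            '^Serial:\s+(\d+)$'               { $info.Serial = [uint64]$Matches[1]; $inPrincipals = $false }
            '^Valid:\s+forever$'              { $inPrincipals = $false }
            '^Valid:\s+after (\S+)$'          { $info.ValidFrom = [datetime]::ParseExact($Matches[1], $fmt, $inv); $inPrincipals = $false }
            '^Valid:\s+before (\S+)$'         { $info.ValidTo   = [datetime]::ParseExact($Matches[1], $fmt, $inv); $inPrincipals = $false }
            '^Valid:\s+from (\S+) to (\S+)$'  {
                $info.ValidFrom = [datetime]::ParseExact($Matches[1], $fmt, $inv)
                $info.ValidTo   = [datetime]::ParseExact($Matches[2], $fmt, $inv)
                $inPrincipals = $false
            }
            '^Principals:'                    { $inPrincipals = $true }   # names follow, one per indented line
            '^(Critical Options|Extensions):' { $inPrincipals = $false }
            default { if ($inPrincipals -and $line -ne '' -and $line -ne '(none)') { $info.Principals += $line } }
        }
    }
    [pscustomobject]$info
}

function Test-SshCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedCAFingerprint,      # 'SHA256:...' from `ssh-keygen -l -f ca.pub`; pins the issuer
        [int]$RenewBeforeMinutes = 15        # a cert this close to expiry is treated as due for renewal
    )
    $c   = Get-SshCertificateInfo -Path $Path
    $now = Get-Date
    $problems = @()

    if ($c.Type -notmatch 'user certificate') {
        $problems += "not a user certificate (Type: $($c.Type))"
    }
    if ($ExpectedCAFingerprint -and ($c.SigningCA -notmatch [regex]::Escape($ExpectedCAFingerprint))) {
        $problems += "signed by an unexpected CA: $($c.SigningCA)"
    }
    # "certificate invalid" with a freshly issued cert usually means the client clock is behind
    if ($c.ValidFrom -and $now -lt $c.ValidFrom) {
        $problems += "not valid until $($c.ValidFrom); check time sync (w32tm /resync)"
    }
    if ($c.ValidTo -and $now -ge $c.ValidTo) {
        $problems += "expired at $($c.ValidTo)"
    }
    $dueForRenewal = [bool]($c.ValidTo -and ($c.ValidTo - $now).TotalMinutes -lt $RenewBeforeMinutes)

    [pscustomobject]@{
        Path          = $Path
        KeyId         = $c.KeyId
        Principals    = $c.Principals
        ValidTo       = $c.ValidTo
        Usable        = ($problems.Count -eq 0)
        DueForRenewal = $dueForRenewal
        Problems      = $problems
    }
}

# Usage: run this before the renewal call instead of fetching a new certificate on every run
$result = Test-SshCertificate -Path "$env:USERPROFILE\.ssh\admin_cert_key-cert.pub" `
                              -ExpectedCAFingerprint 'SHA256:<CA fingerprint placeholder>'
if (-not $result.Usable -or $result.DueForRenewal) {
    Write-Warning ("Certificate needs renewal: " + ($result.Problems -join '; '))
    # call your renewal step here (the Invoke-RestMethod fetch shown earlier)
}
$result
```

Pinning `-ExpectedCAFingerprint` catches the case where a portal hands back a certificate signed by a test or decommissioned CA, which the server would reject with the same unhelpful "certificate invalid" message as a clock-skew failure; the `Problems` list tells the two apart.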

Common problems and solutions:

  • Permissions errors: Ensure private key is 600 and in user's profile
  • Certificate not detected: Verify CertificateFile directive in ssh_config
  • Clock skew: Windows time must be synchronized with CA server

For system administrators managing multiple Windows clients:

# PowerShell script to deploy certificate auth:
$certAuthConfig = @"
Host *
    IdentityFile $env:USERPROFILE\.ssh\admin_key
    CertificateFile $env:USERPROFILE\.ssh\admin_key-cert.pub
"@
$configPath = "$env:USERPROFILE\.ssh\config"
if (-not (Test-Path $configPath)) {
    New-Item -Path $configPath -ItemType File -Force | Out-Null   # -Force also creates .ssh if it is missing
}
Add-Content -Path $configPath -Value $certAuthConfig
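The deployment script above appends the block every time it runs and leaves the private key's permissions to chance. The following is an added example (not the original post's script) of a re-runnable version: it creates `.ssh` if needed, restricts the private key's ACL the way OpenSSH for Windows requires (the native-Windows equivalent of the "600" permissions item in the troubleshooting list), and writes the config block between markers so that running it twice updates the block instead of adding a second copy. It assumes the Windows OpenSSH client is installed; the key name and marker text are my own choices.

```powershell
# Added example: idempotent certificate-auth deployment for a Windows client (names are my own).

$sshDir     = Join-Path $env:USERPROFILE '.ssh'
$configPath = Join-Path $sshDir 'config'
$keyPath    = Join-Path $sshDir 'admin_key'           # certificate is expected at admin_key-cert.pub
$marker     = '# --- managed block: ssh certificate auth ---'

# 1. Ensure the directory exists
if (-not (Test-Path -Path $sshDir)) {
    New-Item -Path $sshDir -ItemType Directory | Out-Null
}

# 2. Windows has no chmod 600. OpenSSH for Windows instead refuses a private key whose
#    ACL grants access to anyone besides the owner, SYSTEM and Administrators.
#    /reset drops explicit entries, /inheritance:r removes inherited ones, then only the
#    three permitted principals are granted (well-known SIDs so this works on any locale).
if (Test-Path -Path $keyPath) {
    icacls $keyPath /reset | Out-Null
    icacls $keyPath /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(F)" '*S-1-5-18:(F)' '*S-1-5-32-544:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $keyPath" }
}

# 3. Build the config block and write it idempotently
$block = @"
$marker
Host *
    IdentityFile ${keyPath}
    CertificateFile ${keyPath}-cert.pub
$marker
"@
$existing = ''
if (Test-Path -Path $configPath) { $existing = [string](Get-Content -Path $configPath -Raw) }
$pattern = '(?s)' + [regex]::Escape($marker) + '.*?' + [regex]::Escape($marker)
$newConfig = if ($existing -match $pattern) {
    $existing -replace $pattern, $block.Replace('$', '$$')   # a bare '$' in a replacement is a group reference
} else {
    ($existing.TrimEnd() + "`r`n`r`n" + $block + "`r`n").TrimStart()
}
# OpenSSH for Windows expects a plain ASCII/UTF-8 config without a byte-order mark
Set-Content -Path $configPath -Value $newConfig -Encoding ascii -NoNewline
```

Because the `Host *` block is bounded by markers, changing the key name or adding a `CertificateFile` for a second key is a matter of editing `$block` and re-running; existing, unmanaged entries in the user's config are left untouched.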