When working with SSH certificate authentication, revocation presents unique challenges compared to traditional key-based authentication. Here's why:
- Certificates contain validity periods (set via the -V flag during generation)
- Revocation requires explicit mechanisms beyond simply removing keys
The most effective approaches for certificate revocation in OpenSSH:
1. Certificate Revocation List (CRL)
Create a revocation list file containing serial numbers or key IDs:
```sh
# Generate an initial empty revocation list as a KRL (the binary format that
# ssh-keygen -k/-Q work with; a plain-text RevokedKeys file holds public keys only)
ssh-keygen -k -f /etc/ssh/revoked_certs
```
Then point sshd at it:
```
# Add to sshd_config
RevokedKeys /etc/ssh/revoked_certs
```
To revoke a specific certificate:
```sh
# Add the certificate's key ID (from the -I parameter) to a KRL spec file and
# compile it into the KRL; a bare key ID written into the RevokedKeys file is
# not understood and revokes nothing
echo "id: cert_identifier" > revoke.spec
# id:/serial: entries are scoped to the issuing CA, so its public key is required;
# -u adds to the existing KRL instead of replacing it
ssh-keygen -k -u -f /etc/ssh/revoked_certs -s ca_key.pub revoke.spec
# Reload sshd (RevokedKeys is re-read on every authentication, but this does no harm)
systemctl reload ssh
```
2. Shortening Validity Periods
When generating certificates, always specify explicit validity:
```sh
ssh-keygen -s ca_key -I cert_id -V +1d user_key.pub
```
For larger deployments, consider OpenSSH's OCSP-like verification:
```
# In sshd_config
# CASignatureAlgorithms takes signature algorithm names, not a certificate type
# name such as ssh-rsa-cert-v01@openssh.com (sshd rejects that value)
CASignatureAlgorithms ssh-ed25519,rsa-sha2-512
# sshd_config has no RevocationCheck keyword (sshd refuses to start on unknown
# options) and OpenSSH performs no OCSP-style online check; revocation is a
# KRL consulted through RevokedKeys
RevokedKeys /etc/ssh/revoked_certs
```
Complete workflow for certificate issuance and revocation:
```sh
# CA setup
ssh-keygen -t ed25519 -f ca_key
# Generate user cert (valid 2 days)
ssh-keygen -s ca_key -I alice@2023-12-01 -V +2d user_key.pub
# Revoke when needed: put the key ID in a KRL spec file and compile it into the
# KRL with the CA's public key (appending the bare ID to the KRL file would
# corrupt it, and -k with no input file just writes an empty KRL)
echo "id: alice@2023-12-01" > revoke.spec
ssh-keygen -k -f /etc/ssh/revoked_certs -s ca_key.pub revoke.spec
```
Check if a certificate is revoked:
```sh
# Exits non-zero and prints REVOKED if the certificate is listed in the KRL
ssh-keygen -Q -f /etc/ssh/revoked_certs user_key-cert.pub
```
When working with certificate-based SSH authentication, revocation becomes crucial for security maintenance. Unlike traditional public key authentication, certificates provide additional flexibility but require proper revocation mechanisms.
The standard SSH certificate workflow you've implemented (CA signing both host and user certificates) lacks built-in revocation capabilities. Let's examine your current setup:
```sh
# Current certificate generation flow
ssh-keygen -f ca_key
ssh-keygen -s ca_key -I cert_identifier -h host_key.pub
ssh-keygen -s ca_key -I cert_identifier user_key.pub
```
1. Using Revocation Lists
The most effective method is implementing certificate revocation lists (CRLs) through OpenSSH's RevokedKeys directive:
```sh
# Create a revocation list. "serial:" lines are KRL spec syntax: they must be
# compiled into a KRL with the issuing CA's public key, not written into the
# RevokedKeys file as text (sshd would ignore the line). The certificate must
# have been signed with -z 1234; without -z the serial defaults to 0.
echo "serial: 1234" > revoke.spec
ssh-keygen -k -f /etc/ssh/revoked_keys -s /etc/ssh/ssh_cert/ca_key.pub revoke.spec
```
```
# Configure sshd_config
RevokedKeys /etc/ssh/revoked_keys
TrustedUserCAKeys /etc/ssh/ssh_cert/ca_key.pub
```
2. Certificate Expiration Control
When generating certificates, always set expiration dates for better control:
```sh
# User certificate with 1-day validity
ssh-keygen -s ca_key -I "user_cert" -V +1d -n user1 user_key.pub
# Host certificate with weekly rotation
ssh-keygen -s ca_key -I "host_cert" -h -V +7d host_key.pub
```
3. Principal-Based Revocation
For fine-grained control, revoke access by specific principals associated with certificates:
```sh
# Generate certificate with specific principals
ssh-keygen -s ca_key -I "ops_team" -n "admin,deploy" ops_key.pub
```
```
# Revoke by editing the list of principals sshd accepts. sshd only consults this
# file if sshd_config names it:
#   AuthorizedPrincipalsFile /etc/ssh/ca_allowed_users
# A fixed path applies the same list to every account; use the %u or %h tokens
# in the path for per-user lists.
# /etc/ssh/ca_allowed_users:
admin
deploy
# Remove compromised principal names
```
For environments requiring real-time revocation, implement a script-based solution:
```bash
#!/bin/bash
# revoke_cert.sh: revoke a certificate by serial number
set -eu
SERIAL=$1
SPEC=$(mktemp)
# "serial:" is KRL spec syntax: compile it into the existing KRL (-u) with the
# issuing CA's public key; appending the text to the file revokes nothing
echo "serial: $SERIAL" > "$SPEC"
ssh-keygen -k -u -f /etc/ssh/revoked_keys -s /etc/ssh/ssh_cert/ca_key.pub "$SPEC"
systemctl reload sshd
```
Usage example for revoking a certificate with serial 5678:
```sh
./revoke_cert.sh 5678
```
- Always generate certificates with serial numbers for tracking
- Implement short-lived certificates in production
- Maintain a centralized logging system for certificate usage
- Consider using HashiCorp Vault for advanced SSH certificate management
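The revocation steps from both answers assembled into one runnable round trip, as an added example that is not code from either answer: issue certificates with serial numbers, compile a KRL from a spec file scoped to the issuing CA, update it, and check the verdict with ssh-keygen -Q. The scratch directory and file names (ca_key, alice_key, bob_key, krl.spec, revoked.krl) are assumptions; in production sshd would read the same KRL through RevokedKeys.

```shell
#!/bin/sh
# Added example (not from the answers above). Assumed names: WORK scratch dir,
# ca_key, <name>_key, krl.spec, revoked.krl. Needs ssh-keygen on PATH.
set -eu

WORK=$(mktemp -d)

# Create the CA key pair used to sign certificates and to scope the KRL.
setup_ca() {
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/ca_key"
}

# issue_cert NAME KEY_ID SERIAL PRINCIPAL -> $WORK/NAME-cert.pub, valid one day.
# -z embeds the serial that revoke_serial later refers to.
issue_cert() {
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/$1"
  ssh-keygen -q -s "$WORK/ca_key" -I "$2" -z "$3" -n "$4" -V +1d "$WORK/$1.pub"
}

# revoke_serial SERIAL: a "serial:" line only has meaning relative to the CA
# that issued the certificate, so the spec is compiled with -s CA_PUBKEY.
# -u appends to an existing KRL; the first call creates the KRL instead.
revoke_serial() {
  printf 'serial: %s\n' "$1" > "$WORK/krl.spec"
  if [ -f "$WORK/revoked.krl" ]; then upd=-u; else upd=; fi
  ssh-keygen -q -k $upd -f "$WORK/revoked.krl" -s "$WORK/ca_key.pub" "$WORK/krl.spec"
}

# is_revoked NAME: true if the certificate is listed in the KRL. ssh-keygen -Q
# exits non-zero when any listed key is revoked, the same decision sshd makes.
is_revoked() {
  [ -f "$WORK/revoked.krl" ] || return 1   # no KRL yet: nothing is revoked
  ! ssh-keygen -Q -f "$WORK/revoked.krl" "$WORK/$1-cert.pub" >/dev/null
}

# Run the round trip and print each verdict (constructed sample identities).
demo() {
  setup_ca
  issue_cert alice_key alice@ops 1001 alice
  issue_cert bob_key bob@ops 1002 bob
  revoke_serial 1001
  for n in alice_key bob_key; do
    if is_revoked "$n"; then echo "$n: REVOKED"; else echo "$n: ok"; fi
  done
  rm -rf "$WORK"
}
```

Running `demo` reports alice_key as REVOKED and bob_key as ok, since only serial 1001 was compiled into the KRL.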