X.509 certificates and SSH

As described in SSH Authentication Methods article, SSH protocol doesn’t define a standard for storing SSH keys (such as X.509, used in SSL). However, like X.509 certificates, SSH key pairs also have public and private parts and use RSA or DSA algorithms. This made it possible for some SSH software vendors to add X.509 support to recent versions of their SSH products.

How is X.509 used in SSH? X.509 certificates are used as a key storage, i.e. instead of keeping SSH keys in proprietary format, the software keeps X.509 certificates. When SSH key exchange is done, the keys are taken from certificates.

The benefits of use X.509 certificates are:

  • Standard data format;
  • Easier management of the keys due to presence of extra information, contained in certificates (subject name, custom extensions);
  • Possibility to restrict key validity time by using Valid From and Valid To fields of the certificate;
  • Possibility to revoke the certificate (i.e. claim it as no longer valid) and so to block access

There are two ways to use certificates for SSH authentication:

  1. Full mode. In this mode the certificate is sent to the other side and is available for the other side for validation. Note, that certificate chains are not supported.
  2. Key-only mode. In this mode the key pair is extracted from the certificate and used for SSH authentication.

Use of certificate in “full” mode is done as follows:

  • The client sends the certificate to the server.
  • The server validates the certificate following the procedure, defined for X.509 certificate validation (read "Validation of X.509 certificates" article for details).

In “key-only” mode the key pair is extracted from the certificate and used as an SSH key.

So use of certificate in key-only mode is done in the following manner:

  1. The client takes the key pair from its certificate and private key
  2. The client sends public key to the server
  3. The server validates the key by searching for corresponding certificate and validating the certificate (read "Validation of X.509 certificates" article for details).

Server-to-client authentication is done in the same way.

As you can see, key-only mode is more complicated. However, it makes use of X.509 infrastructure possible with SSH software, which doesn’t work with certificates.

In SecureBlackbox X.509 certificates are represented by TElX509Certificate class and SSH Keys are represented by TElSSHKey class. To create X.509 certificate for use with SSH components you should use TElX509Certificate.Generate method. To take the keypair from TElX509Certificate for use with SSH, use TElSSHKey.Import method. To access the certificate, from which the key was created, use TElSSHKey.Certificate property.

Ready to get started?

Learn more about SecureBlackbox or download a free trial.

Download Now