SSH Certificate Authority

KeyGridSSH CA

Replace static SSH keys with short-lived certificates bound to corporate identity. HSM-backed signing. OIDC/SSO integration. Automatic revocation. One trust anchor per server instead of thousands of keys.

Part of the KeyGrid PKI Platform: integrated with the X.509 CA, HSM, multi-tenancy, and audit infrastructure

Static SSH Keys Are a Liability

The average enterprise has more SSH keys than employees, with no inventory, no expiration, and no way to revoke access quickly.

Metric              | Static Keys                         | SSH Certificates                    | Improvement
--------------------|-------------------------------------|-------------------------------------|-----------------------
Credential lifetime | Permanent                           | 8 hours (default)                   | Hours instead of years
Revocation speed    | Hours to days                       | Seconds                             | ~1000x faster
Server-side config  | Per-user authorized_keys            | One CA trust anchor                 | Constant complexity
Audit trail         | Key fingerprint in sshd logs, no identity | Key ID, principals, issuance record | Complete visibility
Offboarding effort  | Touch every server                  | Disable IdP account                 | Zero server changes

Capabilities

Everything You Need for SSH Certificate Management

HSM-Backed Signing

SSH CA signing keys are generated and stored in hardware security modules -- never extractable

  • Ed25519, ECDSA P-256/P-384, RSA-4096
  • AWS KMS, Azure Key Vault, PKCS#11
  • Key rotation with grace periods
  • FIPS 140-2 capable HSM support

Short-Lived Certificates

Default 8-hour validity for user certs replaces permanent SSH keys that never expire

  • Configurable from 30 minutes to 365 days
  • Automatic expiry eliminates key sprawl
  • Per-CA default and maximum validity
  • Clock skew tolerance built in

OIDC / SSO Integration

Developers authenticate via corporate SSO and receive an SSH certificate automatically

  • Any OIDC provider (Okta, Azure AD, Google)
  • Claims-to-principals mapping
  • Group-based principal assignment
  • Browser-based flow with MFA support

KRL Revocation

Certificate revocation via OpenSSH Key Revocation Lists. Revocation takes effect on a server as soon as it fetches the regenerated KRL, so the effective latency is the KRL refresh interval you configure.

  • Auto-regenerates on revocation
  • Binary OpenSSH KRL format
  • REST endpoint for server consumption
  • Short cert lifetimes minimize revocation need

Principal Policy Engine

Control which identities can request which SSH principals

  • OIDC claim mapping rules
  • LDAP group-based policies
  • Static principal assignments
  • Per-policy validity overrides
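The OIDC integration and the policy engine above describe one mapping: authenticated claims in, a bounded set of principals and a validity out. The following is an added example of that mapping, not KeyGrid's code. The rule shape, the claim names, the sample policies and the "most restrictive validity wins" choice are assumptions; the point it makes is that the requested principals are intersected with what the policies grant (never widened), that rendered principals are validated before they reach a certificate, and that a per-policy override can shorten but never exceed the CA maximum.

```python
"""Map OIDC claims to SSH principals under a CA policy.

Added illustration of the claims-to-principals mapping the page describes,
not KeyGrid's code. Rule shape, claim names, sample policies and the
"most restrictive validity wins" choice are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

HOUR = 3600


@dataclass(frozen=True)
class Policy:
    name: str
    claim: str                  # OIDC claim to inspect, e.g. "groups", "email", "sub"
    match: str                  # required value (or list member); "*" = claim merely present
    principals: tuple           # granted principals; "{claim}" placeholders filled from claims
    validity: Optional[int] = None   # per-policy override of the CA default, in seconds


@dataclass(frozen=True)
class CAConfig:
    default_validity: int = 8 * HOUR
    max_validity: int = 24 * HOUR   # hard ceiling; no policy can exceed it


_PLACEHOLDER = re.compile(r"\{(\w+)\}")
# Refuse anything that is not a plausible login name, so a claim value can
# never smuggle whitespace, path characters or an empty principal into a cert.
_PRINCIPAL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def _matches(claims, policy):
    value = claims.get(policy.claim)
    if value in (None, "", []):
        return False
    if policy.match == "*":
        return True
    if isinstance(value, (list, tuple)):
        return policy.match in value
    return value == policy.match


def _render(template, claims):
    def fill(m):
        v = claims.get(m.group(1))
        if not isinstance(v, str):
            raise ValueError(f"claim {m.group(1)!r} missing or not a string")
        return v
    principal = _PLACEHOLDER.sub(fill, template)
    if not _PRINCIPAL.match(principal):
        raise ValueError(f"rendered principal {principal!r} is not a valid login name")
    return principal


def evaluate(claims, requested, policies, ca=CAConfig()):
    """Return (principals, validity_seconds) for an authenticated identity.

    `requested` is what the client asked for ([] = everything granted). The
    result never exceeds what the matching policies grant, and the validity
    is the shortest override among the policies that actually contributed.
    """
    matched = [(p, {_render(t, claims) for t in p.principals})
               for p in policies if _matches(claims, p)]
    granted = set().union(*(ps for _, ps in matched))
    if not granted:
        raise PermissionError("no policy grants this identity any principal")
    wanted = set(requested) or granted
    denied = wanted - granted
    if denied:
        raise PermissionError(f"not permitted to request principals {sorted(denied)}")
    overrides = [p.validity for p, ps in matched if p.validity is not None and ps & wanted]
    validity = min(overrides) if overrides else ca.default_validity
    return sorted(wanted), min(validity, ca.max_validity)


# Constructed sample policies, mirroring the use cases later on this page.
SAMPLE_POLICIES = (
    Policy("self-login", "preferred_username", "*", ("{preferred_username}",)),
    Policy("sre-root", "groups", "sre", ("root",), validity=2 * HOUR),
    Policy("vendor-acme", "groups", "vendor-acme", ("acme-deploy",), validity=4 * HOUR),
    Policy("ci-deploy", "sub", "ci-runner", ("deploy",), validity=10 * 60),
)
```

With these sample policies an SRE who asks only for their own login keeps the 8-hour default, asking for `root` shortens the certificate to 2 hours, and a developer without the group is refused `root` outright rather than being issued a certificate with fewer principals than requested.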

User & Host Certificates

Issue certificates for both interactive users and server host identity

  • User certs for developer access
  • Host certs for server verification
  • Eliminates TOFU (trust on first use)
  • Separate CAs for user and host

CA Key Rotation

Rotate the SSH CA signing key without invalidating certificates already in the field. During the grace period servers trust both CA public keys (TrustedUserCAKeys accepts several keys, one per line), so certificates signed by the old key keep working until they expire.

  • New key generated in HSM
  • Old key retained for grace period
  • Existing certs valid until expiry
  • Servers trust old and new CA public keys until the old one is retired
  • Automatic old key cleanup

Full Audit Trail

Every certificate issuance and revocation logged with complete context

  • Who requested, which principals
  • Authentication method used
  • Validity window and extensions
  • Searchable audit log with export

Server Configuration: Two Lines

Configure once per server. Trust one CA. No per-user key management.

/etc/ssh/sshd_config
# Trust user certificates signed by KeyGrid
TrustedUserCAKeys /etc/ssh/keygrid-user-ca.pub

# Revocation list (optional but recommended)
# sshd fails closed: if this file is missing or unreadable, public-key
# authentication is refused for every user. Write the fetched KRL to a
# temporary file and rename it into place so a partial download is never read.
RevokedKeys /etc/ssh/keygrid-krl

Built for Real Infrastructure

Developer Production Access

Developers authenticate via SSO each morning and get an 8-hour certificate. When someone leaves, disable their IdP account.

  • OIDC/SSO authentication
  • Short-lived certificates
  • No server-side key management
  • Instant offboarding

CI/CD Pipeline SSH

Pipelines request scoped certificates valid for minutes with only the principals they need. No permanent deploy keys.

  • API-based cert issuance
  • 10-minute validity
  • Scoped to deploy principal
  • No long-lived secrets in CI config

Contractor & Vendor Access

Vendors authenticate via federated OIDC. 4-hour certificates with restricted principals. Remove IdP group to revoke.

  • Federated identity
  • Time-limited access
  • Principal restrictions
  • Zero server cleanup

Host Identity Verification

New servers get a host certificate at boot. Clients verify the host CA signature -- no more blindly accepting fingerprints.

  • cloud-init / Ansible integration
  • Eliminates TOFU risk
  • Automated provisioning
  • Host CA per environment
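The server and client sides of host verification are each one directive. The fragment below is an added example, not KeyGrid documentation; the file paths, the `*.prod.example.com` pattern and the truncated CA key are assumed placeholders. The host certificate's principals must include the name the client connects with, and the pattern on the client side limits which hostnames this CA is allowed to vouch for.

```text
# /etc/ssh/sshd_config on the server: the certificate must belong to
# a private key already listed with HostKey.
HostKey         /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

# /etc/ssh/ssh_known_hosts (or ~/.ssh/known_hosts) on every client: one
# @cert-authority line per host CA replaces one fingerprint line per server.
# Scope the pattern to the environment the CA is responsible for.
@cert-authority *.prod.example.com ssh-ed25519 AAAA...host-ca-public-key...
```

Once the line is in place, a host whose certificate was not signed by that CA, or whose certificate does not list the connected hostname as a principal, is rejected instead of prompting the user to accept a fingerprint.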

Deploy Your Way

Cloud-Hosted

No on-premises infrastructure. Servers trust KeyGrid CA and fetch KRLs from the API endpoint.

On-Premises

Full data residency. Uses your HSM infrastructure (PKCS#11, AWS CloudHSM, Azure Key Vault).

Hybrid

Production on-prem, dev/staging in the cloud. Multi-tenant isolation between environments.

SSH Was Designed in 1995.
Key Management Shouldn't Look Like 1995.

Short-lived certificates. Identity-driven access. Full audit trail. Deployed in minutes.