I manage a SSH server and I want to validate it when clients tries to authenticate. I've read a couple of tutorial (How To Create an SSH CA to Validate Hosts and Clients with Ubuntu and USING OPENSSH CERTIFICATE AUTHENTICATION). Both describe how I can use a self signed CA to sign my SSH server pub key. But in this case I already have a CA certificate from GeoTrust, and I'd like to use it.

Is it correct to follow the usual procedure in order to sign the ssh_host_rsa_key.pub file?

Thanks in advance.

Daniele

3 Answers

The guides you are referring to talk about OpenSSH certificates and NOT X.509 certificates like the ones you can get from GeoTrust. These are very different things.

If you want to use the OpenSSH method (which I really like and use myself both at work and privately; even Facebook uses it: https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/), you will use a regular private ssh key to sign your server keys. There is no CA certificate in play using this method, only a private key.

Just create a new keypair using ssh-keygen and be sure to keep the private key secret. Then you can follow the guides you are referring to, to sign your hostkeys. I have also written a guide myself that you can find here: https://framkant.org/2016/10/setting-up-a-ssh-certificate-authority-ca/

When the hostkeys are signed you can just tell your clients to trust the public part of your "signing key" by putting something like this in the known_hosts file:

@cert-authority * ssh-rsa <public key of your signing key>
Peter
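The OpenSSH CA flow from this answer, as an added shell example that is not part of the original post: it creates a plain signing keypair, signs a host key, builds the @cert-authority line, and verifies the certificate against the signing key. The hostname ssh.example.test and all file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above): an OpenSSH host-key CA with plain ssh keys,
# no X.509 involved. The hostname ssh.example.test and all paths are constructed.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo 'needs ssh-keygen' >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/host_ca"                  # the "signing key": keep host_ca private, publish host_ca.pub
HOST_KEY="$WORK/ssh_host_ed25519_key"   # what sshd would have under /etc/ssh
PRINCIPAL="ssh.example.test"            # hostname clients will connect to

# 1. CA keypair and a host keypair (the host key is normally generated by sshd already).
ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$CA_KEY"
ssh-keygen -q -t ed25519 -N '' -C "$PRINCIPAL" -f "$HOST_KEY"

# 2. Sign the host public key: -h host certificate, -n principals (valid hostnames),
#    -I identity shown in client logs, -V validity window. Output: ${HOST_KEY}-cert.pub,
#    which sshd loads via "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub".
ssh-keygen -q -s "$CA_KEY" -I "host-$PRINCIPAL" -h -n "$PRINCIPAL" -V +52w "$HOST_KEY.pub"

# 3. Client-side trust anchor. Scoping to *.example.test instead of "*" means the CA
#    is only trusted to vouch for hosts in that domain.
known_hosts_line() {
    printf '@cert-authority *.example.test %s\n' "$(cut -d' ' -f1,2 "$CA_KEY.pub")"
}

# 4. Verify the certificate: the "Signing CA" fingerprint must equal the CA public key's.
cert_signed_by_ca() {
    ca_fp=$(ssh-keygen -l -f "$CA_KEY.pub" | awk '{print $2}')
    ssh-keygen -L -f "$HOST_KEY-cert.pub" | grep 'Signing CA:' | grep -qF "$ca_fp"
}

# Principals embedded in the certificate, one per line.
cert_principals() {
    ssh-keygen -L -f "$HOST_KEY-cert.pub" |
        awk '/Principals:/{f=1;next} /Critical Options:/{f=0} f{gsub(/[ \t]/,""); print}'
}

known_hosts_line > "$WORK/known_hosts"
cat "$WORK/known_hosts"
cert_signed_by_ca && echo "certificate verified against $CA_KEY.pub"
```

Clients that carry the printed known_hosts line accept any host certificate the CA signs for a principal under example.test, and `ssh-keygen -L` is the quickest way to inspect what a certificate actually asserts.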

Answer

You state that you own a CA certificate. If that is correct, i.e. you own a 'Certificate Authority Certificate', a certificate enabled to sign other certificates, you can.

If you own a certificate issued by GeoTrust as a normal SSL certificate, you cannot use it to sign the SSH server certificate. Check your information from GeoTrust to find out what kind of cert you have.

If you have the second case, consider this and this solution to possibly convert the certificates.

Explanation

It is unlikely that you are in case 1. It would mean you own a trusted root or intermediate certificate trusted by your (public) clients (aka you could do the job of GeoTrust). This is only likely if you are in a closed environment (such as an internal office network) and you own the certificate authority. In your question you state that you got your cert from GeoTrust, so I assume you fit within the second case.
There you may have to convert the certificates for them to have the right format; follow the links to see if they solve your issue.

  • Please forgive me but I'm not sure I've understood your answer. Let's try another way, I have a valid certificate and a SSH server to authenticate against clients. Which way should I follow? I don't need a detailed procedure, just a starting point. – Daniele Jan 17 '18 at 16:36
  • I think I owe you a better reply: in fact I can avail of a PEM certificate, the intermediate and the private key files. – Daniele Jan 17 '18 at 16:57

This should be a comment, but it's too long.

From the way you present your question, you seem to be at the beginning of your journey using ssh and using certificates. Yes, it is possible to use x509 certificates with ssh, but this is a very esoteric configuration and you are way out of your depth here.

An x509 certificate is a signed public key along with prescribed meta-data presented in a prescribed format. You don't need to sign it.

Then there's the whole question of whether you use certificates from the client instead of key pairs.

But what is the point to all this? Do you have clients which validate against the meta-data in the certificate rather than the key itself? Care to share?

symcbean
  • Yes. Although I've already used pubkey authentication in the past, this is the very first time I had to authenticate a server against clients. Thus I may look a bit confused :-( – Daniele Jan 17 '18 at 16:27
  • I would strongly recommend that you stick with standard ssh keys. – symcbean Jan 17 '18 at 21:26
  • I would be delighted to accept your suggestion, but it's not my choice. – Daniele Jan 17 '18 at 21:55