Generate SSH Host Key Certificate on Ubuntu Linux

Securing SSH connections with host key certificates eliminates “unknown host” warnings and protects users from man-in-the-middle attacks. This guide provides a straightforward, step-by-step walkthrough on how to set up an SSH Certificate Authority (CA), sign an Ubuntu Linux server’s host key, and configure the SSH daemon to present the resulting host key certificate to connecting clients.

Step 1: Create the SSH Certificate Authority (CA) Key Pair

The SSH CA should be created and stored on a highly secure, isolated administrator machine, not on the public Ubuntu SSH server itself.

Run the following command on your secure machine to generate the CA key pair:

ssh-keygen -t ed25519 -f ssh_ca_key -C "My Company SSH CA"

This generates two files:

* ssh_ca_key (the private key, which must be kept secret)
* ssh_ca_key.pub (the public key, which will be distributed to clients)

Step 2: Retrieve the Server’s Public Host Key

You need to sign the Ubuntu server's default host key. By default, the server's host key pairs are stored in /etc/ssh/ (for example ssh_host_ed25519_key and its public half ssh_host_ed25519_key.pub); only the public half leaves the server.

Copy the server’s public ED25519 host key to your local CA machine:

scp user@your-ubuntu-server:/etc/ssh/ssh_host_ed25519_key.pub ./ssh_host_ed25519_key.pub

Step 3: Sign the Host Key with the CA

On your CA machine, sign the server’s public host key using your CA private key. Customize the domains and IP addresses in the principals list (-n) to match your server:

ssh-keygen -s ssh_ca_key -I "ubuntu-server-01" -h -n "example.com,192.168.1.50" -V +52w ssh_host_ed25519_key.pub

Understanding the flags:

* -s ssh_ca_key: Specifies the CA private key to sign with.
* -I "ubuntu-server-01": A key identifier for logging purposes.
* -h: Specifies that this is a host certificate, not a user certificate.
* -n "example.com,192.168.1.50": A comma-separated list of valid hostnames or IP addresses for the server.
* -V +52w: Sets the certificate validity period (e.g., 52 weeks).

This command generates a signed certificate file named ssh_host_ed25519_key-cert.pub.

Step 4: Copy the Certificate to the Ubuntu Server

Upload the generated certificate file back to your Ubuntu server (staging it in /tmp/ first, since scp normally cannot write to /etc/ssh/ directly):

scp ssh_host_ed25519_key-cert.pub user@your-ubuntu-server:/tmp/

On the Ubuntu server, move the certificate to the correct directory and set the appropriate file permissions:

sudo mv /tmp/ssh_host_ed25519_key-cert.pub /etc/ssh/
sudo chmod 644 /etc/ssh/ssh_host_ed25519_key-cert.pub
sudo chown root:root /etc/ssh/ssh_host_ed25519_key-cert.pub

Step 5: Configure the Ubuntu SSH Daemon

To force the SSH server to present the certificate to connecting clients, you must update the SSH configuration file.

Open /etc/ssh/sshd_config in a text editor:

sudo nano /etc/ssh/sshd_config

Add the following line to the file. The certificate must belong to a host key that sshd actually loads; Ubuntu's default HostKey set already includes /etc/ssh/ssh_host_ed25519_key, so no extra HostKey line is needed unless you have overridden that default:

HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

Save and close the file, then test the configuration for errors:

sudo sshd -t

If no errors are returned, restart the SSH service to apply the changes:

sudo systemctl restart ssh

Step 6: Configure SSH Clients to Trust the CA

For clients to connect without receiving host key warnings, they must trust your SSH CA.

Add the CA public key to the client’s ~/.ssh/known_hosts file. Open the file and append a line in the following format (replace the content with your actual ssh_ca_key.pub string):

@cert-authority *.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... My Company SSH CA

Replace *.example.com with the host patterns matching your server infrastructure: a comma-separated list of domain wildcards and/or specific IP addresses, for example *.example.com,192.168.1.50. The name or address the client actually connects to must match both this pattern and one of the principals (-n) in the certificate; otherwise the client falls back to the usual host key prompt. The client will now automatically trust any server presenting a valid host certificate signed by your CA.
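The whole flow (Step 1, Step 3 and Step 6) as an added, self-contained dry run in a scratch directory; this is example code written for this page, not part of the original guide. It assumes ssh-keygen is installed and uses a throwaway host key in place of /etc/ssh/ssh_host_ed25519_key, so nothing here touches a real server. The key ID, principals and host pattern are the guide's own values; the scratch directory, the check_host_cert helper and its grep-based parsing of ssh-keygen -L output are assumptions made for the example.

```shell
#!/bin/sh
# Added example: CA key -> signed host certificate -> known_hosts trust line,
# run entirely in a scratch directory (assumption: mktemp and ssh-keygen exist).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 stand-in: generate the CA key pair, plus a throwaway host key that
# plays the role of the server's /etc/ssh/ssh_host_ed25519_key.
# Existing files are removed first so the function can be re-run without
# ssh-keygen prompting "Overwrite (y/n)?".
setup_keys() {
    rm -f "$WORK"/ssh_ca_key "$WORK"/ssh_ca_key.pub \
          "$WORK"/ssh_host_ed25519_key "$WORK"/ssh_host_ed25519_key.pub
    ssh-keygen -q -t ed25519 -N "" -f "$WORK/ssh_ca_key" -C "My Company SSH CA"
    ssh-keygen -q -t ed25519 -N "" -f "$WORK/ssh_host_ed25519_key" -C "stand-in host key"
}

# Step 3: sign the host *public* key as a host certificate (-h).
# ssh-keygen writes the result beside the input as ssh_host_ed25519_key-cert.pub.
sign_host_key() {
    rm -f "$WORK/ssh_host_ed25519_key-cert.pub"
    ssh-keygen -q -s "$WORK/ssh_ca_key" -I "ubuntu-server-01" -h \
        -n "example.com,192.168.1.50" -V +52w "$WORK/ssh_host_ed25519_key.pub"
}

# Common mistake, kept here so the check below can be seen rejecting it:
# signing without -h yields a *user* certificate, which sshd will not present.
sign_without_h_flag() {
    rm -f "$WORK/ssh_host_ed25519_key-cert.pub"
    ssh-keygen -q -s "$WORK/ssh_ca_key" -I "ubuntu-server-01" \
        -n "example.com,192.168.1.50" -V +52w "$WORK/ssh_host_ed25519_key.pub"
}

# Pre-deployment check: decode the certificate with `ssh-keygen -L` and
# require (a) it is a host certificate and (b) the given principal is listed.
# Returns 0 when both hold, 1 otherwise.
check_host_cert() {
    cert="$1"; principal="$2"
    info="$(ssh-keygen -L -f "$cert")" || return 1
    printf '%s\n' "$info" | grep -q 'host certificate' || return 1
    # principals are printed one per indented line under "Principals:"
    printf '%s\n' "$info" | grep -qx "[[:space:]]*$principal" || return 1
    return 0
}

# Step 6: build the client-side trust line from the CA *public* key only
# (key type and base64 blob; the comment is dropped), prefixed with
# @cert-authority and the host pattern the CA may vouch for.
known_hosts_line() {
    pattern="$1"
    printf '@cert-authority %s %s\n' "$pattern" \
        "$(cut -d' ' -f1,2 "$WORK/ssh_ca_key.pub")"
}

# Stand-alone demo; skipped silently where ssh-keygen is unavailable.
if command -v ssh-keygen >/dev/null 2>&1; then
    setup_keys
    sign_host_key
    ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub"
    check_host_cert "$WORK/ssh_host_ed25519_key-cert.pub" example.com \
        && echo "OK: host certificate lists principal example.com"
    known_hosts_line '*.example.com,192.168.1.50'
fi
```

After deploying the real certificate (Steps 4 and 5), the same decode command, ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub, is the quickest way to confirm on the server that the file is a host certificate with the right principals and validity window before clients are pointed at it.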