SecureBlackbox 16: X.509 Certificates and SSH


As described in SSH Authentication Methods, the SSH protocol does not define a standard for storing SSH keys (such as X.509, used in SSL). However, like X.509 certificates, SSH key pairs also have public and private parts and use RSA or DSA algorithms. This made it possible for some SSH software vendors to add X.509 support to recent versions of their SSH products.

How is X.509 used in SSH? X.509 certificates are used as key storage: instead of keeping SSH keys in a proprietary format, the software keeps the keys in X.509 certificates. When the SSH key exchange is done, the keys are taken from the certificates.

Benefits of Using X.509 Certificates

  • Standard data format
  • Easier management of the keys due to the presence of extra information contained in the certificates (subject name, custom extensions, etc.)
  • Possibility to restrict key validity time by using the Valid From and Valid To fields of the certificate
  • Possibility to revoke the certificate (claim it as no longer valid) and so block access

Using Certificates for SSH Authentication

The following sections detail the two ways to use X.509 certificates for SSH authentication.

  1. Full mode: In this mode the certificate is sent to the other side and is available to the other side for validation. Note that certificate chains are not supported.
  2. Key-only mode: In this mode the key pair is extracted from the certificate and used for SSH authentication.

Full Mode

In full mode, client and server follow the process below:

Key-Only Mode

In key-only mode the key pair is extracted from the certificate and used as an SSH key. The client-to-server process is below, and server-to-client authentication is done in the same way.

  1. The client takes the key pair from its certificate and private key.
  2. The client sends the public key to the server.
  3. The server validates the key by searching for the corresponding certificate and validating the certificate.

As you can see, key-only mode is more complicated. However, it makes it possible to use the X.509 infrastructure with SSH software that does not support certificates.
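The key-only exchange described above, worked through as an added example (this is not SecureBlackbox code; it uses the Python cryptography package, and the user certificates, the server's certificate store and the revocation set are all constructed locally):

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def make_cert(cn, not_before, not_after):
    """Constructed self-signed RSA certificate standing in for one issued to an SSH user."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(key, hashes.SHA256()))
    return cert, key

def ssh_public_key(cert):
    """Steps 1-2: the public half of the pair taken from the certificate, as the client offers it."""
    return cert.public_key().public_bytes(
        serialization.Encoding.OpenSSH, serialization.PublicFormat.OpenSSH)

def authorize(offered_key, trusted_certs, revoked_serials, now):
    """Step 3: find the certificate whose key matches the offered key, then validate it.
    Returns (certificate or None, reason). Naive datetimes are treated as UTC."""
    for cert in trusted_certs:
        if ssh_public_key(cert) != offered_key:
            continue
        if not (cert.not_valid_before <= now <= cert.not_valid_after):  # Valid From / Valid To
            return None, "certificate outside validity period"
        if cert.serial_number in revoked_serials:  # revocation blocks access
            return None, "certificate revoked"
        return cert, "ok"
    return None, "no certificate matches offered key"

def demo():
    """Constructed scenario: a current user, an expired user, an unknown key and a revocation."""
    now, day = dt.datetime(2024, 1, 1), dt.timedelta(days=1)
    alice, _ = make_cert("alice", now - day, now + 365 * day)
    bob, _ = make_cert("bob", now - 400 * day, now - 30 * day)
    mallory, _ = make_cert("mallory", now - day, now + day)  # never enrolled on the server
    store = [alice, bob]
    return {
        "alice": authorize(ssh_public_key(alice), store, set(), now)[1],
        "bob": authorize(ssh_public_key(bob), store, set(), now)[1],
        "mallory": authorize(ssh_public_key(mallory), store, set(), now)[1],
        "alice_revoked": authorize(ssh_public_key(alice), store, {alice.serial_number}, now)[1],
    }

if __name__ == "__main__":
    for user, outcome in demo().items():
        print(f"{user}: {outcome}")
```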

In SecureBlackbox X.509 certificates are represented by the TElX509Certificate class and SSH keys are represented by the TElSSHKey class:

  • To create an X.509 certificate for use with the SSH components, use the TElX509Certificate.Generate method.
  • To take the key pair from TElX509Certificate for use with SSH, use the TElSSHKey.Import method.
  • To access the certificate from which the key was created, use the TElSSHKey.Certificate property.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.