1

Before I proceed to testing this myself I wanted some clarity. I have a basic understanding of SSH and Cryptography but not completely sure about this plan. I want to implement a key rotation policy by enforcing that end user keys are only valid for 90 days, but I don't want to rotate my CA. Let's see this scenario (apologies if naive):

  1. I have a CA for my startup
  2. I sign keys for my end users (let's assume they generate the CSR)
  3. I provide them a valid SSH Key
  4. My CA Cert expires on 01/01/2030

From what I understand the expiration policy of the end user key is part of the CSR, so I can only reject the CSR but not change the key parameters like expiry. Is this assumption correct?

So I would have to instruct users to generate CSR with a limit following the rules, so then I could sign the request. But I can either sign or reject the request, but not provide the key with the expiration that I want to impose correct?

Thank you in advance.

bitoiu
  • 111
  • 2
  • I have some vocabulary questions. As you are speaking of CA and CSR, I would assume that you manage X509 certificates, where the key pairs are generated by the users, but you later say *I provide them a valid SSH Key*. Is is really a SSH Key or a X509 certificate? – Serge Ballesta Feb 11 '21 at 13:29
  • That's my bad. I'm thinking of SSH only here. These keys would be to access systems over SSH (22). – bitoiu Feb 11 '21 at 14:30
  • Neat. I didn't even know that ssh _could_ use X.509 certificates. – Mike Ounsworth Feb 11 '21 at 14:33
  • I apologise If I'm asking an impossible question to start with. Can I simply just provide the key pair to the user without then sending me a CSR? And in that case I bet I could define the expiry on the individuals keys as I see fit. – bitoiu Feb 11 '21 at 14:37
  • The more I read here, the less I understand. AFAIK, the validity period should not even be present in a CSR. And anyway, the CA can set it in an X509 certificate. Said differently, the expiration policy is not part of the CSR but is under the control of the CA. – Serge Ballesta Feb 11 '21 at 14:44
  • @MikeOunsworth: _OpenSSH_ (only) has its own nonstandard kind of certificates; see https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys and https://man.openbsd.org/ssh-keygen#CERTIFICATES . bitoiu: If you do mean OpenSSH, that doesn't use any CSR; just get the plain-unsigned .pub file and apply ssh-keygen to create -cert.pub. You don't need and shouldn't get someone else's privatekey. – dave_thompson_085 Feb 12 '21 at 06:22
  • Thank you Dave. I understand my question is not the best in this area, I'm outside my area of expertise, but thank you for the help. – bitoiu Feb 12 '21 at 07:50

0 Answers0