Thus said Ken Hornstein on Sat, 24 Sep 2016 11:49:08 -0400:
> Well, technically, ssh does not deal in certificates - they deal with
> keys. They do not have an expiration date. If you need to rekey an ssh
> server, the world falls apart.
Technically, OpenSSH does have support for certificate authorities, so
one need not have the world fall apart, but I don't know how common is
it in use:
CERTIFICATES
ssh-keygen supports signing of keys to produce certificates that may be
used for user or host authentication. Certificates consist of a public
key, some identity information, zero or more principal (user or host)
names and a set of options that are signed by a Certification Authority
(CA) key. Clients or servers may then trust only the CA key and verify
its signature on a certificate rather than trusting many user/host keys.
Note that OpenSSH certificates are a different, and much simpler, format
to the X.509 certificates used in ssl(8).
Andy
--
TAI64 timestamp: 4000000057e6b8fe
_______________________________________________
Nmh-workers mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/nmh-workers
