A trusted certificate is one that is purchased from a trusted certificate authority (CA), such as www.verisign.com. Internet-facing production applications should use a certificate from a trusted CA. For non-production applications, a self-signed certificate can be used. Applications such as PuTTY will complain when a self-signed certificate is used.
The ssh-keygen command is used to create a public certificate and private key pair. Two files will be created:

|Type of file|File name|
|---|---|
|Private Key|id_rsa or id_dsa|
|Public Certificate|id_rsa.pub or id_dsa.pub|
The -t (type) option specifies the key type, such as -t rsa or -t dsa. When prompted where to save the file, press Enter to use the default file name and directory, or type your preferred directory and file name.
[root@server1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jeremy.canfield/.ssh/id_rsa):
It is always recommended to secure the keypair with a strong, unique passphrase.
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
The public certificate and private key are created.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a6:4e:fd:17:67:69:19:b5:22:0a:16:53:cf:47:b3:b3 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
| .. o |
| o o . o .|
| o o + ..|
| o ...+. |
| . S . .E.+ |
| + . . * |
| o . = |
| o . . |
| . .. |
+-----------------+
If your SSH server is OpenSSH, you can add the public certificate to the authorized_keys file on the OpenSSH server. If the OpenSSH server is configured to accept connections using a public / private key pair, you should be able to connect to the OpenSSH server with the public / private key pair you just created.
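The same workflow carried out non-interactively, as an added example that is not part of the original page: the key pair is generated with a passphrase supplied on the command line (-N) instead of at a prompt, the fingerprint is printed with ssh-keygen -lf, and the public key is appended to authorized_keys with the directory and file permissions sshd's StrictModes setting expects. The function names, the temporary paths and the sample public-key line (whose base64 blob is not a real key) are constructed for this example; the ssh-keygen options used (-t, -b, -N, -f, -q, -C, -lf) are standard OpenSSH options.

```shell
#!/bin/sh
# Added example, not from the original page. Non-interactive ssh-keygen use
# plus a safe, repeatable way to install a public key into authorized_keys.

# Generate a key pair without prompts and print its fingerprint.
# -N sets the passphrase: use a strong, unique one; an empty string would
# leave the private key unprotected on disk.
generate_keypair() {
    keyfile="$1"; passphrase="$2"
    ssh-keygen -t rsa -b 4096 -N "$passphrase" -f "$keyfile" -q -C "demo@example" \
        </dev/null || return 1
    ssh-keygen -lf "$keyfile.pub"
}

# Check that a line has the OpenSSH public-key shape "<type> <base64> [comment]".
# Only key types a current sshd accepts are allowed (ssh-dss is omitted because
# OpenSSH disables it by default).
is_valid_pubkey_line() {
    line="$1"
    type=$(printf '%s\n' "$line" | awk '{print $1}')
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    case "$type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$blob" ] || return 1
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Append a public key to authorized_keys. sshd (StrictModes yes, the default)
# ignores keys whose ~/.ssh or authorized_keys is group/world writable, so the
# permissions are set explicitly. The exact line is skipped if already present,
# which makes re-running the function harmless.
install_pubkey() {
    pubkey_file="$1"; auth_keys="$2"
    line=$(head -n 1 "$pubkey_file")
    is_valid_pubkey_line "$line" || { echo "refusing to install: not a public key line" >&2; return 1; }
    ssh_dir=$(dirname "$auth_keys")
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    if grep -qxF "$line" "$auth_keys"; then
        echo "key already present"
    else
        printf '%s\n' "$line" >> "$auth_keys"
        echo "key installed"
    fi
}

# Number of keys in an authorized_keys file, ignoring blank and comment lines.
count_authorized_keys() {
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}

# --- demo on constructed data; runs offline ---
tmp=$(mktemp -d)
if command -v ssh-keygen >/dev/null 2>&1; then
    # Real key pair in a throwaway directory; passphrase is a placeholder.
    generate_keypair "$tmp/id_rsa" "change-me-demo-passphrase"
fi
# Constructed sample public-key line: the blob is not real key material.
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyBytesForDemoOnly0000000000000 demo@example\n' \
    > "$tmp/demo.pub"
install_pubkey "$tmp/demo.pub" "$tmp/.ssh/authorized_keys"   # key installed
install_pubkey "$tmp/demo.pub" "$tmp/.ssh/authorized_keys"   # key already present
ls -ld "$tmp/.ssh" "$tmp/.ssh/authorized_keys"
rm -rf "$tmp"
```

Run it as `sh install_key.sh` (constructed file name). On the real server, point install_pubkey at ~/.ssh/authorized_keys of the account that should accept the key, and keep the passphrase out of shell history by reading it into a variable rather than typing it on the command line.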