Introducing the 2024 PKI & Digital Trust Report     | Download the Report

Switch from Static Keys to Dynamic SSH Certificates with EJBCA 8.0

Tech Updates

Keyfactor is pleased to share the general availability of EJBCA 8.0. EJBCA is a flexible and scalable PKI platform that deploys anywhere, scales on demand, and secures even the most complex IT environments with identity for every workload, device, and human.

With EJBCA 8.0, organizations can now create a new CA type to issue SSH certificates. In this blog post, we’ll explore the benefits of using SSH certificates vs keys, and how to enable seamless, session-based SSH access with EJBCA. You can also check out the demo video below to see it in action!

Why Choose SSH Certificates vs Keys

Secure Socket Shell (SSH) has emerged as a trusted authentication and encryption method, where remote access to systems and secure data transmission is crucial. For decades, SSH Keys have been the go-to solution for decades, offering a robust approach to accessing and managing remote systems. However, despite their benefits, SSH Keys come with their fair share of challenges. 

We will dive into the limitations of SSH Keys and explore a superior alternative – SSH Certificates. By adopting SSH Certificates, organizations can enhance security, simplify key management, and mitigate potential risks. 

Challenges with SSH keys

While SSH Keys have been widely used, they present a set of obstacles that can hinder efficient operations and compromise security. Let’s take a closer look at some of the key challenges associated with SSH Keys: 

  1. Cumbersome Key Management: Maintaining SSH Keys within an organization can be daunting. Provisioning keys for new employees and de-provisioning them when someone leaves requires manual intervention, creating a time-consuming process for system administrators. Additionally, auditing the system for shared team SSH Keys and identifying their owners becomes increasingly complex as the number of keys grows. 
  2. Risk of Key Loss and Theft: SSH Keys, if not properly safeguarded, are susceptible to loss or theft. If a key is misplaced or stolen, it can grant unauthorized access to sensitive systems and expose the organization to security breaches. Recovering from such incidents involves thorough audits, re-pairing of public and private keys, and re-establishing secure access, which can significantly impact productivity. 
  3. Regulatory Compliance Challenges: Compliance with regulatory standards is critical for many organizations. Ensuring proper permissions, access controls, and audit trails for SSH Keys is imperative when regulatory issues arise. However, managing these requirements in a scalable and efficient manner poses a considerable challenge. 
  4. Limited Scalability: As organizations grow and the number of SSH Keys proliferates, key sprawl becomes a real problem. Cleaning up scattered and discarded keys can consume substantial time and effort for SSH operators. The lack of scalability in managing SSH Keys hampers operational efficiency and increases the risk of misconfigurations and security vulnerabilities. 

Fortunately, a solution exists to address these challenges and elevate the security and management of SSH authentication: Enter SSH Certificates. 

The Benefits of SSH Certificates

Now, let’s explore the benefits of using SSH certificates over SSH keys and the key features and advantages that Keyfactor EJBCA empowers. When comparing SSH certificates to SSH keys, the advantages are clear. SSH certificates provide a more comprehensive and secure approach to access control with EJBCA’s dedicated CA for SSH certificates.  

Dedicated CA for SSH Credentials

EJBCA provides a dedicated Certificate Authority (CA) specifically designed to issue SSH certificates for hosts and users. EJBCA recognizes the importance of managing SSH credentials separately, ensuring efficient distribution to any person or system utilizing SSH. With EJBCA, the need for manual trust establishment by users when accessing servers is eliminated, simplifying the authentication process and enhancing user experience. 

Simplified Trust Management

Efficiency and security go hand in hand when managing trust within a CA. EJBCA excels in this area by offering robust features that streamline trust management across the entire PKI ecosystem. This includes seamless integration with identity access managers or other systems through a REST API, allowing organizations to achieve a smooth and secure workflow for privileged access management. With EJBCA, trust becomes a manageable and efficient aspect of your security infrastructure. 

Session-Based Access & SSH Certificate Issuance

EJBCA supports session-based SSH certificate issuance, a revolutionary approach to access control. When an individual requires access to a server, EJBCA can rapidly issue a short-lived SSH certificate, typically valid for a predefined period, such as 30 minutes. These certificates automatically expire after the specified time, ensuring access remains valid only for the necessary duration. This feature enhances security by minimizing the risk of unauthorized access beyond the session’s scope. Easily integrate your privilege accessed management system with the EJBCA REST API. 

Planning for the Future: Migrating to ED25519 Keys

Planning for the future and staying ahead of evolving threats is crucial to managing certificates effectively. EJBCA enables organizations to migrate from traditional RSA keys to the more secure ED25519 Keys. These keys are post-quantum cryptography-compatible, offering enhanced security and preparing your systems for future cryptographic challenges. With EJBCA, you can ensure your security infrastructure is resilient and future-proof. 

Mitigating Expired Certificate Risks

Expired certificates pose a significant security risk, particularly when privileged access keys are left unattended after an employee’s departure. However, EJBCA addresses this concern through session-based authentication with expiring keys. By automatically invalidating credentials after a specified timeframe, EJBCA mitigates the risk of unauthorized access and potential exploitation by malicious actors.  

Let's Wrap It Up

SSH Certificates offer an effective, secure, and efficient solution to the challenges posed by SSH Keys. By utilizing SSH Certificates, organizations can simplify key management, enhance security, and mitigate potential risks. With dedicated SSH Certificate Authorities in EJBCA, organizations can enjoy the benefits of simplified trust management, session-based certificate issuance, and the ability to migrate to more secure keys. The automated expiration of credentials reduces the risk of unauthorized access, ensuring a resilient and future-proof security infrastructure. 

By embracing SSH Certificates, organizations can elevate their SSH authentication and encryption practices, bolstering their overall security posture in the ever-evolving digital landscape. 

Ready to level up your SSH game?

To try EJBCA today, start a free trial on AWS or Azure.  

Learn more about the features in EJBCA 8.0 release notes.