casmithva
2 years ago, New Contributor
Support for SSH Certificates (2024)
This question came up a couple of times in 2022, but it didn't look like anything was resolved. Since it's been two years...
For those unfamiliar with the concept, SSH certificates are host and user public keys, signed by your own internal SSH CA, that ease key approval and distribution, especially in large-scale environments. Once a user has created a public-private key pair, the public key is signed by an (internal) SSH CA. The user then uses ssh-add to add the public key and, if present, the certificate file to the user's ssh agent. See https://smallstep.com/blog/use-ssh-certificates/ for an explanation of how SSH certificates work.
Using stock ssh-add and ssh-agent on Mac OS 14, we can see the public key and certificate both being added to the agent:
```
$ /usr/bin/ssh-add .ssh/id_ed25519
Enter passphrase for .ssh/id_ed25519:
Identity added: .ssh/id_ed25519 (<REDACTED>)
Certificate added: .ssh/id_ed25519-cert.pub (chris)
```
A remote host, when properly configured, will verify that my user certificate has not expired (expiration and inception times) and was issued by a trusted CA, whose key would have already been added to the server. This eliminates the need for me to maintain an authorized_keys file on the remote end.
I was hoping to be able to store these keys in 1Password. That certainly works; however, 1Password does not support certificates in either the user interface or the ssh agent. 1Password derives public keys from private keys but does not provide a way for the user to upload the certificate file, above and beyond attaching an arbitrary file. The ssh agent behind the scenes presumably also does not support certificates. For the moment, I have configured my ssh client to use the stock ssh-agent for the host that uses certificates, while everything else can go through 1Password.
Are there any plans to add support to the 1Password user interface and to the underlying ssh agent for certificates? Thanks!
1Password Version: 8.10
Extension Version: Not Provided
OS Version: macOS 14.2.1
Browser: Not Provided
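The checks a remote host performs on a user certificate (signing CA, validity window, principal), as described above, can be seen by decoding the `*-cert.pub` file itself. This is an added example, not code from the post or from 1Password: it builds a constructed ed25519 certificate in OpenSSH wire format (with a placeholder signature, so the CA signature itself is not verified) and then parses and evaluates it the way sshd would; the CA fingerprint is computed the same way `ssh-keygen -l` does.

```python
import base64, hashlib, struct, time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):  # SSH wire "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def _read_s(buf, off):  # inverse of _s: returns (bytes, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_cert(user_pub, ca_pub, key_id, principals, valid_after, valid_before):
    """Constructed ed25519 user cert in OpenSSH wire format; the CA signature is a zero placeholder."""
    ca_blob = _s(b"ssh-ed25519") + _s(ca_pub)  # the blob ssh-keygen fingerprints
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(user_pub) + struct.pack(">QI", 1, 1)
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") + _s(b"") + _s(b"")
            + _s(ca_blob) + _s(_s(b"ssh-ed25519") + _s(b"\x00" * 64)))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " chris"

def parse_cert(line):
    """Decode the fields sshd looks at from one '*-cert.pub' line."""
    blob, off = base64.b64decode(line.split()[1]), 0
    ctype_name, off = _read_s(blob, off)
    _, off = _read_s(blob, off)  # nonce
    _, off = _read_s(blob, off)  # user public key
    serial, kind = struct.unpack_from(">QI", blob, off); off += 12  # kind: 1=user, 2=host
    key_id, off = _read_s(blob, off)
    raw_principals, off = _read_s(blob, off)
    principals, p = [], 0
    while p < len(raw_principals):
        name, p = _read_s(raw_principals, p); principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off); off += 16
    for _ in range(3):  # critical options, extensions, reserved
        _, off = _read_s(blob, off)
    ca_blob, off = _read_s(blob, off)  # signing CA public key blob
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(ca_blob).digest()).decode().rstrip("=")
    return {"type": ctype_name.decode(), "serial": serial, "is_user": kind == 1, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before,
            "ca_fingerprint": fp}

def check_cert(line, trusted_cas, login_user, now=None):
    """Return the reasons sshd would reject this cert (empty list = accepted), signature check aside."""
    c, now = parse_cert(line), int(time.time()) if now is None else now
    reasons = []
    if c["ca_fingerprint"] not in trusted_cas:
        reasons.append("CA not in TrustedUserCAKeys")
    if not c["is_user"]:
        reasons.append("not a user certificate")
    if not (c["valid_after"] <= now < c["valid_before"]):
        reasons.append("outside validity window")
    if login_user not in c["principals"]:
        reasons.append("principal mismatch")
    return reasons
```

Running `parse_cert` on a real `~/.ssh/id_ed25519-cert.pub` shows the same key id, principals and validity interval that `ssh-keygen -L -f` prints.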
11 Replies
- john-heaton (New Member)
I wanted to add to this a bit, first to share our use case in case it helps, secondly to share a partial workaround, and lastly to add my voice to the people wanting this feature.
We use SSH Certificate Authentication with Vault/OpenBao as the SSH CA. Our users will request certificates for the specific user they need to log in as. The request flow is to send their public key to a signer endpoint that validates they have the appropriate rights to get a signature, and if successful, the certificate is issued and saved onto the requesting user's system. The certificates are short lived, but easy to re-acquire if they are a valid user.
As noted in the original post, SSH CAs make it trivial to manage a large number of SSH users without maintaining `authorized_keys` files on all the servers we operate.
With regard to how we operate and use SSH CAs, we script a lot of this to make it easy, but the generalized flow is:
```
bao login ...
bao write -field=signed_key ssh/sign/docker public_key=@/Users/foo/.ssh/id_ed25519.pub > /Users/foo/.ssh/id_ed25519-cert.pub
```
Note, I could use `op run` to get the Public Key from 1Password, but did not want to complicate the example more.
I can use this flow with 1Password's `ssh-agent` if I do the following in my `~/.ssh/config`:
```
Host some-server
  Hostname ...
  User docker
  CertificateFile ~/.ssh/id_ed25519-cert.pub
  IdentitiesOnly yes
```
The `ssh` client will use the 1Password `ssh-agent` for the key, and read the certificate from the file. So I can log in using a certificate.
This breaks down on the remote host if I need to utilize something like `ssh-agent` Forwarding. Since the key was never available in the 1Password `ssh-agent`, it is not available in the forwarded set of credentials.
So, it partially works, but it is an imperfect solution.
Ideally, I would love to see one of the following as a solution to this:
- Some way to note in `~/.config/1Password/ssh/agent.toml` that local certificate files should be forwarded if they match a key already in the agent
- Some way to store the certificate in 1Password. If the "SSH Key" secret type could be extended to also allow attaching a certificate file or the contents, I could change the flow I demonstrated above to use `op` to update the key entry.
Lastly, I would love to push the 1Password-based `ssh-agent` out more broadly to my colleagues. It would be great to have another layer of MFA by virtue of using 1Password. But the lack of support for certificates in 1Password makes it impossible for us to use this outside testing.
- alsofelix (New Contributor)
Yeah, the ~/.ssh/config solution is what I'm currently using; however, as you mention, it'd be great to have 1Password handle it all.
- rakehandle (New Contributor)
I would absolutely love this as well!
Please do consider the feature request!
Thanks so much for such a great product. I love it.
- alsofelix (New Contributor)
This would be great and is the one thing missing in my opinion! +1
- Apreche (New Contributor)
I’m here in 2025 to say that this feature may not be in high demand, but without it I am still unable to use 1Password for SSH. That is very very frustrating.
- KrisDavie (New Contributor)
Adding support for SSH certificates would be amazing.
More and more companies are using them to secure SSH connections via MFA, and the lack of support is preventing me from fully moving to the 1Password SSH agent.
- Lordfirespeed (New Contributor)
Lack of support for this is stopping me from implementing certificate-based auth'n to my production environments - in almost all other respects, 1Password's SSH agent is too good to give up.
- MaxRaab (New Contributor)
+1 for this, since my request from mid 2022 got closed.
- lxdlam (New Contributor)
Vote for this!
Thanks to projects like step-ca and HashiCorp Vault, hosting a custom PKI is super easy nowadays, and more and more organizations are adopting SSH certificates as their main authentication solution.
It will be a killer feature among all other password managers, since no one seems to support SSH certificates by now.
- ahnberg (New Contributor)
We'd love this too. I believe you need to have the certificates added to the agent to be able to use agent forwarding with certificates, and this currently doesn't work with the 1Password setup (which we otherwise really enjoy and actively use)!