Article version: GitHub.com

About SSH certificate authorities

With an SSH certificate authority, your organization or enterprise account can provide SSH certificates that members can use to access your resources with Git.

Support for SSH certificate authorities is available with GitHub Enterprise Cloud and GitHub Enterprise Server 2.18+. For more information, see "GitHub's products."

An SSH certificate is a mechanism for one SSH key to sign another SSH key. If you use an SSH certificate authority (CA) to provide your organization members with signed SSH certificates, you can add the CA to your enterprise account or organization to allow organization members to use their certificates to access organization resources. For more information, see "Managing your organization's SSH certificate authorities."

After you add an SSH CA to your organization or enterprise account, you can use the CA to sign client SSH certificates for organization members. Organization members can use the signed certificates to access your organization's repositories (and only your organization's repositories) with Git. You can require that members use SSH certificates to access organization resources. For more information, see "Enforcing security settings in your enterprise account."

For example, you can build an internal system that issues a new certificate to your developers every morning. Each developer can use their daily certificate to work on your organization's repositories on GitHub. At the end of the day, the certificate can automatically expire, protecting your repositories if the certificate is later compromised.

When you issue each certificate, you must include an extension that specifies which GitHub user the certificate is for. For example, you can use OpenSSH's ssh-keygen command, replacing KEY-IDENTITY with your key identity and USERNAME with a GitHub username:

ssh-keygen -s ./ca-key -I KEY-IDENTITY -O extension:login@github.com=USERNAME ./user-key.pub

Organization members can use their signed certificates for authentication even if you've enforced SAML single sign-on. Unless you make SSH certificates a requirement, organization members can continue to use other means of authentication to access your organization's resources with Git, including their username and password, personal access tokens, and their own SSH keys.

Ask a human

Can't find what you're looking for?

Contact us