NetStacks

SSH Certificates

Use SSH certificates for zero-standing-privilege device access.

Overview

SSH certificates provide short-lived, scoped access to devices without distributing permanent keys or passwords.

Benefits

  • Certificates expire automatically (configurable TTL)
  • No need to manage authorized_keys on devices
  • Central revocation capability
  • Fine-grained access control
  • Complete audit trail

CA Setup

  1. Navigate to Credentials → SSH CA
  2. Click Generate CA
  3. Configure CA settings (key type, validity)
  4. Download CA public key

Note

The CA private key never leaves the Controller. Only the public key is distributed to devices.

Device Configuration

Configure devices to trust the NetStacks CA:

Linux/Unix Devices

  1. Copy CA public key to device
  2. Add to /etc/ssh/sshd_config: TrustedUserCAKeys /etc/ssh/netstacks-ca.pub
  3. Restart sshd
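
The three Linux/Unix steps above as a script, added here as an example (not NetStacks code): it refuses a file containing private key material, adds the directive once and ahead of any Match block, and checks the result with `sshd -t` before restarting. The function names and the `systemctl` unit name are assumptions; the paths are the ones on this page.

```shell
#!/bin/sh
# Added example: function names are hypothetical; paths are from this page.
CA_DEST=/etc/ssh/netstacks-ca.pub
SSHD_CONFIG=/etc/ssh/sshd_config

# Only the CA *public* key belongs on a device: reject empty files and
# anything carrying private key material.
is_public_key_only() {
    [ -s "$1" ] && ! grep -q 'PRIVATE KEY' "$1"
}

# Print the CA file(s) named by active, global TrustedUserCAKeys lines
# (commented lines and anything inside a Match block are ignored).
active_ca_paths() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "trustedusercakeys" { print $2 }' "$1"
}

# Add "TrustedUserCAKeys <ca>" to <config> once.
# Returns 0 if present or added, 2 if a different CA file is already set.
ensure_trusted_ca() {
    config=$1; ca=$2
    current=$(active_ca_paths "$config")
    [ "$current" = "$ca" ] && return 0
    [ -n "$current" ] && return 2   # sshd keeps the first value it reads
    tmp=$(mktemp) || return 1
    # Insert before the first Match block so the setting stays global.
    awk -v line="TrustedUserCAKeys $ca" '
        !done && tolower($1) == "match" { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$config" > "$tmp" &&
        cat "$tmp" > "$config"      # overwrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (as root on the device): sh trust-ca.sh /path/to/downloaded-ca.pub
if [ -n "${1:-}" ]; then
    is_public_key_only "$1" || { echo "refusing: not a public key" >&2; exit 1; }
    install -m 0644 "$1" "$CA_DEST"                              # step 1
    ensure_trusted_ca "$SSHD_CONFIG" "$CA_DEST" || exit 1        # step 2
    sshd -t || exit 1          # never restart on a config that fails to parse
    systemctl restart sshd     # step 3; assumed unit name ("ssh" on Debian/Ubuntu)
fi
```

Keep an existing session open while restarting so a failed login can still be corrected from the device.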

Network Devices

Certificate support varies by platform. Check vendor documentation for SSH CA configuration.