Introduction
In today’s blog post, we’ll cover how to create and use a self-made certificate to connect to SSH, primarily focusing on the process using Windows. We will also discuss where to store these certificates in an Ubuntu system, making sure your setup is secure and efficient.
Why Use Self-Made Certificates?
Using self-made certificates for SSH connections offers a higher level of security compared to traditional password authentication. Certificates ensure that only machines with the correct private key can connect, reducing the risk of unauthorized access.
Creating a Self-Made Certificate on Windows
Prerequisites
- OpenSSL installed on your Windows machine.
- Access to the terminal or command prompt.
- Administrative privileges.
Step-by-Step Guide
1. Install OpenSSL
Download and install OpenSSL from the official website. Follow the installation instructions provided on the site. You can also use WSL on Windows: wsl -d Ubuntu
2. Generate the RSA Key Pair
Open the command prompt and run the following commands to generate a private key and a public key:
openssl genpkey -algorithm RSA -out private_key.pem -aes256
openssl rsa -pubout -in private_key.pem -out public_key.pem
3. Create the Certificate
Next, create a certificate signing request (CSR) and sign it to create your certificate:
openssl req -new -key private_key.pem -out request.csr
openssl x509 -req -days 365 -in request.csr -signkey private_key.pem -out certificate.crt
4. Convert Certificate to PEM Format
openssl x509 -outform pem -in certificate.crt -out certificate.pem
Storing Certificates on an Ubuntu System
Directory Structure
On your Ubuntu system, you should store your SSH certificates in a secure directory. The typical directory for SSH keys and certificates is ~/.ssh/.
Transfer the Certificate
Use a secure method to transfer your certificate and key to the Ubuntu system. You can use SCP (Secure Copy Protocol) to transfer the files:
scp private_key.pem user@ubuntu_server:~/.ssh/
scp public_key.pem user@ubuntu_server:~/.ssh/
scp certificate.pem user@ubuntu_server:~/.ssh/
Set Permissions
Ensure the permissions are correctly set for the private key to maintain security:
chmod 600 ~/.ssh/private_key.pem
chmod 644 ~/.ssh/public_key.pem
chmod 644 ~/.ssh/certificate.pem
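A way to verify the permissions set above, as an added example that is not part of the original post: it flags a ~/.ssh directory or public files that group/other can write to (which sshd's StrictModes rejects for the directory and authorized_keys) and a private key that group/other can access (which the ssh client refuses to use). It assumes GNU stat (as on Ubuntu) and the file names used in this guide; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the modes of the files this guide places in ~/.ssh.
# Usage: audit_ssh_dir "$HOME/.ssh"

# mode_of PATH -> prints the octal permission bits, e.g. 600 (GNU stat)
mode_of() { stat -c '%a' "$1"; }

# has_bits MODE MASK -> true if any bit of MASK (octal) is set in MODE (octal)
has_bits() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# audit_ssh_dir DIR -> prints one finding per line; returns 0 if clean, 1 otherwise
audit_ssh_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    # The directory itself must not be writable by group or other.
    if has_bits "$(mode_of "$dir")" 022; then
        echo "WRITABLE-BY-OTHERS $dir (expected 700)"
        rc=1
    fi
    # Private key: no group/other permission bits at all.
    key=$dir/private_key.pem
    if [ -f "$key" ] && has_bits "$(mode_of "$key")" 077; then
        echo "PRIVATE-KEY-EXPOSED $key (expected 600)"
        rc=1
    fi
    # Public material and authorized_keys: world-readable is fine, group/other write is not.
    for f in public_key.pem certificate.pem authorized_keys; do
        p=$dir/$f
        if [ -f "$p" ] && has_bits "$(mode_of "$p")" 022; then
            echo "WRITABLE-BY-OTHERS $p (expected 644)"
            rc=1
        fi
    done
    return $rc
}
```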
Configuring SSH to Use the Certificate
Edit the SSH configuration file on your Ubuntu server to use your new certificate for authentication:
sudo nano /etc/ssh/sshd_config
Add the following lines to specify the use of the certificate:
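# A relative path is resolved against each user's home directory
AuthorizedKeysFile .ssh/authorized_keys
# Absolute path needed: sshd does not resolve ~ to the connecting user's home ("user" is the account from the scp step)
TrustedUserCAKeys /home/user/.ssh/certificate.pem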
Restart the SSH service to apply the changes:
sudo systemctl restart sshd
Connecting to SSH with the Certificate
On your Windows machine, use an SSH client like PuTTY or the command prompt to connect to the Ubuntu server using your private key:
Using PuTTY
- Open PuTTY and navigate to Connection > SSH > Auth.
- Browse and select your private key file (private_key.pem).
- Return to the Session tab, enter your Ubuntu server’s IP address, and click Open.
Using Command Prompt
ssh -i path_to_private_key.pem user@ubuntu_server
Conclusion
Using self-made certificates for SSH connections enhances security and is a robust alternative to password-based authentication. While we focused on creating certificates in Windows, the principles apply across various operating systems, including Linux and macOS. By following the steps outlined, you’ll be able to securely connect to your SSH servers with your custom certificate.
Feel free to leave your comments or questions below. Happy secure connecting!