Thus said Ken Hornstein on Sat, 24 Sep 2016 11:49:08 -0400:
> Well, technically, ssh does not deal in certificates - they deal with
> keys. They do not have an expiration date. If you need to rekey an ssh
> server, the world falls apart.

Technically, OpenSSH does have support for certificate authorities, so
one need not have the world fall apart, but I don't know how common it
is in use:

CERTIFICATES
ssh-keygen supports signing of keys to produce certificates that may be
used for user or host authentication. Certificates consist of a public
key, some identity information, zero or more principal (user or host)
names and a set of options that are signed by a Certification Authority
(CA) key. Clients or servers may then trust only the CA key and verify
its signature on a certificate rather than trusting many user/host keys.
Note that OpenSSH certificates are a different, and much simpler, format
to the X.509 certificates used in ssl(8).

Andy
--
TAI64 timestamp: 4000000057e6b8fe
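
The CA workflow from the ssh-keygen manual text quoted above, applied to the host rekey case raised in this message, as an added example that is not part of the original email. The host name, file names and function names are constructed for the demo; everything is written to a scratch directory.

```shell
#!/bin/sh
# Added example: rekeying a host under an OpenSSH host CA.
# All file names and the host name below are constructed for this demo.
set -eu

# SHA256 fingerprint of a public key file.
key_fp()     { ssh-keygen -l -f "$1" | awk '{print $2}'; }
# Fingerprint of the CA recorded in a certificate file.
cert_ca_fp() { ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}'; }

# Generate a fresh host key "$2" in dir "$1" and certify it for principal "$3".
issue_host_cert() {
  ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/$2"
  # -s CA private key, -I key identity, -h host (not user) certificate,
  # -n principal the certificate is valid for, -V validity window
  ssh-keygen -q -s "$1/host_ca" -I "$3:$2" -h -n "$3" -V +52w "$1/$2.pub"
}

rekey_demo() {
  dir=$1
  host=host.example.org
  ssh-keygen -q -t ed25519 -N '' -C demo-host-ca -f "$dir/host_ca"
  # The only thing a client pins is the CA public key, not any host key.
  printf '@cert-authority %s %s\n' "$host" \
    "$(cut -d' ' -f1,2 "$dir/host_ca.pub")" > "$dir/known_hosts"
  issue_host_cert "$dir" host_v1 "$host"   # original host key
  issue_host_cert "$dir" host_v2 "$host"   # replacement key after a rekey
  # Both certificates must name the pinned CA as their signer.
  for v in host_v1 host_v2; do
    [ "$(cert_ca_fp "$dir/$v-cert.pub")" = "$(key_fp "$dir/host_ca.pub")" ] || return 1
  done
  # The host key changed; the client's known_hosts entry did not have to.
  [ "$(key_fp "$dir/host_v1.pub")" != "$(key_fp "$dir/host_v2.pub")" ]
}

if command -v ssh-keygen >/dev/null 2>&1; then
  demo_dir=$(mktemp -d)
  rekey_demo "$demo_dir" && echo "rekeyed under unchanged CA; files in $demo_dir"
else
  echo "ssh-keygen not installed; nothing to demonstrate" >&2
fi
```

On a real server the certificate is offered by pointing sshd_config's `HostCertificate` at the `-cert.pub` file, and unlike a bare key it carries the expiry set with `-V`.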