
I am using an SSH public key to connect to a number of servers. The servers use an SSH CA to manage authorized users. The basic concept is described here: https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu

So next to my usual id_rsa and id_rsa.pub files, I also have an id_rsa-cert.pub file which contains the certificate. All of this works pretty well; I can immediately log in to new machines that are configured to trust the CA key that was used to sign my key.

However, I now got my key signed by a different CA for a different set of machines. The question is now: how can I tell SSH that there are now two certificates for this key? From the documentation there seems to be no way to specify a second certificate file:

ssh(1) will try to load certificate information from the filename
obtained by appending -cert.pub to the path of a specified IdentityFile.

Simply appending the new certificate to this file (like you would do for authorized_keys) does not work either. In that case, SSH will still only recognize the first certificate and ignore the rest of the file.

Does anyone know how to tell SSH that I have a second certificate for this key?

jan

2 Answers


Since you use the same private key and ssh will use the key name to guess the certificate name, copy your private and public key:

cp ~/.ssh/id_rsa ~/.ssh/id_rsa_group2
cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa_group2.pub # probably not necessary

Then make the name of the certificate match: it should be id_rsa_group2-cert.pub

Test it: ssh -i ~/.ssh/id_rsa_group2 ip_of_your_server

Then make the key selection automatic by editing ~/.ssh/config

# For your first certificate:
Host a
    User root
    IdentityFile ~/.ssh/id_rsa

# For your new certificate
Host b
    User root
    IdentityFile ~/.ssh/id_rsa_group2
pim

You can use the CertificateFile configuration option for that purpose, either on the command line: ssh -o CertificateFile=~/.ssh/second_certificate.pub host_b, or by setting it in the config file (~/.ssh/config).

Host host_b
    CertificateFile ~/.ssh/second_certificate.pub

Since in both cases the same certificate is used, it should work well with your ssh-agent.

pim
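Putting the two answers together, here is an added example (not from either answer) of one private key paired with two CA-issued certificates, selected per host, plus two checks: `ssh -G` shows which certificate file ssh would actually present to a host, and `ssh-keygen -L` confirms a certificate was really issued for the key it sits next to. The hostnames, file names and CA labels are assumptions.

```shell
#!/bin/sh
# Constructed example: one private key, two certificates from two CAs,
# selected per host through the ssh client config. Paths are assumptions.
set -eu

# Write the config to $1. IdentityFile is the single shared key;
# CertificateFile picks which CA-signed certificate is offered to that host.
write_two_ca_config() {
    cat > "$1" <<'EOF'
# Hosts trusting CA 1: default lookup finds ~/.ssh/id_rsa-cert.pub
Host host_a
    User root
    IdentityFile ~/.ssh/id_rsa

# Hosts trusting CA 2: same key, explicitly named second certificate
Host host_b
    User root
    IdentityFile ~/.ssh/id_rsa
    CertificateFile ~/.ssh/id_rsa-ca2-cert.pub
EOF
}

# Print the CertificateFile ssh resolves for a host alias (via `ssh -G`).
# Prints nothing when none applies, i.e. the default -cert.pub lookup is used.
resolved_certfile() {   # $1 = config file, $2 = host alias
    ssh -G -F "$1" "$2" | awk '$1 == "certificatefile" { print $2 }'
}

# Succeed only if the certificate ($1) was issued for the public key ($2),
# by comparing the fingerprint embedded in the cert with the key's own.
cert_matches_key() {    # $1 = *-cert.pub, $2 = matching .pub file
    cert_fp=$(ssh-keygen -L -f "$1" | awk '/Public key:/ { print $4 }')
    key_fp=$(ssh-keygen -lf "$2" | awk '{ print $2 }')
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}
```

Run `resolved_certfile ~/.ssh/config host_b` against your real config to confirm the second certificate is the one selected, and `cert_matches_key` on each certificate before relying on it.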