Did not see a sample command here in the forum (maybe because it is documented in the most obscure location – called man-page)
I am exploring SSH certificates (introduced in OpenSSH 5.4 in 2010, btw).
OpenSSH server is already set up in ssh_config with TrustedUserCAKeys /etc/ssh/my-exported-public-key-for-use-as-SSH-CA.pub
Objectives
- use the HSM as “SSH certificate authority”
- sign non-HSM based SSH keys with short validity duration
Indeed ssh-keygen can somehow “point” to the HSM by supplying the public part of the key (an RSA key in my tests) and the -D option:
ssh-keygen -D /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -s ~/.ssh/id-my-exported-public-key-for-use-as-SSH-CA.pub -I "SSH HSM CA-signed user thru 2024-11-30" -V "-1d:20241130" ~/.ssh/id-my-exported-user-EC-public-key-to-be-signed.pub
All tutorials out there typically show -s pointing to a private key file, e.g. generated with easy-rsa. But the manpage clearly says:
It is possible to sign using a CA key stored in a PKCS#11 token by providing the token library using -D and identifying the CA key by providing its public half as an argument to -s:
$ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
The command produces a file id-my-exported-user-EC-public-key-to-be-signed-cert.pub.
Despite the *pub file extension it is a certificate though, with a defined validity period. Documented in the manpage of ssh-keygen:
certificates may be defined with a validity lifetime. The -V option allows specification of certificate start and end times. A certificate that is presented at a time outside this range will not be considered valid. By default, certificates are valid from the UNIX Epoch to the distant future.
And with the possibility to re-import into a Nitrokey HSM2 by use of a DKEK I feel confident to finally explore the removal of SSH password (fallback) logins. I use SSH keys purely on a personal basis for hobby stuff:
- if my certificate expired I sign a new one (there can even be serial numbers and CRL)
- if I lost/destroyed/re-initialized the HSM I re-import from a rock-solid backup (already happened to me, the rather long form factor of the HSM and a laptop are ripe for such disasters)
- if I am not at my primary PC/location I can have a duplicate HSM travelling with me
ssh-keygen can also do, btw:
Certificates may be limited to be valid for a set of principal (user/host) names. By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals:
$ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
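Added example, not part of the original post and not OpenSSH code: a small reader for the `*-cert.pub` file that flags the two defaults quoted from the manpage above, a certificate with no end time and one with no principal restriction. The field layout follows OpenSSH's PROTOCOL.certkeys; the helper names, the 90-day limit and the sample certificate (placeholder key and signature bytes) are assumptions made for illustration, and the CA signature is not verified.

```python
import base64
import struct

# Number of length-prefixed public-key fields per certificate type (PROTOCOL.certkeys).
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1,
              "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}
FOREVER = 2**64 - 1  # valid_before when -V gave no end time

def take(buf, off):
    """Read one SSH string (uint32 length + bytes); return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Parse one line of a *-cert.pub file. The CA signature is NOT verified here."""
    algo, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    name, off = take(blob, 0)
    if algo not in KEY_FIELDS or name.decode() != algo:
        raise ValueError("not a supported OpenSSH certificate")
    for _ in range(1 + KEY_FIELDS[algo]):   # nonce, then the public key fields
        _, off = take(blob, off)
    (serial,) = struct.unpack_from(">Q", blob, off)
    key_id, off = take(blob, off + 12)      # skip uint64 serial + uint32 cert type
    plist, off = take(blob, off)
    after, before = struct.unpack_from(">QQ", blob, off)
    names, p = [], 0
    while p < len(plist):                   # principals: strings packed inside a string
        s, p = take(plist, p)
        names.append(s.decode())
    return {"serial": serial, "key_id": key_id.decode(), "principals": names,
            "after": after, "before": before}

def findings(cert, max_days=90):
    """Reasons to reject under a short-lifetime policy; an empty list means OK."""
    life = cert["before"] - cert["after"]
    checks = [(cert["before"] == FOREVER, "no expiry"),
              (cert["before"] != FOREVER and life > max_days * 86400, "lifetime too long"),
              (not cert["principals"], "valid for all principals")]
    return [msg for bad, msg in checks if bad]

def build_sample(principals, after, before):  # constructed sample, placeholder key/signature
    s = lambda b: struct.pack(">I", len(b)) + b
    algo = b"ssh-ed25519-cert-v01@openssh.com"
    blob = (s(algo) + s(b"nonce") + s(b"\0" * 32) + struct.pack(">QI", 7, 1)
            + s(b"key_id") + s(b"".join(s(n.encode()) for n in principals))
            + struct.pack(">QQ", after, before) + s(b"") * 3 + s(b"ca") + s(b"sig"))
    return algo.decode() + " " + base64.b64encode(blob).decode() + " constructed"
```

On a real certificate, `ssh-keygen -L -f <file>-cert.pub` prints the same fields in readable form.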