ssh-agent could not add signed cert when private key stored in yubikey

Damien Miller djm at
Wed Jan 30 09:58:26 AEDT 2019

On Tue, 29 Jan 2019, YC wrote:

> Hi,
> I'm currently stuck with yubikey + signed user key + ssh-agent forwarding.
> As noted,
> I have private key stored in yubikey, public key in ~/.ssh/ and
> signed public key in ~/.ssh/ on PC (see bellow).

There is currently no way to add certificates to an agent for PKCS#11

That being said, you don't strictly need to. ssh is able to graft the
certificates to private keys held in agents or tokens at runtime - you
just need to specify the certificate(s) using the IdentityFile directive.

Note that this won't work using agent forwarding, but it will work using


More information about the openssh-unix-dev mailing list