Multiple Signatures on SSH-Hostkeys

Damien Miller djm at
Tue Oct 22 19:21:00 AEDT 2019

On Tue, 22 Oct 2019, Bergner, Jan, A-SCM-CIM-SD wrote:

> > I think the best you could do at present if you want host keys
> > signed by different CA is to choose different types of host key
> > (e.g. ecdsa vs ed25519), get one type signed by one CA and the other
> > by the other CA, and configure the clients to prefer the key type
> > corresponding to the CA that they expect. It's not a great solution,
> > but it would probably work.

> Okay.
> Would I specify that in sshd_config with multiple HostCertificate-
> statements or would I rather have multiple signed keys in one file?
> (One signature each line?)

Multiple HostCertificate statements - OpenSSH doesn't support multiple
host keys in a single file.


More information about the openssh-unix-dev mailing list