Insert certificate into agent for existing key?

Brian Candler b.candler at
Sun Feb 7 23:09:41 AEDT 2021

Does the ssh-agent protocol allow adding a certificate for a private key 
which it already has? The idea is to issue a certificate for a key the 
agent already has, to avoid the entropy drain of generating a new key. shows private 
keys, and doesn't mention certificates at all.  However it does say:

"Typically only the public components of any keys supported on a 
hardware token will be loaded into an agent" - which suggests that the 
SSH_AGENTC_ADD_IDENTITY message might be able to carry only the public 
parts of a key. 
defines new *public* key formats for certificates - they don't contain 
the private key components as far as I can see.

However, looking at the Go ssh-agent client, it inserts a private key 
and certificate in a single SSH_AGENTC_ADD_IDENTITY or 

(and I haven't been able to find documentation which defines that 
private key + certificate message format).

So basically: can I send just a certificate to ssh-agent?  And if so, 
how is that done?
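The single-message insert mentioned above for the Go client, sketched with the standard library only as an added example; it is not part of the original post and is not the Go project's own code. The field order for an Ed25519 certificate key (key type, certificate blob, public key, private key, comment) is an assumption based on how the Go agent client and OpenSSH serialize such keys, the function names are hypothetical, and the all-zero seed and the certificate blob are constructed placeholders that a real agent would reject.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// putString appends an SSH wire "string": uint32 big-endian length + bytes.
func putString(b *bytes.Buffer, s []byte) {
	binary.Write(b, binary.BigEndian, uint32(len(s)))
	b.Write(s)
}

// AddCertIdentity frames an add-identity request (field order is an assumption).
func AddCertIdentity(priv ed25519.PrivateKey, certBlob []byte, comment string) []byte {
	var body, msg bytes.Buffer
	body.WriteByte(17) // SSH_AGENTC_ADD_IDENTITY
	putString(&body, []byte("ssh-ed25519-cert-v01@openssh.com"))
	putString(&body, certBlob)  // certificate in its public wire form
	putString(&body, priv[32:]) // public key (32 bytes)
	putString(&body, priv)      // private key: seed || public (64 bytes)
	putString(&body, []byte(comment))
	putString(&msg, body.Bytes()) // outer uint32 length prefix
	return msg.Bytes()
}

// Fields returns the message type and the strings that follow it.
func Fields(msg []byte) (byte, [][]byte) {
	typ, rest := msg[4], msg[5:]
	var out [][]byte
	for len(rest) >= 4 {
		n := int(binary.BigEndian.Uint32(rest))
		if n > len(rest)-4 {
			break // truncated field
		}
		out = append(out, rest[4:4+n])
		rest = rest[4+n:]
	}
	return typ, out
}

// sampleMessage uses constructed inputs: an all-zero seed and a fake cert blob.
func sampleMessage() []byte {
	return AddCertIdentity(ed25519.NewKeyFromSeed(make([]byte, 32)), []byte("CERT"), "c")
}

func main() { fmt.Printf("% x\n", sampleMessage()) }
```

In this layout the certificate replaces the plain public key blob, but the private key bytes still travel in the same request.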



