Insert certificate into agent for existing key?

Jakub Jelen jjelen at
Mon Feb 8 23:58:56 AEDT 2021

On 2/7/21 1:09 PM, Brian Candler wrote:
> Does the ssh-agent protocol allow adding a certificate for a private key 
> which it already has? The idea is to issue a certificate for a key the 
> agent already has, to avoid the entropy drain of generating a new key.
> shows private 
> keys, and doesn't mention certificates at all.  However it does say:
> "Typically only the public components of any keys supported on a 
> hardware token will be loaded into an agent" - which suggests that the 
> SSH_AGENTC_ADD_IDENTITY message might be able to carry only the public 
> parts of a key.
> defines 
> new *public* key formats for certificates - they don't contain the 
> private key components as far as I can see.
> However, looking at the Go ssh-agent client, it inserts a private key 
> and certificate in a single SSH_AGENTC_ADD_IDENTITY or 
> (and I haven't been able to find documentation which defines that 
> private key + certificate message format).
> So basically: can I send just a certificate to ssh-agent?  And if so, 
> how is that done?

This was discussed in the following two bugs in the context of pkcs11 keys, 
but without any definite solution.

To support this, we would need an update of the ssh-agent protocol (or 
extension) and some variant of a patch in the first bug above.

Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.
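
The single key-plus-certificate message the question describes can be illustrated as follows. This is an added example, not code from the thread, OpenSSH or the Go client: the field order (type name, certificate blob, public key, private key, comment) is an assumption about how an Ed25519 certificate identity is framed, and all key and certificate bytes are constructed placeholders.

```python
import struct

SSH_AGENTC_ADD_IDENTITY = 17                      # agent protocol message number
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"   # certificate key type name
FIELDS = ("type", "cert", "pub", "priv", "comment")  # assumed field order

def put_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def get_string(buf: bytes, off: int):
    """Read one SSH string at off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:end], end

def build_add_identity(cert: bytes, pub: bytes, priv: bytes, comment: bytes) -> bytes:
    """Frame an ADD_IDENTITY request carrying a certificate and its key."""
    if len(pub) != 32 or len(priv) != 64:
        raise ValueError("Ed25519 needs a 32-byte public and 64-byte private key")
    body = bytes([SSH_AGENTC_ADD_IDENTITY])
    for field in (CERT_TYPE, cert, pub, priv, comment):
        body += put_string(field)
    return put_string(body)          # outer uint32 length prefix

def parse_add_identity(frame: bytes) -> dict:
    """Decode the frame; fails if any field, including the key, is absent."""
    body, end = get_string(frame, 0)
    if end != len(frame):
        raise ValueError("trailing bytes after message")
    if not body or body[0] != SSH_AGENTC_ADD_IDENTITY:
        raise ValueError("not an ADD_IDENTITY message")
    out, off = {}, 1
    for name in FIELDS:
        out[name], off = get_string(body, off)
    if off != len(body):
        raise ValueError("unexpected data after comment")
    return out

# Constructed placeholders: not a real certificate or key.
SAMPLE_CERT = b"\x00" * 40
SAMPLE_PUB = bytes(range(32))
SAMPLE_PRIV = bytes(64)

if __name__ == "__main__":
    msg = build_add_identity(SAMPLE_CERT, SAMPLE_PUB, SAMPLE_PRIV, b"demo")
    print({k: len(v) for k, v in parse_add_identity(msg).items()})
```

A body that stops after the certificate blob fails to parse in this layout, which is the gap the reply above says would need a protocol update or extension to close.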
