Insert certificate into agent for existing key?

Brian Candler b.candler at pobox.com
Tue Feb 9 00:56:53 AEDT 2021


On 08/02/2021 12:58, Jakub Jelen wrote:
> this was discussed in the following two bugs in context of pkcs11 
> keys, but without any definite solution.
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2472
> https://bugzilla.mindrot.org/show_bug.cgi?id=2808

Thanks for those references.

I'm not sure I understand the last comment 
<https://bugzilla.mindrot.org/show_bug.cgi?id=2808#c2>:

"BTW You can use certificates in ssh already using keys stored in an 
agent or token. Certificates are grafted to external keys at 
authentication time if they are available."

I *think* it's saying that you can authenticate using a private key in 
an agent together with a corresponding id_xxx.cert file on the 
filesystem.  But that means if you download your certificate from 
somewhere, you have to write it to the filesystem in a suitable 
location. Also, if you're doing multiple login hops using agent 
forwarding, you'd have to copy the certificate to each hop where the ssh 
client runs to ssh to the next hop.  Is that right?

Alternatively: you could reload your private key and cert together into 
the agent. That would presumably require re-unlocking the private key 
with passphrase, and wouldn't work for private keys stored in hardware 
tokens.

Thanks,

Brian.
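The second option Brian describes (loading the private key and its certificate into the agent together) can be checked end to end with throwaway keys. This is an added example, not code from the thread or from OpenSSH: it assumes `ssh-keygen`, `ssh-agent` and `ssh-add` are on the PATH, builds a temporary CA and user key, signs the key, and verifies that `ssh-add` picks up the `-cert.pub` file sitting next to the private key so both appear in `ssh-add -L`.

```shell
#!/bin/sh
# Added example (not from the thread): show that ssh-add loads the certificate
# stored beside its private key as <key>-cert.pub, so key and cert both land
# in the agent. Everything lives in a temporary directory; no real keys or
# the caller's own agent are touched.
set -eu

demo_cert_in_agent() {
    for tool in ssh-keygen ssh-agent ssh-add; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool, skipping"; return 2; }
    done
    work=$(mktemp -d)
    # Throwaway CA and user key, constructed for the demo (no passphrase).
    ssh-keygen -q -t ed25519 -N '' -f "$work/ca" -C demo-ca
    ssh-keygen -q -t ed25519 -N '' -f "$work/id_ed25519" -C demo-user
    # Sign the user key; ssh-keygen writes the cert as id_ed25519-cert.pub.
    ssh-keygen -q -s "$work/ca" -I demo-user -n demo -V -5m:+10m "$work/id_ed25519.pub"
    # Start a private agent for the demo so the caller's agent is not modified.
    eval "$(ssh-agent -s)" >/dev/null
    # ssh-add loads id_ed25519-cert.pub automatically alongside the key.
    ssh-add "$work/id_ed25519" >/dev/null 2>&1
    listing=$(ssh-add -L)
    ssh-agent -k >/dev/null
    rm -rf "$work"
    # Both the plain key and the certificate must now be listed by the agent.
    echo "$listing" | grep -q '^ssh-ed25519 ' || return 1
    echo "$listing" | grep -q '^ssh-ed25519-cert-v01@openssh.com ' || return 1
    return 0
}

demo_cert_in_agent && echo "key and certificate are both loaded in the agent"
```

Return code 2 means the OpenSSH tools were not found and nothing was checked; 0 means the certificate was loaded with the key.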