Insert certificate into agent for existing key?

Brian Candler b.candler at
Wed Feb 10 19:00:29 AEDT 2021

On 09/02/2021 23:51, Damien Miller wrote:
>> So basically: can I send just a certificate to ssh-agent?  And if so,
>> how is that done?
> Yes, it is possible but poorly documented (patches welcome as always).
> The format for encoding a certificate with private key is is roughly
> {cert, private fields}. See sshkey.c:sshkey_private_serialize_opt() for
> the actual code, but it's basically the following, where "certificate
> blob" is the entire public certificate key.

That's how to send a (private key, certificate) pair - I have that 
working already, thanks to the go x/crypto/ssh/agent library.

However, the question was whether it's possible to send just a 
certificate by itself, which corresponds to a private key that the agent 
already has.  And at the moment, I think the answer is "no you can't".

More information about the openssh-unix-dev mailing list