Insert certificate into agent for existing key?

Damien Miller djm at
Wed Feb 10 21:55:39 AEDT 2021

On Wed, 10 Feb 2021, Brian Candler wrote:

> On 09/02/2021 23:51, Damien Miller wrote:
> > > So basically: can I send just a certificate to ssh-agent?  And if so,
> > > how is that done?
> > Yes, it is possible but poorly documented (patches welcome as always).
> > The format for encoding a certificate with private key is is roughly
> > {cert, private fields}. See sshkey.c:sshkey_private_serialize_opt() for
> > the actual code, but it's basically the following, where "certificate
> > blob" is the entire public certificate key.
> That's how to send a (private key, certificate) pair - I have that working
> already, thanks to the go x/crypto/ssh/agent library.
> However, the question was whether it's possible to send just a certificate by
> itself, which corresponds to a private key that the agent already has.  And at
> the moment, I think the answer is "no you can't".

No - there's a patch to support it at but I'm not sure it's
the correct approach.

More information about the openssh-unix-dev mailing list