First you need a master key (CA). Make sure you create it somewhere secure (i.e. a machine you can trust) and preferably as a privileged user (i.e. root). Obviously you only need to do this once.
mkdir my_ssh_ca
cd my_ssh_ca
ssh-keygen -t ed25519 -C "My SSH CA 2020-02-28" -f my_ssh_ca_key
ssh-keygen will prompt you for a passphrase; make sure you use something really strong! I recommend ed25519 keys for everything, just because they improve upon the other options and try to resolve issues that the older standards have, though I cannot vouch for the security of any of them.
Generate the user's key in the standard way (i.e. have them run ssh-keygen -t ed25519), then bring the public (not the private!) keyfile to the master key/CA. Never do it the other way around: signing requires access to the private master key, and that key should never be exposed more than necessary.
ssh-keygen -s my_ssh_ca_key -I <identifier> -n <username> -V <validity> user_public_key.pub
ssh-keygen will prompt for the master key's password. If you input this correctly, it will sign the given user's key and give you a file like user_public_key-cert.pub. Now take this back to the user's account and put it next to the user's public key and ssh will automagically pick it up.
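The whole procedure end to end, followed by a check of the resulting certificate before it is handed back, as an added example that is not part of the original text. The identifier alice-laptop, principal alice, validity +1d, the key name id_ed25519 and the empty passphrases are assumptions made so the demo runs unattended in a throwaway directory.

```shell
#!/bin/sh
# Added example. Assumptions, not from the page: identifier "alice-laptop",
# principal "alice", validity "+1d", user key name id_ed25519, and EMPTY
# passphrases (-N '') so the demo runs unattended in a throwaway directory.
# A real CA key gets a strong passphrase, as the text says.

make_demo_cert() {  # make_demo_cert <dir>
    d=$1
    mkdir -p "$d/my_ssh_ca" "$d/user" || return 1
    # 1. Master key (CA), created once.
    ssh-keygen -q -t ed25519 -N '' -C "My SSH CA (demo)" \
        -f "$d/my_ssh_ca/my_ssh_ca_key" || return 1
    # 2. User key, generated on the user's side.
    ssh-keygen -q -t ed25519 -N '' -C "alice (demo)" \
        -f "$d/user/id_ed25519" || return 1
    # 3. Only the PUBLIC key travels to the CA, where it is signed.
    cp "$d/user/id_ed25519.pub" "$d/my_ssh_ca/user_public_key.pub" || return 1
    ( cd "$d/my_ssh_ca" && ssh-keygen -q -s my_ssh_ca_key -I alice-laptop \
        -n alice -V +1d user_public_key.pub ) || return 1
    # 4. The certificate goes back to the user. ssh looks for it under the
    #    private key's file name plus "-cert.pub", so it is renamed to match.
    cp "$d/my_ssh_ca/user_public_key-cert.pub" "$d/user/id_ed25519-cert.pub"
}

# Succeeds only if the certificate was signed by the expected CA, wraps the
# expected user key, and carries exactly the one expected principal.
verify_cert() {  # verify_cert <cert> <ca_pub> <user_pub> <principal>
    info=$(ssh-keygen -L -f "$1") || return 1
    ca_fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    user_fp=$(ssh-keygen -l -f "$3" | awk '{print $2}')
    signer=$(printf '%s\n' "$info" | awk '/Signing CA:/ {print $4}')
    subject=$(printf '%s\n' "$info" | awk '/Public key:/ {print $4}')
    # Principals are listed one per line between these two headings.
    principals=$(printf '%s\n' "$info" \
        | sed -n '/Principals:/,/Critical Options:/p' | sed '1d;$d' | tr -d ' \t')
    [ "$signer" = "$ca_fp" ] && [ "$subject" = "$user_fp" ] \
        && [ "$principals" = "$4" ]
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_cert "$demo" \
        && verify_cert "$demo/user/id_ed25519-cert.pub" \
            "$demo/my_ssh_ca/my_ssh_ca_key.pub" "$demo/user/id_ed25519.pub" alice \
        && echo "certificate OK"
    rm -rf "$demo"
fi
```

Running ssh-keygen -L -f on the certificate by hand also shows the Valid: line, which is worth reading before the file leaves the CA machine.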