SSH certificate authority

Each organization gets its own internal SSH certificate authority. Hosts trust the CA once; VaultTerm mints short-lived user certificates on demand, so there are no static authorized_keys to manage.

Updated Jun 23, 2026

The brokered session keeps keys off the connecting device. The SSH certificate authority finishes the job on the host side: instead of distributing static authorized_keys, VaultTerm runs a per-organization SSH CA and issues short-lived certificates on demand. A host trusts the CA once, and from then on it accepts any unexpired, principal-matching certificate VaultTerm mints — and nothing else.

How it works

  • One CA per organization. Each org has its own certificate authority keypair. The CA is created and rotated by an org admin; any org member can read the CA public key, which is safe to publish.
  • The CA private seed is protected like a credential. It is envelope-encrypted: a random data key encrypts the seed, and that data key is wrapped by the master key. The seed is never stored in plain text and never leaves the process in the clear.
  • Short-lived user certificates, issued on demand. When you connect, VaultTerm signs a certificate for your login. Its lifetime is configurable, from roughly 30 minutes to 24 hours (one day is the hard ceiling). Each certificate stamps the principals (remote usernames) it is valid for and carries its own validity window, so it self-expires — there is nothing to revoke by hand.
  • No static keys to manage. Because hosts trust the CA rather than a list of individual keys, you never edit authorized_keys to add, remove, or rotate a person’s access.

Trust the CA on a host

Read the org CA public key from VaultTerm, then tell each target host to trust it with the sshd TrustedUserCAKeys directive. This is a one-time setup per host.

# 1. On each target host, write the CA public line to a file, then confirm its
#    fingerprint matches the org CA public key you read from VaultTerm:
sudo tee /etc/ssh/vaultterm_ca.pub > /dev/null <<'EOF'
ssh-ed25519 AAAA... vaultterm-ca
EOF
ssh-keygen -lf /etc/ssh/vaultterm_ca.pub
# 2. Point sshd at that file (append to /etc/ssh/sshd_config, or use a
#    drop-in file if your sshd_config has an Include for sshd_config.d):
echo 'TrustedUserCAKeys /etc/ssh/vaultterm_ca.pub' | sudo tee -a /etc/ssh/sshd_config > /dev/null
# 3. Check that the config still parses, then reload sshd so the change takes
#    effect (the unit is named ssh rather than sshd on Debian-based systems):
sudo sshd -t && sudo systemctl reload sshd

The host now accepts any unexpired VaultTerm-issued certificate whose principal matches the login user. No per-user key has to be present on the host.

Rotation

An admin can rotate the CA at any time. Rotation retires the active CA (its row and fingerprint are kept for history) and mints a fresh keypair. Add the new CA public line to each host’s TrustedUserCAKeys file alongside the old one. Certificates already issued by the old CA keep working until they expire, because the old public key stays trusted on the host until the operator removes it — so rotation doesn’t interrupt live work. Since no certificate lives longer than one day, the old line can be removed from every host 24 hours after rotation without cutting off a valid session.

Issuance is self-expiring and audited

Every certificate carries its own validity window and expires on its own; there is no separate revocation list to maintain for routine access. VaultTerm keeps an append-only issuance ledger of every certificate it mints — serial, key id, principals, validity window, and fingerprint — for inventory and audit. Creating the CA, rotating it, and issuing each certificate are all written to the audit trail.
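The host-trust section above states the rule a host applies under TrustedUserCAKeys (unexpired, principal matches the login user, issued by the trusted CA), and this section lists what the ledger records for each certificate. The Python below is an added example and not VaultTerm's own code: it decodes the OpenSSH ed25519 user-certificate wire format with the standard library only, computes the OpenSSH-style SHA256 fingerprints a ledger would store, and applies the host-side acceptance rule. The certificate it parses is constructed inline with dummy key bytes and an all-zero signature, so no signature is verified here; on a real host sshd performs that check too. The key id `alice@example-org`, the principal `deploy` and the epoch timestamps are assumptions made for the sample.

```python
import base64
import hashlib
import struct
import time
from collections import namedtuple

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
KEY_TYPE = b"ssh-ed25519"
USER_CERT = 1  # cert type field: 1 = user certificate, 2 = host certificate


# SSH wire format: big-endian integers and uint32 length-prefixed strings.
def _string(b):
    return struct.pack(">I", len(b)) + b


class Reader:
    """Sequential decoder over a certificate blob."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def _int(self, fmt, size):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += size
        return v

    def u32(self):
        return self._int(">I", 4)

    def u64(self):
        return self._int(">Q", 8)

    def string(self):
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v

    def string_list(self):
        # The principals field is one string whose body is a packed sequence of strings.
        inner, out = Reader(self.string()), []
        while inner.pos < len(inner.data):
            out.append(inner.string())
        return out


def fingerprint(key_blob):
    """OpenSSH-style fingerprint: SHA256 of the public key blob, unpadded base64."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# The fields an issuance ledger records, plus the fingerprint of the signing CA.
UserCert = namedtuple("UserCert", "serial key_id principals valid_after valid_before "
                                  "key_fingerprint ca_fingerprint")


def parse_cert(blob):
    """Decode an ssh-ed25519 user certificate (field order from OpenSSH PROTOCOL.certkeys)."""
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()                                   # nonce
    user_pk = r.string()
    serial = r.u64()
    if r.u32() != USER_CERT:
        raise ValueError("not a user certificate")
    key_id = r.string().decode()
    principals = [p.decode() for p in r.string_list()]
    valid_after, valid_before = r.u64(), r.u64()
    for _ in range(3):                           # critical options, extensions, reserved
        r.string()
    ca_blob = r.string()                         # public key of the CA that signed it
    r.string()                                   # signature: verified by sshd, not here
    return UserCert(serial, key_id, principals, valid_after, valid_before,
                    fingerprint(_string(KEY_TYPE) + _string(user_pk)), fingerprint(ca_blob))


def host_accepts(cert, login_user, trusted_ca_fps, now=None):
    """TrustedUserCAKeys policy: trusted issuer, inside the validity window, and the
    login user is one of the principals. sshd additionally verifies the CA signature."""
    now = int(time.time()) if now is None else now
    return (cert.ca_fingerprint in trusted_ca_fps
            and cert.valid_after <= now < cert.valid_before
            and login_user in cert.principals)


def build_sample_cert(principals, valid_after, valid_before, serial=7):
    """Constructed sample cert: dummy key bytes and an all-zero signature, for parsing only."""
    user_pk, ca_pk = bytes(range(32)), bytes(range(32, 64))
    ca_blob = _string(KEY_TYPE) + _string(ca_pk)
    body = (_string(CERT_TYPE) + _string(b"constructed-nonce") + _string(user_pk)
            + struct.pack(">QI", serial, USER_CERT) + _string(b"alice@example-org")
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(b"") + _string(b"") + _string(b"")   # options, extensions, reserved
            + _string(ca_blob))
    return body + _string(bytes(64)), fingerprint(ca_blob)


if __name__ == "__main__":
    # A 30-minute certificate, the shortest lifetime the page mentions.
    blob, ca_fp = build_sample_cert(["deploy"], 1_700_000_000, 1_700_001_800)
    cert = parse_cert(blob)
    print(cert)
    print(host_accepts(cert, "deploy", {ca_fp}, now=1_700_000_100))  # True
    print(host_accepts(cert, "deploy", {ca_fp}, now=1_700_001_800))  # False: expired
```

The set of trusted CA fingerprints plays the role of the TrustedUserCAKeys file: during a rotation it holds both the old and the new CA, which is exactly why certificates issued by the old CA keep working until their own window closes. To see the same fields on a real VaultTerm certificate, run `ssh-keygen -L -f` against the certificate file.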
