An overview of the SSH CA
End users often access hosting entities' services using certificates issued by the SSH CA. These certificates are obtained from the SSH CA web portal at
This is one of two SSH CA instances available to hosting entities. These are
- the production instance, which is accessed using the URL above and must be used for hosting entities’ production services, and
- the staging instance, which hosting entities can use for development and testing purposes.
End users obtain certificates from the production SSH CA by authenticating using a MyAccessID account. Any end user whose institution is connected to eduGAIN can get a MyAccessID account. For end users without an eduGAIN identity (such as those from industry) a Guest IDP is also available.
End user documentation on using the SSH CA is available at
- https://TODO
The Staging SSH CA is connected to MyAccessID "Acceptance". MyAccessID Acceptance is intended for non-production purposes, such as testing. Consequently, it is not connected to eduGAIN and users must usually use Guest IDP accounts. End users should never use the Staging SSH CA.
The table below summarises the relationship between the SSH CA and MyAccessID instances.
| SSH CA | Intended use | MyAccessID | Identity Providers |
|---|---|---|---|
| Production | Production services | Production | eduGAIN IDPs and the Guest IDP |
| Staging | Development and testing | Acceptance | Guest IDP only |
Hosting entities should note the following.
- The Production and Acceptance Guest IDPs are different systems; an account with one cannot be used in the other environment.
- It is recommended that any testing be conducted using the Staging SSH CA prior to production.
Other documentation describes the use of the production SSH CA by end users. The same documentation can be used by hosting entities to test and validate their own systems. The use of the Staging SSH CA is identical except
- it is accessed at https://sshca.stg.my-eurohpc.eu,
- users authenticate using an “acceptance” MyAccessID account, and
- resource entitlements may differ between the production and staging environments.
SSH Certificates
SSH certificates are a lightweight and efficient way to authenticate users and hosts using the SSH protocol.
Some of the certificate fields issued by the SSH CA have specific values. These are summarised in the table below.
| SSH certificate field | Description |
|---|---|
| Key type | ed25519 |
| Principals | Single-valued; contains the value of the end user’s MyAccessID CUID attribute. The value differs between MyAccessID production and acceptance. |
| Valid before | Certificates are valid for one hour |
| Extensions | Includes the domain grant extension that names the domain of the hosting entity that is the intended relying party. |
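The following is an added example written for this page; it is not code from the SSH CA project or from OpenSSH. It encodes a constructed user certificate in OpenSSH's wire layout (PROTOCOL.certkeys), parses it back, and checks the profile in the table above: ed25519 certificate type, exactly one principal (the CUID), a validity window of at most one hour, and a domain grant extension naming the relying party. The page does not give the actual name of the domain grant extension, so `domain-grant@example.org` is a placeholder, and the key bytes, CUID and domain are constructed values. The checker does not verify the CA signature; that remains sshd's job once the CA is trusted.

```python
import base64
import struct

# Assumptions (not stated on the page): the extension name below is a
# placeholder for the real domain grant extension, and all key material
# used in the demo is constructed.
DOMAIN_GRANT_EXT = "domain-grant@example.org"   # placeholder name
CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1
MAX_VALIDITY_SECONDS = 3600                      # "valid for one hour"


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_s(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _read_list(buf: bytes):
    """Decode SSH 'string's packed back to back (principals, extension pairs)."""
    out, off = [], 0
    while off < len(buf):
        item, off = _read_s(buf, off)
        out.append(item)
    return out


def encode_user_cert(user_pk, principals, valid_after, valid_before, extensions,
                     ca_pk, key_id=b"constructed", serial=1):
    """Build a user certificate in OpenSSH's wire layout with a dummy signature.
    Only the field layout matters here; sshd verifies the real signature."""
    ext_blob = b"".join(
        _s(name.encode()) + _s(_s(value.encode()) if value else b"")
        for name, value in extensions)
    return (_s(CERT_TYPE.encode()) + _s(b"\x00" * 32) + _s(user_pk)
            + struct.pack(">QI", serial, SSH_CERT_TYPE_USER) + _s(key_id)
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"")                                # no critical options
            + _s(ext_blob) + _s(b"")                 # extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(ca_pk))     # signature key
            + _s(b"dummy-signature"))


def parse_cert(blob):
    """Extract the fields a relying party wants to inspect from a certificate blob."""
    off = 0
    ctype, off = _read_s(blob, off)
    _nonce, off = _read_s(blob, off)
    _user_pk, off = _read_s(blob, off)
    _serial, _cert_type = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _read_s(blob, off)
    princ_blob, off = _read_s(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    off += 16
    _crit, off = _read_s(blob, off)
    ext_blob, off = _read_s(blob, off)
    # Extensions are (name, data) pairs; non-empty data wraps a further string.
    pairs = _read_list(ext_blob)
    extensions = {name.decode(): (_read_s(data, 0)[0].decode() if data else "")
                  for name, data in zip(pairs[0::2], pairs[1::2])}
    return {"type": ctype.decode(), "key_id": key_id.decode(),
            "principals": [p.decode() for p in _read_list(princ_blob)],
            "valid_after": valid_after, "valid_before": valid_before,
            "extensions": extensions}


def to_cert_line(blob, comment="constructed"):
    """Render the one-line form ssh-keygen writes: '<type> <base64 blob> <comment>'."""
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} {comment}"


def parse_cert_line(line: str):
    """Parse the one-line form and check the type prefix agrees with the blob."""
    ctype, b64 = line.split()[:2]
    cert = parse_cert(base64.b64decode(b64))
    if cert["type"] != ctype:
        raise ValueError("certificate type prefix does not match blob")
    return cert


def check_cert(cert, expected_domain, now):
    """Return the ways the certificate departs from the documented profile."""
    problems = []
    if cert["type"] != CERT_TYPE:
        problems.append("key type is not ed25519")
    if len(cert["principals"]) != 1:
        problems.append("principals must be single-valued (the CUID)")
    if cert["valid_before"] - cert["valid_after"] > MAX_VALIDITY_SECONDS:
        problems.append("validity period exceeds one hour")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("certificate is not valid at the current time")
    if cert["extensions"].get(DOMAIN_GRANT_EXT) != expected_domain:
        problems.append("domain grant extension missing or names another relying party")
    return problems
```

A hosting entity can feed `parse_cert_line` the `*-cert.pub` file an end user downloaded from the portal and run `check_cert` with its own domain to confirm the certificate is the expected shape before debugging sshd authorisation; the same checks, minus signature verification, are what `ssh-keygen -L -f <cert>` lets you read off by eye.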
The configuration process for hosting entities consists of
- trusting the SSH CA, and
- authorising SSH CA certificates and end users.
These are discussed in the following two sections.