How can I use the same key for SSH and SSL (https)
Solution 1:
TL;DR summary: If you have an SSL/X.509 certificate+key, just give the private key file to ssh. Or, if you already have an SSH key in id_rsa, just use it with OpenSSL when signing a CSR. That's all.
Let's assume you have a user's SSL certificate in joeuser.pem and its private key in joeuser.key.
Since X.509 uses standard RSA keys, and so does SSH, you should be able to just tell your SSH client to use joeuser.key -- the only requirement is that it be in an understandable format.
Look at the insides of joeuser.key and check if it looks kinda like this:
-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQCxQaFwijLYlXTOlwqnSW9PAgMBAAECEETwgqpzhX0IVhUa0OK0tgkC
CQDXPo7HDY3axQIJANLRsrFxClMDAghaZp7GwU2T1QIIMlVMo57Ihz8CCFSoKo3F
2L/2
-----END RSA PRIVATE KEY-----
In OpenSSL, this format is called "PEM" (as in -outform pem) and is used by default. The same format is used by OpenSSH, and you can use ssh -i joeuser.key to connect.
You can extract the public key in OpenSSH id_rsa.pub format (for putting into authorized_keys) with:
ssh-keygen -y -f joeuser.key > joeuser-ssh.pub
(The same public key in PEM format can be extracted with openssl rsa -pubout, but it will be of little use.)
If you have a DSA key, it should work exactly the same as RSA.
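As an added illustration (not part of the answer above, and not OpenSSH's or OpenSSL's own code), the following Python script works through the claim with the small demo key quoted in the answer: it parses the PKCS#1 RSAPrivateKey structure inside the PEM, builds the authorized_keys line that ssh-keygen -y would print and the SubjectPublicKeyInfo PEM that openssl rsa -pubout would print, and then checks that both public forms carry the same modulus as the private key. Only the standard library is used; the function names and the "joeuser" comment are choices made for this example.

```python
# Added example (not from the original answer); Python standard library only.
import base64
import struct

# The 128-bit demo key quoted in the answer above (illustration only; far too small for real use).
DEMO_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQCxQaFwijLYlXTOlwqnSW9PAgMBAAECEETwgqpzhX0IVhUa0OK0tgkC
CQDXPo7HDY3axQIJANLRsrFxClMDAghaZp7GwU2T1QIIMlVMo57Ihz8CCFSoKo3F
2L/2
-----END RSA PRIVATE KEY-----"""

def pem_to_der(pem, label):
    """Strip the BEGIN/END armor and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
        raise ValueError(f"not a {label} PEM block")
    return base64.b64decode("".join(lines[1:-1]))

def der_read(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_pkcs1_private_key(pem):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }."""
    tag, body, _ = der_read(pem_to_der(pem, "RSA PRIVATE KEY"))
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big"))
    version, n, e, d, p, q = ints[:6]
    if version != 0 or p * q != n:  # sanity-check the key before trusting it
        raise ValueError("inconsistent RSA private key")
    return {"n": n, "e": e, "d": d, "p": p, "q": q}

def unsigned_bytes(x):
    """Big-endian bytes with a leading 0x00 whenever the top bit is set (DER and SSH mpint rule)."""
    return x.to_bytes(x.bit_length() // 8 + 1, "big")

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def openssh_public_line(key, comment="joeuser"):
    """The authorized_keys line that `ssh-keygen -y -f joeuser.key` prints."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(unsigned_bytes(key["e"])) + ssh_string(unsigned_bytes(key["n"]))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def der_tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def spki_public_pem(key):
    """The PEM that `openssl rsa -pubout` prints: SubjectPublicKeyInfo wrapping RSAPublicKey {n, e}."""
    n_e = der_tlv(0x02, unsigned_bytes(key["n"])) + der_tlv(0x02, unsigned_bytes(key["e"]))
    rsa_pub = der_tlv(0x30, n_e)
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption with NULL parameters
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING, zero unused bits
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def modulus_from_openssh_line(line):
    """Walk the ssh-rsa blob: string "ssh-rsa", mpint e, mpint n."""
    blob, pos, fields = base64.b64decode(line.split()[1]), 0, []
    while pos < len(blob):
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big")

def modulus_from_spki_pem(pem):
    """Descend SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> n."""
    _, spki, _ = der_read(pem_to_der(pem, "PUBLIC KEY"))
    _, _, pos = der_read(spki)          # skip the AlgorithmIdentifier
    _, bitstr, _ = der_read(spki, pos)  # first byte counts unused bits
    _, rsa_pub, _ = der_read(bitstr[1:])
    return int.from_bytes(der_read(rsa_pub)[1], "big")

def same_key_in_both_formats(pem_private):
    """True when the OpenSSH line and the SPKI PEM made from one key agree on n."""
    key = parse_pkcs1_private_key(pem_private)
    n_ssh = modulus_from_openssh_line(openssh_public_line(key))
    n_x509 = modulus_from_spki_pem(spki_public_pem(key))
    return n_ssh == n_x509 == key["n"]

if __name__ == "__main__":
    k = parse_pkcs1_private_key(DEMO_KEY_PEM)
    print(openssh_public_line(k), spki_public_pem(k), same_key_in_both_formats(DEMO_KEY_PEM), sep="\n")
```

Running it prints the ssh-rsa line, the PEM public key and True. The same cross-check on real files, without this script, is to compare `openssl rsa -in joeuser.key -noout -modulus` with `openssl x509 -in joeuser.pem -noout -modulus`; if the two moduli differ, the certificate was not issued for that key and neither SSH nor HTTPS will behave as expected.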
Solution 2:
OpenSSH has experimental support for x509 certificates here:
http://roumenpetrov.info/openssh
You could issue a single x509 certificate per user and use it for both.
Instead of putting the user's pubkey in their authorized_keys, you can specify the allowed DNs of the user certificates; and you must configure the webserver/web application so that the DN is translated to a username.