How can I use the same key for SSH and SSL (https)

Solution 1:

TL;DR summary: If you have an SSL/X.509 certificate+key, just give the private key file to ssh. Or, if you already have an SSH key in id_rsa, just use it with OpenSSL when signing a CSR. That's all.


Let's assume you have a user's SSL certificate in joeuser.pem and its private key in joeuser.key.

Since X.509 uses standard RSA keys, and so does SSH, you should be able to just tell your SSH client to use joeuser.key -- the only requirement is that it be in an understandable format.

Look at the insides of joeuser.key and check if it looks kinda like this:

-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQCxQaFwijLYlXTOlwqnSW9PAgMBAAECEETwgqpzhX0IVhUa0OK0tgkC
CQDXPo7HDY3axQIJANLRsrFxClMDAghaZp7GwU2T1QIIMlVMo57Ihz8CCFSoKo3F
2L/2
-----END RSA PRIVATE KEY-----

In OpenSSL, this format is called "PEM" (as in -outform pem) and is used by default. The same format is used by OpenSSH, and you can use ssh -i joeuser.key to connect.

You can extract the public key in OpenSSH id_rsa.pub format (for putting into authorized_keys) with:

ssh-keygen -y -f joeuser.key > joeuser-ssh.pub

(The same public key in PEM format can be extracted with openssl rsa -pubout, but it will be of little use.)


If you have a DSA key, it should work exactly the same as RSA.
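Added example, not part of the answer above and not code from OpenSSH or OpenSSL: a standard-library-only Python script that makes the "same key, two encodings" point concrete. It parses the PKCS#1 "RSA PRIVATE KEY" PEM block (the toy 128-bit key quoted in the answer, reproduced here as sample input; real keys are 2048 bits or more), checks that p*q really equals n, and re-encodes the public half in the OpenSSH wire format that `ssh-keygen -y -f joeuser.key` emits, together with the SHA256 fingerprint that `ssh-keygen -lf` prints, so you can compare against what a server logs. One caveat for current systems: recent OpenSSH versions write id_rsa in their own "OPENSSH PRIVATE KEY" container by default, which OpenSSL does not read; `ssh-keygen -p -m PEM -f id_rsa` rewrites it in the PEM form this script (and OpenSSL) expects.

```python
import base64
import hashlib
import struct

# Constructed sample input: the 128-bit "RSA PRIVATE KEY" shown in the answer
# above, reproduced only for parsing. It is a toy key; never use one this small.
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQCxQaFwijLYlXTOlwqnSW9PAgMBAAECEETwgqpzhX0IVhUa0OK0tgkC
CQDXPo7HDY3axQIJANLRsrFxClMDAghaZp7GwU2T1QIIMlVMo57Ihz8CCFSoKo3F
2L/2
-----END RSA PRIVATE KEY-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the PKCS#1 body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN RSA PRIVATE KEY-----" or lines[-1] != "-----END RSA PRIVATE KEY-----":
        raise ValueError("expected an unencrypted PKCS#1 'RSA PRIVATE KEY' PEM block")
    return base64.b64decode("".join(lines[1:-1]))


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER tag-length-value reader (short and long length forms)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_private_key(der: bytes) -> dict:
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv } (RFC 8017)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("unexpected non-INTEGER element in RSAPrivateKey")
        ints.append(int.from_bytes(value, "big"))
    if len(ints) < 9:
        raise ValueError("truncated RSAPrivateKey")
    names = ("version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv")
    return dict(zip(names, ints))


def key_is_consistent(key: dict) -> bool:
    """Cheap sanity check on a key of unknown origin: the modulus must be p*q."""
    return key["version"] == 0 and key["p"] * key["q"] == key["n"]


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # RFC 4251 mpint: leading zero keeps the number positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def ssh_rsa_blob(key: dict) -> bytes:
    """Wire-format public key blob: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(key["e"]) + _ssh_mpint(key["n"])


def authorized_keys_line(key: dict, comment: str = "joeuser") -> str:
    """What `ssh-keygen -y -f joeuser.key` prints: a one-line OpenSSH public key."""
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(key)).decode("ascii") + " " + comment


def sha256_fingerprint(key: dict) -> str:
    """Same form as `ssh-keygen -lf`: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(ssh_rsa_blob(key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    key = parse_rsa_private_key(pem_to_der(SAMPLE_PEM))
    print("modulus bits:", key["n"].bit_length(), "consistent:", key_is_consistent(key))
    print(authorized_keys_line(key))
    print(sha256_fingerprint(key))
```

Because the public blob is built only from n and e, the line this prints for the sample key is byte-for-byte what ssh-keygen derives from the same PEM file; feeding a real key through it and diffing against `ssh-keygen -y` output is a quick way to confirm that the SSL key and the SSH key really are the same key pair.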

Solution 2:

OpenSSH has experimental support for x509 certificates here:

http://roumenpetrov.info/openssh

You could issue a single x509 certificate per user and use them for both.

Instead of putting the user pubkey in their authorized_keys, you can specify the allowed DNs of the user certificates; and you must configure the webserver/web application so that the DN is translated to a username.