How to revoke an ssh certificate (not ssh identity file!)

I've generated an ssh certificate like this:

  1. ssh-keygen -f ca_key # generate a ssh keypair for use as a certificate
  2. generate a host key ssh-keygen -s ca_key -I cert_identifier -h host_key.pub
  3. specify the host key in the server's sshd config file: TrustedUserCAKeys /etc/ssh/ssh_cert/host_key.pub
  4. generate a local certificate to access the host using an ssh certificate: ssh-keygen -s ca_key -I cert_identifier user_key.pub. This should generate user_key-cert.pub

I can now log into the server using ssh -i user_key user@host (which uses user_key-cert.pub). How can I revoke the certificate other than disabling the TrustedUserCAKeys file?


sshd_config has a RevokedKeys file. You can list multiple keys or certificates in it, one per line. In the future, OpenSSH will support revocation by certificate serial number, which will make for much smaller revocation lists.