Tool that enables users to easily get a signed SSH certificate. Can be used as a stand-alone tool, or added to ssh config to be executed automatically before ssh, scp and sftp.
```text
csc_cert.py -u <username> [-s] [-v] [-r] [-S] [-a mode] [path_to_public_key.pub]
```

Options:

- `-u <username>` - Your username (required)
- `-s` - Silent mode (minimal output)
- `-v` - Verbose mode (detailed output)
- `-r` - Refresh certificate even if old is valid
- `-S` - Show status of keys, certificates, tools, agents, and endpoint connectivity
- `-a <mode>` - Agent handling: which agent(s) the key is added to (platform dependent)
- `path_to_public_key.pub` - Path to SSH public key (default: `~/.ssh/id_ed25519.pub` or `~/.ssh/id_rsa.pub`). On Windows, `.ppk` files are also supported
If the certificate is still valid, the tool exits. Use -r to force
signing a new certificate. If signing is needed, a login URL is
displayed. The user should follow the link and authenticate.
Once authenticated, the signed certificate is downloaded and added to
your SSH agent(s).
The private key does not need to be present on the machine running the tool — signing only requires the public key. When the private key is missing, the certificate is still signed and written to disk, but ssh-agent integration and (on Windows) PPK creation are skipped.
The -a option controls SSH agent handling:

| Mode | Description |
|---|---|
| ssh (default) | Add key to ssh-agent |
| none | Don't add to any agent |
- The signed certificate is saved to `<key>-cert.pub` (e.g., `~/.ssh/id_ed25519-cert.pub`)
- `ssh-add` loads both the private key and the adjacent certificate into `ssh-agent`
- `ssh-agent` must be running for agent integration (only needed if the private key is present)
- `ssh-keygen` must be available (for certificate inspection)
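The refresh decision described above (exit while the current certificate is still valid, re-sign when `-r` is given, inspect the adjacent `<key>-cert.pub` with `ssh-keygen -L`) as an added Python example; this is not code from csc_cert.py. The function names, the expiry margin and the principal check against the username are this example's own assumptions, and the `ssh-keygen -L` listing is a constructed sample, not output captured from a real CA.

```python
import re
import subprocess
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Optional, Tuple

# Added example, not code from csc_cert.py. All names are this example's own.


def cert_path_for(public_key: str) -> Path:
    """Map <key>.pub to the adjacent <key>-cert.pub, as the README states."""
    pub = Path(public_key).expanduser()
    if pub.suffix != ".pub":
        raise ValueError("expected a .pub public key, got %r" % public_key)
    return pub.with_name(pub.stem + "-cert.pub")


def inspect_certificate(cert: Path) -> str:
    """Run `ssh-keygen -L -f <cert>`; needs ssh-keygen on PATH."""
    return subprocess.run(["ssh-keygen", "-L", "-f", str(cert)],
                          capture_output=True, text=True, check=True).stdout


_VALID_LINE = re.compile(r"^\s*Valid:\s*(.*?)\s*$", re.MULTILINE)
_WINDOW = re.compile(r"^from (\S+) to (\S+)$")


def parse_validity(listing: str) -> Tuple[Optional[datetime], Optional[datetime]]:
    """(not_before, not_after) from the `Valid:` line of ssh-keygen -L.

    ssh-keygen prints one of `forever`, `before <t>`, `after <t>` or
    `from <t> to <t>` (local time, ISO-8601 without zone); a missing bound is None.
    """
    m = _VALID_LINE.search(listing)
    if not m:
        raise ValueError("no 'Valid:' line; not a certificate listing")
    spec = m.group(1)
    if spec == "forever":
        return None, None
    if spec.startswith("before "):
        return None, datetime.fromisoformat(spec[len("before "):])
    if spec.startswith("after "):
        return datetime.fromisoformat(spec[len("after "):]), None
    w = _WINDOW.match(spec)
    if not w:
        raise ValueError("unrecognised validity: %r" % spec)
    return datetime.fromisoformat(w.group(1)), datetime.fromisoformat(w.group(2))


def parse_principals(listing: str) -> List[str]:
    """Collect the names listed under `Principals:` (the more-indented lines)."""
    lines = listing.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("Principals:"):
            if "(none)" in line:
                return []
            indent = len(line) - len(line.lstrip())
            names = []
            for nxt in lines[i + 1:]:
                if len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                names.append(nxt.strip())
            return names
    return []


def needs_refresh(listing: str, now, force: bool = False,
                  margin_minutes: int = 0, username: Optional[str] = None) -> bool:
    """True when a new signature should be requested. `now` is a datetime or
    ISO-8601 string. The margin and the username/principal check are this
    example's additions, not behaviour the README promises."""
    if force:
        return True  # -r: refresh even if the old certificate is valid
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    not_before, not_after = parse_validity(listing)
    if not_before is not None and now < not_before:
        return True  # not yet valid (clock skew?): treat as unusable
    if not_after is not None and now + timedelta(minutes=margin_minutes) >= not_after:
        return True  # expired, or expiring within the margin
    if username is not None and username not in parse_principals(listing):
        return True  # signed for another principal: do not reuse it
    return False


# Constructed sample of `ssh-keygen -L` output (not captured from a real CA).
SAMPLE_LISTING = """\
/home/mmeikalainen/.ssh/id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:EXAMPLEuserKeyFingerprint000000000000000000
        Signing CA: ED25519 SHA256:EXAMPLEcaFingerprint0000000000000000000000 (using ssh-ed25519)
        Key ID: "mmeikalainen"
        Serial: 42
        Valid: from 2024-05-01T08:00:00 to 2024-05-01T20:00:00
        Principals: 
                mmeikalainen
        Critical Options: (none)
        Extensions: 
                permit-pty
"""


if __name__ == "__main__":
    print("certificate path:", cert_path_for("~/.ssh/id_ed25519.pub"))
    for when in ("2024-05-01T12:00:00", "2024-05-01T19:50:00", "2024-05-02T09:00:00"):
        verdict = needs_refresh(SAMPLE_LISTING, when, margin_minutes=15, username="mmeikalainen")
        print(when, "-> refresh" if verdict else "-> still valid")
```

On a real machine, replace `SAMPLE_LISTING` with `inspect_certificate(cert_path_for(key))`; `ssh-keygen` exits non-zero if the file is not a certificate, which `check=True` turns into an exception you can treat as "no valid certificate, sign a new one".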
```bash
# Basic usage
csc_cert.py -u mmeikalainen

# With specific key
csc_cert.py -u mmeikalainen ~/.ssh/id_rsa.pub

# Force refresh
csc_cert.py -u mmeikalainen -r

# Skip agent (just download certificate)
csc_cert.py -u mmeikalainen -a none

# Show status
csc_cert.py -S

# Show status including a specific key
csc_cert.py -S ~/.ssh/id_rsa.pub
```

Windows has additional features for PuTTY/Pageant integration.
On Windows one can sign keys stored as OpenSSH keys or keys in PuTTY's PPK format. When starting from OpenSSH keys, certificates for both OpenSSH and PuTTY (PPK) are generated. When starting from PPK, only certificates in PPK format are generated.
The -a option controls which agents receive the key:

| Mode | Description |
|---|---|
| both (default) | Add to both ssh-agent and Pageant |
| ssh | Add to ssh-agent only |
| pageant | Add to Pageant only |
| none | Don't add to any agent |
On Windows, the tool creates a PPK file with the certificate embedded and loads it into Pageant. This enables certificate authentication with PuTTY, WinSCP, and other PuTTY-based tools.
Requirements:

- WinSCP must be installed (provides `winscp.com` for PPK creation)
- Pageant must be running to load keys into it
Note: PuTTY's own puttygen.exe does NOT support embedding
certificates. WinSCP's /keygen command is required.
Use -p / --no-ppk to skip PPK file creation when starting from an
OpenSSH public key. Useful if WinSCP is not installed or PPK output is
not needed. This option is not valid with .ppk input.

| File | Description |
|---|---|
| `<key>-cert.pub` | OpenSSH certificate (e.g., `id_ed25519-cert.pub`) |
| `<key>.ppk` | PuTTY private key with embedded certificate |
```powershell
# Basic usage (adds to both ssh-agent and Pageant)
csc_cert.py -u mmeikalainen

# Pageant only (skip OpenSSH agent)
csc_cert.py -u mmeikalainen -a pageant

# OpenSSH agent only (skip Pageant/PPK)
csc_cert.py -u mmeikalainen -a ssh

# Skip PPK creation (e.g. when WinSCP is not installed)
csc_cert.py -u mmeikalainen --no-ppk

# With specific key
csc_cert.py -u mmeikalainen C:\Users\mmeikalainen\.ssh\id_ed25519.pub

# With key generated by puttygen - native ppk flow with no openssh keys
csc_cert.py -u mmeikalainen C:\Users\mmeikalainen\.ssh\id_ed25519.ppk
```

If your private key is encrypted, you will be prompted for the passphrase up to three times: once when adding the private key and certificate to the OpenSSH agent, once when creating the PPK file, and once when adding to the Pageant agent.