Internet Engineering Task Force D. Miller Internet-Draft OpenSSH Intended status: Standards Track 14 June 2026 Expires: 16 December 2026 SSH Certificate Format draft-ietf-sshm-cert-01 Abstract This document presents a lightweight certificate format that may be used in the context of the Secure Shell (SSH) protocol for user and host authentication. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 16 December 2026. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Miller Expires 16 December 2026 [Page 1] Internet-Draft SSH Certificate Format June 2026 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Certificate Format . . . . . . . . . . . . . . . . . . . . . 3 2.1. Public certificate format . . . . . . . . . . . . . . . . 3 2.1.1. General structure and common fields . . . . . . . . . 3 2.1.2. DSA certificates . . . . . . . . . . . . . . . . . . 5 2.1.3. ECDSA certificates . . . . . . . . . . . . . . . . . 6 2.1.4. EDDSA certificates . . . . . . . . . . . . . . . . . 6 2.1.5. RSA certificates . . . . . . . . . . . . . . . . . . 7 2.1.6. Other certificate formats . . . . . . . . . . . . . . 8 2.2. Option / extension encoding . . . . . . . . . . . . . . . 8 2.3. Certificate extensions . . . . . . . . . . . . . . . . . 9 2.4. Critical options . . . . . . . . . . . . . . . . . . . . 11 2.5. Private certificate format . . . . . . . . . . . . . . . 12 2.5.1. DSA certificates . . . . . . . . . . . . . . . . . . 12 2.5.2. ECDSA certificates . . . . . . . . . . . . . . . . . 12 2.5.3. EDDSA certificates . . . . . . . . . . . . . . . . . 12 2.5.4. RSA certificates . . . . . . . . . . . . . . . . . . 13 3. Using certificates . . . . . . . . . . . . . . . . . . . . . 13 3.1. Accepting certificates . . . . . . . . . . . . . . . . . 13 3.2. Certificate signatures . . . . . . . . . . . . . . . . . 14 3.3. Use in host authentication . . . . . . . . . . . . . . . 14 3.4. Use in user authentication . . . . . . . . . . . . . . . 15 4. Protocol numbers . . . . . . . . . . . . . . . . . . . . . . 15 4.1. Certificate types . . . . . . . . . . . . . . . . . . . . 15 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 5.1. Additions to SSH key type registry . . . . . . . . . . . 16 5.2. New registry: Certificate Extension Identifiers . . . . . 16 5.3. New registry: Certificate Criticial Option Identifiers . 17 5.4. New registry: Certificate Type Numbers . . . . . . . . . 17 6. Security Considerations . . . . . . . . . . . . . . . . . . . 18 7. Implementation Status . . . . . . . . . . . . . . . . . . . . 19 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 8.1. Normative References . . . . . . . . . . . . . . . . . . 21 8.2. Informative References . . . . . . . . . . . . . . . . . 22 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 23 Annotated example . . . . . . . . . . . . . . . . . . . . . . . . 23 Example certificates . . . . . . . . . . . . . . . . . . . . . . 26 Example ssh-ed25519-cert . . . . . . . . . . . . . . . . . . . 26 Example ssh-rsa-cert . . . . . . . . . . . . . . . . . . . . . 28 Example ecdsa-sha2-nistp256-cert . . . . . . . . . . . . . . . 34 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 36 Miller Expires 16 December 2026 [Page 2] Internet-Draft SSH Certificate Format June 2026 1. Introduction Secure Shell (SSH) is a protocol for secure remote connections and login over untrusted networks. SSH uses public key signatures for host authentication and commonly uses them for user authentication. This document describes a lightweight certificate format for use in these contexts. It may be used for server authentication as part of key exchange (Section 7 of [RFC4253]) and for user public key authentication (Section 7 of [RFC4252]). 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Certificate Format All values in a certificate are encoded using the SSH wire representations specified by Section 5 of [RFC4251]. Additionally, the type "byte[]" indicates a sequence of bytes where the length is determined by context. All lengths are in bytes unless otherwise specified. 2.1. Public certificate format 2.1.1. General structure and common fields Certificates have the following general structure: string key type string nonce byte[] public key fields uint64 serial number uint32 certificate role string identifier string principals uint64 valid after uint64 valid before string critical options string extensions string reserved string signature key string signature Miller Expires 16 December 2026 [Page 3] Internet-Draft SSH Certificate Format June 2026 The "key type" string identifies the certificate type, e.g. "ssh- ed25519-cert" identifies an ED25519 certificate. The valid certificate types are listed below. The "nonce" field contains a random nonce. This value MUST be at least 16 bytes in length. 32 bytes is typical. The "public key fields" section contains the actual public key material. These are specified below for each certificate type. The "certificate role" field indicates the role of the certificate, either SSH2_CERT_TYPE_USER for user authentication certificates or SSH2_CERT_TYPE_HOST authentication certificates. The "identifier" field contains a UTF-8 encoded, human-readable identifier for the certificate, suitable for display to the user, recording in logs, etc. The "principals" field contains one or more UTF-8 encoded names, themselves encoded as strings, for example: string principal[0] string principal[1] ... string principal[N] These names identify the principals the certificate is intended to authenticate. In the case of user certificates, these will typically be user names, whereas for host certificates they will be host names and/or numerical addresses. The "valid after" and "valid before" field represent a validity interval for the certificate with each field being interpreted as a number of seconds since the Unix epoch (00:00:00 UTC on 1 January 1970) except for two special values. A zero value in the "valid after" field indicates that the certificate is valid from any time to the "valid before" date. A all-1s (i.e. 0xFFFFFFFFFFFFFFFF) value in the "valid before" field indicates that the certificate has no end expiry date. The "critical options" field contains zero or more of the certificate options described in Section 2.4 and encoded as described in Section 2.2. If an implementation does not recognise or support a particular option contained in a certificate, then it MUST refuse to accept the certificate for authentication. Miller Expires 16 December 2026 [Page 4] Internet-Draft SSH Certificate Format June 2026 The "extensions" field similarly contains zero or more of the certificate extensions described in Section 2.3 and encoded as described in Section 2.2. An implementation that does not recognise or support an extension present in a certificate extension section MUST ignore the extension. The "reserved" field is reserved for future use. Implementations MUST ignore the contents of this field if it is not empty. The "signature key" field contains the certification authority (CA) key used to sign the certificate, encoded as a SSH public key blob. Implementations MUST NOT accept certificate keys as CA keys. The "signature" field contains a signature, made using the CA signature key over the entire certificate excluding the "signature" field itself (i.e. everything from the "key type" up to and including the "signature key"). The signature is encoded using the standard SSH signature encoding for the CA key type in question, e.g. Section 3.1.2 of [RFC5656] for ECDSA CA keys. 2.1.2. DSA certificates DSA certificates have key type "ssh-dss-cert" and certify DSA keys as defined in Section 6.6 of [RFC4253]. This format is equivalent to the vendor extension "ssh-dss-cert-v01@openssh.com". string "ssh-dss-cert" string nonce mpint p mpint q mpint g mpint y uint64 serial number uint32 certificate role string identifier string principals uint64 valid after uint64 valid before string critical options string extensions string reserved string signature key string signature The "p", "q", "g" values are the DSA domain parameters. "y" is the public key value. These values are as defined by Section 4.1 of [FIPS.186-4]. Miller Expires 16 December 2026 [Page 5] Internet-Draft SSH Certificate Format June 2026 2.1.3. ECDSA certificates ECDSA certificates are represented by the key types "ecdsa- sha2-nistp256-cert", "ecdsa-sha2-nistp384-cert" and "ecdsa- sha2-nistp521-cert". They respectively certify "ecdsa- sha2-nistp256", "ecdsa-sha2-nistp384" and "ecdsa-sha2-nistp521" respectively, as defined by Section 3.1 of [RFC5656]. This format is equivalent to the vendor extensions "ecdsa-sha2-nistp256-cert- v01@openssh.com", "ecdsa-sha2-nistp384-cert-v01@openssh.com" and "ecdsa-sha2-nistp521-cert-v01@openssh.com". string "ecdsa-sha2-nistp256-cert" | "ecdsa-sha2-nistp384-cert" | "ecdsa-sha2-nistp521-cert" string nonce string ecdsa_curve_name string Q uint64 serial number uint32 certificate role string identifier string principals uint64 valid after uint64 valid before string critical options string extensions string reserved string signature key string signature The value "Q" is the ECDSA public value as defined by Section 6.2 of [FIPS.186-5]. 2.1.4. EDDSA certificates EDDSA certificates have key type "ssh-ed25519-cert" or "ssh- ed448-cert" and certify Ed25519 and Ed448 keys (respectively) as defined by [RFC8709]. This format is equivalent to the vendor extension "ssh-ed25519-cert-v01@openssh.com". Miller Expires 16 December 2026 [Page 6] Internet-Draft SSH Certificate Format June 2026 string "ssh-ed25519-cert" | "ssh-ed448-cert" string nonce string ENC(A) uint64 serial number uint32 certificate role string identifier string principals uint64 valid after uint64 valid before string critical options string extensions string reserved string signature key string signature The value ENC(A) is the EDDSA public key, the contents and interpretation of which are defined by Section 3.2 of [RFC8032]. 2.1.5. RSA certificates RSA certificates have type "ssh-rsa-cert". These certify RSA, as defined in Section 6.6 of [RFC4253]. This format is equivalent to the vendor extension "ssh-rsa-cert-v01@openssh.com". string "ssh-rsa-cert" string nonce mpint e mpint n uint64 serial number uint32 certificate role string identifier string principals uint64 valid after uint64 valid before string critical options string extensions string reserved string signature key string signature "n" is the public composite modulus and "e" is the public exponent. These values are defined by Section 5.1 of [FIPS.186-4]. Miller Expires 16 December 2026 [Page 7] Internet-Draft SSH Certificate Format June 2026 2.1.5.1. RSA SHA2 signature algorithms [RFC8332] specifies RSA variants that use SHA256 and SHA512. Advertising support for these algorithms with certificates (e.g. in the SSH_MSG_KEXINIT server_host_key_algorithms field) is possible using the algorithm names "rsa-sha2-256-cert" and "rsa- sha2-512-cert". These names should only be used when advertising or requesting signature algorithms and should never appear as the key type in serialised public keys. The equivalent pre-standardisation vendor extension names are "rsa- sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert- v01@openssh.com". 2.1.6. Other certificate formats SSH clients and server clients MAY support additional key types not documented here. Vendor-specific key types should use the domain- qualified naming convention defined in Section 4.2 of [RFC4251]. 2.2. Option / extension encoding The "critical options" and "extensions" certificate sections use the same format for encoding, though they differ in how unsupported options are handled. Both sections consist of zero or more key/value pairs, encoded as a pair of strings: string key string value "key" should be a UTF-8 encoded string that identifies the option being encoded. Available keys for extensions and for critical options sections are listed below, but implementations may add their own options using the domain-qualified naming convention defined in Section 4.2 of [RFC4251]. The contents and format of "value" are specific to each option or extension. Key/value pairs MUST be ordered lexically by key name. A common pattern for flag-type options is for the value to be the empty string. For example, this is a complete extensions section that encodes a single flag value "permit-user-rc". Miller Expires 16 December 2026 [Page 8] Internet-Draft SSH Certificate Format June 2026 00000016 # Extensions section len=22 0000000e # 1st key string len=14 7065726d69742d757365722d7263 # "permit-user-rc" 00000000 # 1st value string len=0 For options whose values encode textual values, it is common for the value to contain a nested string. For example, the following is a complete critical options section that sets a string-values option "force-command" to the value "sftp". 0000001d # Criticial options len=29 0000000d # 1st key string len=13 666f7263652d636f6d6d616e64 # "force-command" 00000008 # 1st value string len=8 00000004 # value body string len=4 73667470 # "sftp" Finally, the following is an example of a critical options section that contains a flag option "foo@example.com" and a string-valued option "force-command" with a the value "sftp". 00000038 # Criticial options len=56 0000000f # 1st key string len=15 666f6f406578616d706c652e636f6d # "foo@example.com" 00000000 # 1st value string len=0 0000000d # 2nd key string len=13 666f7263652d636f6d6d616e64 # "force-command" 00000008 # 2nd value string len=8 00000004 # value body string len=4 73667470 # "sftp" 2.3. Certificate extensions Certificate extensions are encoded using the rules in Section 2.2. When an implementation encounters an extension it does not recognise or support, it MUST ignore it and continue processing the certificate without error. There are no defined certificate extensions for host certificates. The initially defined certificate extensions for user certificates are: no-touch-required Valid for key types that support user-presence Miller Expires 16 December 2026 [Page 9] Internet-Draft SSH Certificate Format June 2026 assertions in their signatures (such as FIDO-backed keys). This option indicates that signatures made with this certificate that do not assert user-presence should be accepted, reversing the default behaviour of refusing such signatures. Note that no such key types are currently standardised, but some SSH implementation support them as vendor extensions. This is a flag-type option. Its value is the empty string. permit-agent-forwarding Indicates that sessions authenticated with this certificate may request authentication agent forwarding [I-D.ietf-sshm-ssh-agent]. Certificates that lack this extension MUST not permit this protocol feature be enabled on SSH server implementations that support it. This is a flag-type option. Its value is the empty string. permit-port-forwarding Indicates that sessions authenticated with this certificate may request authentication TCP forwarding using the "tcpip-forward" and/or "direct-tcpip" SSH channel requests defined in Section 7 of [RFC4254]. Certificates that lack this extension MUST not permit these protocol features be enabled on SSH server implementations that support them. This is a flag-type option. Its value is the empty string. permit-pty Indicates that sessions authenticated with this certificate may request pseudo-terminal allocation using the "pty- req" SSH channel request defined in Section 6.2 of [RFC4254]. Certificates that lack this extension MUST not permit this protocol feature be enabled on SSH server implementations that support it. This is a flag-type option. Its value is the empty string. permit-user-rc Indicates that sessions authenticated with this certificate may execute optional SSH-specific user initialisation scripts (e.g. "~/.ssh/rc"). Certificates that lack this extension MUST not process these scripts on SSH server implementations that support them. This is a flag-type option. Its value is the empty string. permit-X11-forwarding Indicates that sessions authenticated with Miller Expires 16 December 2026 [Page 10] Internet-Draft SSH Certificate Format June 2026 this certificate may request X11 protocol forwarding using the "x11-req" SSH channel request defined in Section 6.3 of [RFC4254]. Certificates that lack this extension MUST not permit this protocol feature be enabled on SSH server implementations that support it. This is a flag-type option. Its value is the empty string. SSH implementations may define additional vendor extensions using the domain-qualified naming convention defined in Section 4.2 of [RFC4251]. 2.4. Critical options Certificate critical options are encoded using the rules in Section 2.2. When an implementation encounters an option it does not recognise or support, it MUST refuse to accept the certificate for authorisation decisions. There are no defined critical options for host certificates. The initially defined critical options for user certificates are: force-command Forces the execution of the specified command for any session (Section 6.5 of [RFC4254]) of type "exec" or "shell" and overrides the subsystem name for sessions of type "subsystem". This is a string-type option. Its value contains a nested string which holds the command string. source-address Provides an allow-list of source addresses from which the certificate is valid. The address list consists of zero or more CIDR ranges (e.g. "192.0.2.0/29") or wildcard addresses (e.g. "192.0.2.*") separated by commas. If this option is present, servers MUST refuse connections from sources that are not listed. This is a string-type option. Its value contains a nested string which holds the allow-list. verify-required Valid for key types that support user verification assertions in their signatures (such as FIDO-backed keys). This option indicates that signatures made with this certificate that must require this assertion to be present in the signature and that servers MUST refuse authentication if it is absent. Note that no such key types are currently standardised, but some SSH implementation support them as vendor extensions. This is a flag-type option. Its value is the empty string. Miller Expires 16 December 2026 [Page 11] Internet-Draft SSH Certificate Format June 2026 SSH implementations may define additional vendor extensions using the domain-qualified naming convention defined in Section 4.2 of [RFC4251]. 2.5. Private certificate format For cases where a certificate and its associated private key must be serialised, such as adding one to a SSH authentication agent [I-D.ietf-sshm-ssh-agent], the following format is used; string key type string certificate blob byte[] private key fields Where "key type" is the type of the certificate being encoded (e.g. "ssh-rsa-cert"), "certificate blob" is the entire encoded certificate as described in Section 2.1 and "private key fields" contain the encoded private key values as described in the following sections. 2.5.1. DSA certificates DSA certificates with private keys use the following encoding format. string "ssh-dss-cert" string certificate blob mpint x The "x" parameter is defined as per Section 4.1 of [FIPS.186-4]. 2.5.2. ECDSA certificates ECDSA certificates with private keys use the following encoding format. string "ecdsa-sha2-nistp256-cert" | "ecdsa-sha2-nistp384-cert" | "ecdsa-sha2-nistp521-cert" string certificate blob mpint d The "d" value is defined by Section 6.2 of [FIPS.186-5]. 2.5.3. EDDSA certificates EDDSA certificates with private keys use the following encoding format. Miller Expires 16 December 2026 [Page 12] Internet-Draft SSH Certificate Format June 2026 string "ssh-ed25519-cert" | "ssh-ed448-cert" string certificate blob string k || ENC(A) The encoded value is a concatenation of the private key k and the public ENC(A) key. The contents and interpretation of the ENC(A) and k values are defined by Section 3.2 of [RFC8032]. 2.5.4. RSA certificates RSA certificates with private keys use the following encoding format. string "ssh-rsa-cert" string certificate blob mpint d mpint iqmp mpint p mpint q "p" and "q" are its constituent private prime factors. "iqmp" is the inverse of "q" modulo "p". All these values except "iqmp" (which can be calculated from the others) are defined by Section 5.1 of [FIPS.186-4]. 3. Using certificates Certificates may be appear and be used any place in the SSH protocol where plain keys are used. In particular, they may be used for server authentication or for user public-key authentication. For each of these cases, the certificate, encoded as per Section 2.1 appears in place of the encoded key. 3.1. Accepting certificates Implementations that accept a certificate MUST verify the CA signature over the certificate contents prior to making any authentication or authorisation decisions. Implementations MAY elect to verify the certificate signature as soon as the certificate is received. When making authentication or authorisation decisions with a certificate, implementations: * MUST check that the certificate is well-formed * MUST ensure that no unsupported critical options are present Miller Expires 16 December 2026 [Page 13] Internet-Draft SSH Certificate Format June 2026 * MUST check that the "certificate role" matches the intended decision type (user or host authentication) * MUST check the time against the certificate validity interval * MUST verify that at least one of the listed certificate principals is accepted * MUST perform any additional authorisation operations required by critical options. 3.2. Certificate signatures When signatures are required, they are made and formatted using the same rules for the underlying plain key type. For example, a "ssh- rsa-cert" could produce signatures of types "ssh-rsa" using the rules from Section 6.6 of [RFC4253], or "rsa-sha2-256" or "rsa-sha2-512" using the rules from Section 3 of [RFC8332]. 3.3. Use in host authentication Certificate host keys may be used for server authentication as part of the initial key exchange or for subsequent re-exchange. To use a certificate host key, its key type name (e.g. "ssh-ed25519-cert") must appear in the server_host_key_algorithms of the SSH_MSG_KEXINIT (Section 7.1 of [RFC5656]). If negotiated by both the server and the client, then a certificate of the agreed type may take the place of the plain host key in the final reply message. For example in ECDH host authentication (Section 4 of [RFC5656]), host authentication occurs in the final SSH_MSG_KEX_ECDH_REPLY message: byte SSH_MSG_KEX_ECDH_REPLY string K_S, server's certificate string Q_S, server's ephemeral ECDH public key string the signature on the exchange hash Certificates used for host authentication MUST have "certificate role" of SSH2_CERT_TYPE_HOST. Other certificate types MUST NOT be accepted. Certificate host keys list hostnames and/or IP addresses for the host in their "principals" section. Clients MUST match the hostname or address thay are using for the host against the principals in this list and refuse to authorise the certificate if it is absent. Clients that accept certified host keys MAY downgrade the certificate to a plain public key and process it accordingly, if they are unable to verify the certificate. This allows recovery from the situation Miller Expires 16 December 2026 [Page 14] Internet-Draft SSH Certificate Format June 2026 where the endpoints negotiate use of a cerificate host key but the client is not able to authorise the certificate contents, perhaps because the CA is not trusted or because the host name the client is using does not match any in the certificate. 3.4. Use in user authentication For user public key authentication No prior negotiation is needed to send a user authentication attempt that contains a certificate, though clients may wish to filter the ones they send against the server's list of accepted publickey authentication signature algorithms if one was provided via the [RFC8308] SSH_MSG_EXT_INFO mechanism. Certificates used for user authentication MUST have "certificate role" of SSH2_CERT_TYPE_USER. Other certificate types MUST not be accepted. Certificate keys for user authentication list one or more user principal names in their "principals" section. Interpretation and authorisation of principal names for a given target user name is fully determined by the server. In the trivial case, a certificate may list user names directly and the server merely matches the user name in the SSH_MSG_USERAUTH_REQUEST (Section 7 of [RFC4252]) to one of the principals in the certificate. To make a user authentication attempt using a certificate user key, the certificate takes the place of the plain public key in a SSH_MSG_USERAUTH_REQUEST message. For example: byte SSH_MSG_USERAUTH_REQUEST string user name string service name string "publickey" boolean TRUE string certificate key algorithm name string encoded certificate string signature 4. Protocol numbers 4.1. Certificate types The following numbers are used for certificate types: SSH2_CERT_TYPE_USER 1 SSH2_CERT_TYPE_HOST 2 Miller Expires 16 December 2026 [Page 15] Internet-Draft SSH Certificate Format June 2026 5. IANA Considerations This format requires creation of one new registry and additions to an existing registry. 5.1. Additions to SSH key type registry IANA is requested to insert the following entries into the table Public Key Algorithm Names [IANA-SSH-KEYTYPES] under Secure Shell (SSH) Protocol Parameters registry group [RFC4250]. +==========================+=================+ | Key type name | Reference | +==========================+=================+ | ssh-dss-cert | Section 2.1.2 | +--------------------------+-----------------+ | ecdsa-sha2-nistp256-cert | Section 2.1.3 | +--------------------------+-----------------+ | ecdsa-sha2-nistp384-cert | Section 2.1.3 | +--------------------------+-----------------+ | ecdsa-sha2-nistp521-cert | Section 2.1.3 | +--------------------------+-----------------+ | ssh-ed25519-cert | Section 2.1.4 | +--------------------------+-----------------+ | ssh-ed448-cert | Section 2.1.4 | +--------------------------+-----------------+ | ssh-rsa-cert | Section 2.1.5 | +--------------------------+-----------------+ | rsa-sha2-256-cert | Section 2.1.5.1 | +--------------------------+-----------------+ | rsa-sha2-512-cert | Section 2.1.5.1 | +--------------------------+-----------------+ Table 1 5.2. New registry: Certificate Extension Identifiers This registry, titled "Certificate Extension Identifiers" records identifiers for certificate extensions. It should be created in the Secure Shell (SSH) Protocol Parameters registry group [RFC4250]. Its initial state should consist of the following names. Future name allocations shall occur via EXPERT REVIEW as per [RFC8126]. Miller Expires 16 December 2026 [Page 16] Internet-Draft SSH Certificate Format June 2026 +=========================+=============+ | Extension name | Reference | +=========================+=============+ | no-touch-required | Section 2.3 | +-------------------------+-------------+ | permit-agent-forwarding | Section 2.3 | +-------------------------+-------------+ | permit-port-forwarding | Section 2.3 | +-------------------------+-------------+ | permit-pty | Section 2.3 | +-------------------------+-------------+ | permit-user-rc | Section 2.3 | +-------------------------+-------------+ | permit-X11-forwarding | Section 2.3 | +-------------------------+-------------+ Table 2 5.3. New registry: Certificate Criticial Option Identifiers This registry, titled "Certificate Critical Option Identifiers" records identifiers for certificate critical options. It should be created in the Secure Shell (SSH) Protocol Parameters registry group [RFC4250]. Its initial state should consist of the following names. Future names allocations shall occur via EXPERT REVIEW as per [RFC8126]. +=================+=============+ | Option name | Reference | +=================+=============+ | force-command | Section 2.4 | +-----------------+-------------+ | source-address | Section 2.4 | +-----------------+-------------+ | verify-required | Section 2.4 | +-----------------+-------------+ Table 3 5.4. New registry: Certificate Type Numbers This registry, titled "Certificate Type Numbers" records the numbers used to indicate the types of certificates. It should be created in the Secure Shell (SSH) Protocol Parameters registry group [RFC4250]. Its initial state should consist of the following numbers. Future message number allocations shall occur via EXPERT REVIEW as per [RFC8126]. Miller Expires 16 December 2026 [Page 17] Internet-Draft SSH Certificate Format June 2026 +========+=====================+=============+ | Number | Identifier | Reference | +========+=====================+=============+ | 1 | SSH2_CERT_TYPE_USER | Section 4.1 | +--------+---------------------+-------------+ | 2 | SSH2_CERT_TYPE_HOST | Section 4.1 | +--------+---------------------+-------------+ Table 4 6. Security Considerations The security of any public key certificate system depends ultimately on the certification authority (CA). If the certification authority can be pursuaded by an attacker to sign certificates that are not intended, or if the private key material for the CA is leaked to an attacker, then the attacker gains the ability to create improper certificates that will be accepted by all endpoints that trust the CA. Specifying the exact process by which certificates are issued and the operational requirements of running a CA is beyond the scope of this document, but certification authorities MUST ensure that signing requests are authentic and that they are authorised by the CA's policy. Similarly, CAs MUST protect their private key material against theft, accidental disclosure or leakage. Such protection may be afforded by isolating the CA private key in a separate signing service, storing it in a hardware token or security module and/or by keeping it offline except when it is explicitly needed. Certification authorities MUST select their signing key algorithm and strength to be sufficiently secure for the expected operational life of the signing key. For completeness, this document specifies certificate formats that are peers for all currently-specified SSH key and signature types, but not all SSH key and signature types are currently recommended for use. Specifically, the DSA key type (and associated certificate format) SHOULD NOT be used as the algorithm, as instantiated in SSH, is unacceptable weak as it uses a fixed 1024 bit key length, which is insufficient, and requires the use of SHA1, which is known to be broken, as a signature hash. Similarly the original "ssh-rsa" signature type also uses SHA1 as a signature hash and so SHOULD NOT be used. SSH clients, servers and other tools processing SSH certificates SHOULD implement allowlists of accepted key and signature types and SHOULD by default disallow the ssh-dss-cert certificate type and certificate signatures made using the ssh-rsa signature algorithm. Miller Expires 16 December 2026 [Page 18] Internet-Draft SSH Certificate Format June 2026 This specification does not define a revocation mechanism for certificates that should no longer be accepted, for example if their private key material is known to have been compromised or if it is no longer desirable to accept the principal they identify for policy or operational reasons. Implementations that accept SSH certificates SHOULD have some mechanism to disallow individual certificates that are no longer acceptable despite their being otherwise valid. In its simplest form, this mechanism could be a simple list of certificate serial numbers to disallow, or an explicit list of certificates, encoded as serialised public keys using [RFC4716] or another public key encoding. This document does not specify how SSH clients or servers come to trust CA keys. It is RECOMMENDED that implementations define a clear mechanism to define trust of a CA public key and its desired scope. For example, a SSH client SHOULD allow trusting a CA key for only a defined set of domain names such as subdomains of an organisation's TLD. Any limits that a client or server places on the scope of a trusted CA key MUST compose sensibly and safely with restrictions specified within certificates issued from that CA. For example, if a SSH server supports trusting a CA key but selectively disallows SSH TCP/IP port forwarding (Section 7 of [RFC4254]), then the "permit- port-forwarding" critical option would not be expected to re-enable it. 7. Implementation Status This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to [RFC7942], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". Miller Expires 16 December 2026 [Page 19] Internet-Draft SSH Certificate Format June 2026 The following example projects maintain implementations of SSH certificates. All have implemented them in the vendor extension namespace, e.g. "ssh-rsa-cert-v01@openssh.com". OpenSSH OpenSSH is the originating implementation of this protocol and has supported it since 2010. Website: https://www.openssh.com/ libssh libssh has supported this format since 2011. Website: https://www.libssh.org/ Golang x/crypto/ssh The Go programming language project has supported an implementation of this format in its external "x" repository since 2012. Website: https://pkg.go.dev/golang.org/x/crypto/ssh Net::SSH The Net::SSH library has supported this format since 2014. Website: https://net-ssh.github.io/net-ssh/ AsyncSSH The AsyncSSH library has supported this format since 2015. Website: https://github.com/ronf/asyncssh Paramiko The Paramiko library has supported this format since 2017 Website: https://www.paramiko.org/ Apache MINA SSHD The Apache MINA SSHD server library has supported this format since 2020. Website: https://mina.apache.org/sshd-project/ PuTTY The PuTTY SSH client has supported this format since 2022. Website: https://www.chiark.greenend.org.uk/~sgtatham/putty/ russh The russh library has supported this format since 2024. Website: https://github.com/Eugeny/russh Additionally, Google's HIBA system [HIBA] builds on top of the OpenSSH certificate format to perform centralised authorisation for pool of target hosts. Miller Expires 16 December 2026 [Page 20] Internet-Draft SSH Certificate Format June 2026 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) Protocol Assigned Numbers", RFC 4250, DOI 10.17487/RFC4250, January 2006, . [RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251, January 2006, . [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, January 2006, . [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, January 2006, . [RFC4254] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Connection Protocol", RFC 4254, DOI 10.17487/RFC4254, January 2006, . [RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer", RFC 5656, DOI 10.17487/RFC5656, December 2009, . [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, . [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . Miller Expires 16 December 2026 [Page 21] Internet-Draft SSH Certificate Format June 2026 [RFC8332] Bider, D., "Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol", RFC 8332, DOI 10.17487/RFC8332, March 2018, . [RFC8308] Bider, D., "Extension Negotiation in the Secure Shell (SSH) Protocol", RFC 8308, DOI 10.17487/RFC8308, March 2018, . [RFC8709] Harris, B. and L. Velvindron, "Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol", RFC 8709, DOI 10.17487/RFC8709, February 2020, . [I-D.ietf-sshm-ssh-agent] Miller, D., "SSH Agent Protocol", Work in Progress, Internet-Draft, draft-ietf-sshm-ssh-agent-02, 16 March 2025, . [FIPS.186-4] National Institute of Standards and Technology, "Digital Signature Standard (DSS)", FIPS PUB 186-4, DOI 10.6028/NIST.FIPS.186-4, July 2013, . [FIPS.186-5] National Institute of Standards and Technology, "Digital Signature Standard (DSS)", FIPS PUB 186-5, DOI 10.6028/NIST.FIPS.186-5, February 2023, . 8.2. Informative References [RFC4716] Galbraith, J. and R. Thayer, "The Secure Shell (SSH) Public Key File Format", RFC 4716, DOI 10.17487/RFC4716, November 2006, . [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016, . [IANA-SSH-KEYTYPES] IANA, "Public Key Algorithm Names", . Miller Expires 16 December 2026 [Page 22] Internet-Draft SSH Certificate Format June 2026 [HIBA] Google, "HIBA: Host Identity Based Authorization", . Acknowledgements Jeremy Norris and Yiyue Wang offered valuable feedback on this document. Annotated example This is an example of a hex-encoded certificate for an ecdsa- sha2-nistp256-cert public key, signed by a ssh-ed25519 certificate authority. Miller Expires 16 December 2026 [Page 23] Internet-Draft SSH Certificate Format June 2026 0000: 0000 0018 6563 6473 612d 7368 6132 2d6e ....ecdsa-sha2-n 0010: 6973 7470 3235 362d 6365 7274 0000 0020 istp256-cert... 0020: 7ee0 cb87 8240 788b 087e 0a23 f505 1828 ~....@x..~.#...( 0030: 98e1 510f b3a2 fcf6 4086 30f6 25b1 aa19 ..Q.....@.0.%... 0040: 0000 0008 6e69 7374 7032 3536 0000 0041 ....nistp256...A 0050: 04a5 7c7c 0829 b7ee 3473 1383 52b8 afc1 ..||.)..4s..R... 0060: 673c 7145 29de 5f0f a699 4f08 6f58 8f96 g..=d.... 0050: f8e7 74d1 4044 bc5d 8be8 eec5 0000 0000 ..t.@D.]........ 0060: 075b cd15 0000 0001 0000 0006 6772 6567 .[..........greg 0070: 6f72 0000 0019 0000 0006 6772 6567 6f72 or........gregor 0080: 0000 000b 6772 6567 6f72 7361 6d73 6100 ....gregorsamsa. 0090: 0000 005e 0be1 0000 0000 0098 5b1c df00 ...^........[... 00a0: 0000 4b00 0000 0d66 6f72 6365 2d63 6f6d ..K....force-com 00b0: 6d61 6e64 0000 000d 0000 0009 2f62 696e mand......../bin 00c0: 2f74 7275 6500 0000 0e73 6f75 7263 652d /true....source- 00d0: 6164 6472 6573 7300 0000 1300 0000 0f31 address........1 00e0: 3237 2e30 2e30 2e30 2f38 2c3a 3a31 0000 27.0.0.0/8,::1.. 00f0: 0082 0000 0015 7065 726d 6974 2d58 3131 ......permit-X11 0100: 2d66 6f72 7761 7264 696e 6700 0000 0000 -forwarding..... 0110: 0000 1770 6572 6d69 742d 6167 656e 742d ...permit-agent- 0120: 666f 7277 6172 6469 6e67 0000 0000 0000 forwarding...... 0130: 0016 7065 726d 6974 2d70 6f72 742d 666f ..permit-port-fo 0140: 7277 6172 6469 6e67 0000 0000 0000 000a rwarding........ 0150: 7065 726d 6974 2d70 7479 0000 0000 0000 permit-pty...... 0160: 000e 7065 726d 6974 2d75 7365 722d 7263 ..permit-user-rc 0170: 0000 0000 0000 0000 0000 0033 0000 000b ...........3.... 0180: 7373 682d 6564 3235 3531 3900 0000 2044 ssh-ed25519... D 0190: 7c22 f946 0fd9 5a5e b8da 3ebe fc3d 6414 |".F..Z^..>..=d. 01a0: ca0e 1af8 e774 d140 44bc 5d8b e8ee c500 .....t.@D.]..... 01b0: 0000 5300 0000 0b73 7368 2d65 6432 3535 ..S....ssh-ed255 01c0: 3139 0000 0040 3131 1578 758b b5d8 64d5 19...@11.xu...d. 01d0: 5aad cd95 8d06 a7af eb87 6233 954c 4045 Z.........b3.L@E 01e0: 28c6 2b32 7bcf 5a9d 9193 6a9a f42b 74e1 (.+2{.Z...j..+t. 01f0: 7e37 0d4b 826e 7572 2e20 24c4 416a 7f0d ~7.K.nur. $.Aj.. 0200: 2df8 fff2 9e03 0a -...... Private certificate Miller Expires 16 December 2026 [Page 27] Internet-Draft SSH Certificate Format June 2026 0000: 0000 0010 7373 682d 6564 3235 3531 392d ....ssh-ed25519- 0010: 6365 7274 0000 0206 0000 0010 7373 682d cert........ssh- 0020: 6564 3235 3531 392d 6365 7274 0000 0020 ed25519-cert... 0030: 28d4 8ffa 9efe c6d7 65b5 f391 d05c 63f8 (.......e....\c. 0040: a2f3 d22a 51f3 d09f 4f7b 07db a2c6 83fd ...*Q...O{...... 0050: 0000 0020 447c 22f9 460f d95a 5eb8 da3e ... D|".F..Z^..> 0060: befc 3d64 14ca 0e1a f8e7 74d1 4044 bc5d ..=d......t.@D.] 0070: 8be8 eec5 0000 0000 075b cd15 0000 0001 .........[...... 0080: 0000 0006 6772 6567 6f72 0000 0019 0000 ....gregor...... 0090: 0006 6772 6567 6f72 0000 000b 6772 6567 ..gregor....greg 00a0: 6f72 7361 6d73 6100 0000 005e 0be1 0000 orsamsa....^.... 00b0: 0000 0098 5b1c df00 0000 4b00 0000 0d66 ....[.....K....f 00c0: 6f72 6365 2d63 6f6d 6d61 6e64 0000 000d orce-command.... 00d0: 0000 0009 2f62 696e 2f74 7275 6500 0000 ..../bin/true... 00e0: 0e73 6f75 7263 652d 6164 6472 6573 7300 .source-address. 00f0: 0000 1300 0000 0f31 3237 2e30 2e30 2e30 .......127.0.0.0 0100: 2f38 2c3a 3a31 0000 0082 0000 0015 7065 /8,::1........pe 0110: 726d 6974 2d58 3131 2d66 6f72 7761 7264 rmit-X11-forward 0120: 696e 6700 0000 0000 0000 1770 6572 6d69 ing........permi 0130: 742d 6167 656e 742d 666f 7277 6172 6469 t-agent-forwardi 0140: 6e67 0000 0000 0000 0016 7065 726d 6974 ng........permit 0150: 2d70 6f72 742d 666f 7277 6172 6469 6e67 -port-forwarding 0160: 0000 0000 0000 000a 7065 726d 6974 2d70 ........permit-p 0170: 7479 0000 0000 0000 000e 7065 726d 6974 ty........permit 0180: 2d75 7365 722d 7263 0000 0000 0000 0000 -user-rc........ 0190: 0000 0033 0000 000b 7373 682d 6564 3235 ...3....ssh-ed25 01a0: 3531 3900 0000 2044 7c22 f946 0fd9 5a5e 519... D|".F..Z^ 01b0: b8da 3ebe fc3d 6414 ca0e 1af8 e774 d140 ..>..=d......t.@ 01c0: 44bc 5d8b e8ee c500 0000 5300 0000 0b73 D.].......S....s 01d0: 7368 2d65 6432 3535 3139 0000 0040 3131 sh-ed25519...@11 01e0: 1578 758b b5d8 64d5 5aad cd95 8d06 a7af .xu...d.Z....... 01f0: eb87 6233 954c 4045 28c6 2b32 7bcf 5a9d ..b3.L@E(.+2{.Z. 0200: 9193 6a9a f42b 74e1 7e37 0d4b 826e 7572 ..j..+t.~7.K.nur 0210: 2e20 24c4 416a 7f0d 2df8 fff2 9e03 0000 . $.Aj..-....... 0220: 0020 447c 22f9 460f d95a 5eb8 da3e befc . D|".F..Z^..>.. 0230: 3d64 14ca 0e1a f8e7 74d1 4044 bc5d 8be8 =d......t.@D.].. 0240: eec5 0000 0040 341a d7c1 b87f 3eb5 2eb5 .....@4.....>... 0250: dd8c 4b23 5dc9 b67b 7fe4 8505 3704 6c3d ..K#]..{....7.l= 0260: c191 ba63 3133 447c 22f9 460f d95a 5eb8 ...c13D|".F..Z^. 0270: da3e befc 3d64 14ca 0e1a f8e7 74d1 4044 .>..=d......t.@D 0280: bc5d 8be8 eec5 .].... Example ssh-rsa-cert Miller Expires 16 December 2026 [Page 28] Internet-Draft SSH Certificate Format June 2026 0000: 0000 000c 7373 682d 7273 612d 6365 7274 ....ssh-rsa-cert 0010: 0000 0020 7213 39e9 f52b 3902 ed5d ebcb ... r.9..+9..].. 0020: e13d a769 bacb f5c1 b324 0721 f8bc 95a2 .=.i.....$.!.... 0030: 3e55 89d5 0000 0003 0100 0100 0001 8100 >U.............. 0040: b2e1 917d 6ee9 3029 4f41 9736 3bf5 1869 ...}n.0)OA.6;..i 0050: d6ee 1a8a ee8a a0ef 6405 5fb9 42fa 255e ........d._.B.%^ 0060: 99f7 6982 b0ba ca6c e787 a943 2a39 3827 ..i....l...C*98' 0070: d49f c7dd 4897 9522 c7f1 b2d6 cd50 3bb6 ....H..".....P;. 0080: 6930 8c9f 82e2 a6e9 6816 0315 f0f4 e002 i0......h....... 0090: c832 4981 5f3c 05c4 842f 770e 08dc 132b .2I._<.../w....+ 00a0: 312f acf9 a24f 2ab8 f7b5 bf83 6f95 5b83 1/...O*.....o.[. 00b0: 21eb e291 c323 a07d dbb0 96dd d0cf 7bf7 !....#.}......{. 00c0: 1652 3a4e 9f6d bd35 054e 4630 b73a 3be6 .R:N.m.5.NF0.:;. 00d0: 1f4d 420f b498 883e b76f 4254 ab37 33f0 .MB....>.oBT.73. 00e0: 7a89 99c2 1155 8ae1 a6e0 54e1 096b cb96 z....U....T..k.. 00f0: b368 c956 45f4 b08d f1eb ac62 ced4 4b51 .h.VE......b..KQ 0100: 24e2 2ecd 14cb 8805 3132 9c8e 2800 276a $.......12..(.'j 0110: 4f2c f9bb 0847 11c0 301f fc88 d830 3c15 O,...G..0....0<. 0120: 360f f407 d893 5310 b37e 9838 79a8 8fbe 6.....S..~.8y... 0130: fc31 7b39 a13a 0195 0e21 6678 23cf ad14 .1{9.:...!fx#... 0140: be25 31c8 f2a6 108c 3d92 cf69 0c2e af2a .%1.....=..i...* 0150: b673 ca4d 18a2 078b e726 cf41 02b3 0656 .s.M.....&.A...V 0160: fb7f aba4 6a30 7c6f ede0 5771 7afa 2206 ....j0|o..Wqz.". 0170: 9a1d 95c1 4c94 d496 a7c8 3722 bd0f 28e5 ....L.....7"..(. 0180: 244e b2c6 5307 0ec3 86a5 d0f0 26b1 b079 $N..S.......&..y 0190: 8732 c733 3966 fd10 c932 1502 3527 a779 .2.39f...2..5'.y 01a0: 26e6 5cbf ea0c 86bb 535b 8bc7 4330 7517 &.\.....S[..C0u. 01b0: fc7f 3506 2062 70d4 4598 ca7e 3777 8f13 ..5. bp.E..~7w.. 01c0: 0000 0000 075b cd15 0000 0001 0000 0006 .....[.......... 01d0: 6772 6567 6f72 0000 0019 0000 0006 6772 gregor........gr 01e0: 6567 6f72 0000 000b 6772 6567 6f72 7361 egor....gregorsa 01f0: 6d73 6100 0000 005e 0be1 0000 0000 0098 msa....^........ 0200: 5b1c df00 0000 4b00 0000 0d66 6f72 6365 [.....K....force 0210: 2d63 6f6d 6d61 6e64 0000 000d 0000 0009 -command........ 0220: 2f62 696e 2f74 7275 6500 0000 0e73 6f75 /bin/true....sou 0230: 7263 652d 6164 6472 6573 7300 0000 1300 rce-address..... 0240: 0000 0f31 3237 2e30 2e30 2e30 2f38 2c3a ...127.0.0.0/8,: 0250: 3a31 0000 0082 0000 0015 7065 726d 6974 :1........permit 0260: 2d58 3131 2d66 6f72 7761 7264 696e 6700 -X11-forwarding. 0270: 0000 0000 0000 1770 6572 6d69 742d 6167 .......permit-ag 0280: 656e 742d 666f 7277 6172 6469 6e67 0000 ent-forwarding.. 0290: 0000 0000 0016 7065 726d 6974 2d70 6f72 ......permit-por 02a0: 742d 666f 7277 6172 6469 6e67 0000 0000 t-forwarding.... 02b0: 0000 000a 7065 726d 6974 2d70 7479 0000 ....permit-pty.. 02c0: 0000 0000 000e 7065 726d 6974 2d75 7365 ......permit-use 02d0: 722d 7263 0000 0000 0000 0000 0000 0197 r-rc............ 02e0: 0000 0007 7373 682d 7273 6100 0000 0301 ....ssh-rsa..... 02f0: 0001 0000 0181 00b2 e191 7d6e e930 294f ..........}n.0)O Miller Expires 16 December 2026 [Page 29] Internet-Draft SSH Certificate Format June 2026 0300: 4197 363b f518 69d6 ee1a 8aee 8aa0 ef64 A.6;..i........d 0310: 055f b942 fa25 5e99 f769 82b0 baca 6ce7 ._.B.%^..i....l. 0320: 87a9 432a 3938 27d4 9fc7 dd48 9795 22c7 ..C*98'....H..". 0330: f1b2 d6cd 503b b669 308c 9f82 e2a6 e968 ....P;.i0......h 0340: 1603 15f0 f4e0 02c8 3249 815f 3c05 c484 ........2I._<... 0350: 2f77 0e08 dc13 2b31 2fac f9a2 4f2a b8f7 /w....+1/...O*.. 0360: b5bf 836f 955b 8321 ebe2 91c3 23a0 7ddb ...o.[.!....#.}. 0370: b096 ddd0 cf7b f716 523a 4e9f 6dbd 3505 .....{..R:N.m.5. 0380: 4e46 30b7 3a3b e61f 4d42 0fb4 9888 3eb7 NF0.:;..MB....>. 0390: 6f42 54ab 3733 f07a 8999 c211 558a e1a6 oBT.73.z....U... 03a0: e054 e109 6bcb 96b3 68c9 5645 f4b0 8df1 .T..k...h.VE.... 03b0: ebac 62ce d44b 5124 e22e cd14 cb88 0531 ..b..KQ$.......1 03c0: 329c 8e28 0027 6a4f 2cf9 bb08 4711 c030 2..(.'jO,...G..0 03d0: 1ffc 88d8 303c 1536 0ff4 07d8 9353 10b3 ....0<.6.....S.. 03e0: 7e98 3879 a88f befc 317b 39a1 3a01 950e ~.8y....1{9.:... 03f0: 2166 7823 cfad 14be 2531 c8f2 a610 8c3d !fx#....%1.....= 0400: 92cf 690c 2eaf 2ab6 73ca 4d18 a207 8be7 ..i...*.s.M..... 0410: 26cf 4102 b306 56fb 7fab a46a 307c 6fed &.A...V....j0|o. 0420: e057 717a fa22 069a 1d95 c14c 94d4 96a7 .Wqz.".....L.... 0430: c837 22bd 0f28 e524 4eb2 c653 070e c386 .7"..(.$N..S.... 0440: a5d0 f026 b1b0 7987 32c7 3339 66fd 10c9 ...&..y.2.39f... 0450: 3215 0235 27a7 7926 e65c bfea 0c86 bb53 2..5'.y&.\.....S 0460: 5b8b c743 3075 17fc 7f35 0620 6270 d445 [..C0u...5. bp.E 0470: 98ca 7e37 778f 1300 0001 9400 0000 0c72 ..~7w..........r 0480: 7361 2d73 6861 322d 3531 3200 0001 8032 sa-sha2-512....2 0490: 472d 6129 fbbb ecac 4199 4bb1 1fc7 b140 G-a)....A.K....@ 04a0: d857 2214 b4dc 1e5e 8712 0d43 d176 4647 .W"....^...C.vFG 04b0: 137a 58f5 c4ec c12c 6c94 615e c9fe 0fbc .zX....,l.a^.... 04c0: 895f a618 2076 486b e421 24e2 eafb a186 ._.. vHk.!$..... 04d0: d729 4052 47d5 c858 17a7 0292 83dc 27e4 .)@RG..X......'. 04e0: b310 5220 611d 04e0 4bab 0591 3fb6 fc5d ..R a...K...?..] 04f0: 3b7d acf4 f32b a1d4 b16a bae3 0316 27e7 ;}...+...j....'. 0500: 5fb0 34ed 608f a1c0 dc31 d253 7807 5c08 _.4.`....1.Sx.\. 0510: 2806 b412 6265 ec78 51c7 473c 7d77 e4c1 (...be.xQ.G<}w.. 0520: db8b 4876 d0d5 f479 e721 63d6 cfde 754b ..Hv...y.!c...uK 0530: 1f59 7db1 5dbc d281 5ca5 dac7 4ab5 3dc3 .Y}.]...\...J.=. 0540: 3cef 211c 1b15 be36 442b cf29 e906 cbc2 <.!....6D+.).... 0550: 0c84 040b 1b9d 4b22 dca8 fd88 2e42 5089 ......K".....BP. 0560: 9606 158f a499 a057 948e e49a f612 b3fb .......W........ 0570: 3490 71b7 cfa9 f8c2 9bc4 c596 8466 4776 4.q..........fGv 0580: c265 47dc 43d7 4741 1fb3 2231 21e6 e5c7 .eG.C.GA.."1!... 0590: 92c8 f637 d1c0 2c53 0d04 0281 8593 26ad ...7..,S......&. 05a0: c004 4f40 ee2a efef fdba 1b60 dfe9 187f ..O@.*.....`.... 05b0: 55e7 829d 4a6b e97b 94ae fe3d 8518 36ea U...Jk.{...=..6. 05c0: d829 1665 af4a 2f52 03be 78de 8cf7 9861 .).e.J/R..x....a 05d0: 83ac 1347 2ab6 2ec4 5e2b f103 16f5 bc4d ...G*...^+.....M 05e0: 1ba4 9e5d 14d4 ed5a 0e78 e76a 1e55 8d3c ...]...Z.x.j.U.< 05f0: 58fc 4b01 726f 1a8e 56dd 86d4 16a7 fcea X.K.ro..V....... Miller Expires 16 December 2026 [Page 30] Internet-Draft SSH Certificate Format June 2026 0600: 9d0f 009f 5b30 2719 cf83 4334 7045 c10a ....[0'...C4pE.. Private certificate 0000: 0000 000c 7373 682d 7273 612d 6365 7274 ....ssh-rsa-cert 0010: 0000 060f 0000 000c 7373 682d 7273 612d ........ssh-rsa- 0020: 6365 7274 0000 0020 7213 39e9 f52b 3902 cert... r.9..+9. 0030: ed5d ebcb e13d a769 bacb f5c1 b324 0721 .]...=.i.....$.! 0040: f8bc 95a2 3e55 89d5 0000 0003 0100 0100 ....>U.......... 0050: 0001 8100 b2e1 917d 6ee9 3029 4f41 9736 .......}n.0)OA.6 0060: 3bf5 1869 d6ee 1a8a ee8a a0ef 6405 5fb9 ;..i........d._. 0070: 42fa 255e 99f7 6982 b0ba ca6c e787 a943 B.%^..i....l...C 0080: 2a39 3827 d49f c7dd 4897 9522 c7f1 b2d6 *98'....H..".... 0090: cd50 3bb6 6930 8c9f 82e2 a6e9 6816 0315 .P;.i0......h... 00a0: f0f4 e002 c832 4981 5f3c 05c4 842f 770e .....2I._<.../w. 00b0: 08dc 132b 312f acf9 a24f 2ab8 f7b5 bf83 ...+1/...O*..... 00c0: 6f95 5b83 21eb e291 c323 a07d dbb0 96dd o.[.!....#.}.... 00d0: d0cf 7bf7 1652 3a4e 9f6d bd35 054e 4630 ..{..R:N.m.5.NF0 00e0: b73a 3be6 1f4d 420f b498 883e b76f 4254 .:;..MB....>.oBT 00f0: ab37 33f0 7a89 99c2 1155 8ae1 a6e0 54e1 .73.z....U....T. 0100: 096b cb96 b368 c956 45f4 b08d f1eb ac62 .k...h.VE......b 0110: ced4 4b51 24e2 2ecd 14cb 8805 3132 9c8e ..KQ$.......12.. 0120: 2800 276a 4f2c f9bb 0847 11c0 301f fc88 (.'jO,...G..0... 0130: d830 3c15 360f f407 d893 5310 b37e 9838 .0<.6.....S..~.8 0140: 79a8 8fbe fc31 7b39 a13a 0195 0e21 6678 y....1{9.:...!fx 0150: 23cf ad14 be25 31c8 f2a6 108c 3d92 cf69 #....%1.....=..i 0160: 0c2e af2a b673 ca4d 18a2 078b e726 cf41 ...*.s.M.....&.A 0170: 02b3 0656 fb7f aba4 6a30 7c6f ede0 5771 ...V....j0|o..Wq 0180: 7afa 2206 9a1d 95c1 4c94 d496 a7c8 3722 z.".....L.....7" 0190: bd0f 28e5 244e b2c6 5307 0ec3 86a5 d0f0 ..(.$N..S....... 01a0: 26b1 b079 8732 c733 3966 fd10 c932 1502 &..y.2.39f...2.. 01b0: 3527 a779 26e6 5cbf ea0c 86bb 535b 8bc7 5'.y&.\.....S[.. 01c0: 4330 7517 fc7f 3506 2062 70d4 4598 ca7e C0u...5. bp.E..~ 01d0: 3777 8f13 0000 0000 075b cd15 0000 0001 7w.......[...... 01e0: 0000 0006 6772 6567 6f72 0000 0019 0000 ....gregor...... 01f0: 0006 6772 6567 6f72 0000 000b 6772 6567 ..gregor....greg 0200: 6f72 7361 6d73 6100 0000 005e 0be1 0000 orsamsa....^.... 0210: 0000 0098 5b1c df00 0000 4b00 0000 0d66 ....[.....K....f 0220: 6f72 6365 2d63 6f6d 6d61 6e64 0000 000d orce-command.... 0230: 0000 0009 2f62 696e 2f74 7275 6500 0000 ..../bin/true... 0240: 0e73 6f75 7263 652d 6164 6472 6573 7300 .source-address. 0250: 0000 1300 0000 0f31 3237 2e30 2e30 2e30 .......127.0.0.0 0260: 2f38 2c3a 3a31 0000 0082 0000 0015 7065 /8,::1........pe 0270: 726d 6974 2d58 3131 2d66 6f72 7761 7264 rmit-X11-forward 0280: 696e 6700 0000 0000 0000 1770 6572 6d69 ing........permi 0290: 742d 6167 656e 742d 666f 7277 6172 6469 t-agent-forwardi 02a0: 6e67 0000 0000 0000 0016 7065 726d 6974 ng........permit 02b0: 2d70 6f72 742d 666f 7277 6172 6469 6e67 -port-forwarding Miller Expires 16 December 2026 [Page 31] Internet-Draft SSH Certificate Format June 2026 02c0: 0000 0000 0000 000a 7065 726d 6974 2d70 ........permit-p 02d0: 7479 0000 0000 0000 000e 7065 726d 6974 ty........permit 02e0: 2d75 7365 722d 7263 0000 0000 0000 0000 -user-rc........ 02f0: 0000 0197 0000 0007 7373 682d 7273 6100 ........ssh-rsa. 0300: 0000 0301 0001 0000 0181 00b2 e191 7d6e ..............}n 0310: e930 294f 4197 363b f518 69d6 ee1a 8aee .0)OA.6;..i..... 0320: 8aa0 ef64 055f b942 fa25 5e99 f769 82b0 ...d._.B.%^..i.. 0330: baca 6ce7 87a9 432a 3938 27d4 9fc7 dd48 ..l...C*98'....H 0340: 9795 22c7 f1b2 d6cd 503b b669 308c 9f82 ..".....P;.i0... 0350: e2a6 e968 1603 15f0 f4e0 02c8 3249 815f ...h........2I._ 0360: 3c05 c484 2f77 0e08 dc13 2b31 2fac f9a2 <.../w....+1/... 0370: 4f2a b8f7 b5bf 836f 955b 8321 ebe2 91c3 O*.....o.[.!.... 0380: 23a0 7ddb b096 ddd0 cf7b f716 523a 4e9f #.}......{..R:N. 0390: 6dbd 3505 4e46 30b7 3a3b e61f 4d42 0fb4 m.5.NF0.:;..MB.. 03a0: 9888 3eb7 6f42 54ab 3733 f07a 8999 c211 ..>.oBT.73.z.... 03b0: 558a e1a6 e054 e109 6bcb 96b3 68c9 5645 U....T..k...h.VE 03c0: f4b0 8df1 ebac 62ce d44b 5124 e22e cd14 ......b..KQ$.... 03d0: cb88 0531 329c 8e28 0027 6a4f 2cf9 bb08 ...12..(.'jO,... 03e0: 4711 c030 1ffc 88d8 303c 1536 0ff4 07d8 G..0....0<.6.... 03f0: 9353 10b3 7e98 3879 a88f befc 317b 39a1 .S..~.8y....1{9. 0400: 3a01 950e 2166 7823 cfad 14be 2531 c8f2 :...!fx#....%1.. 0410: a610 8c3d 92cf 690c 2eaf 2ab6 73ca 4d18 ...=..i...*.s.M. 0420: a207 8be7 26cf 4102 b306 56fb 7fab a46a ....&.A...V....j 0430: 307c 6fed e057 717a fa22 069a 1d95 c14c 0|o..Wqz.".....L 0440: 94d4 96a7 c837 22bd 0f28 e524 4eb2 c653 .....7"..(.$N..S 0450: 070e c386 a5d0 f026 b1b0 7987 32c7 3339 .......&..y.2.39 0460: 66fd 10c9 3215 0235 27a7 7926 e65c bfea f...2..5'.y&.\.. 0470: 0c86 bb53 5b8b c743 3075 17fc 7f35 0620 ...S[..C0u...5. 0480: 6270 d445 98ca 7e37 778f 1300 0001 9400 bp.E..~7w....... 0490: 0000 0c72 7361 2d73 6861 322d 3531 3200 ...rsa-sha2-512. 04a0: 0001 8032 472d 6129 fbbb ecac 4199 4bb1 ...2G-a)....A.K. 04b0: 1fc7 b140 d857 2214 b4dc 1e5e 8712 0d43 ...@.W"....^...C 04c0: d176 4647 137a 58f5 c4ec c12c 6c94 615e .vFG.zX....,l.a^ 04d0: c9fe 0fbc 895f a618 2076 486b e421 24e2 ....._.. vHk.!$. 04e0: eafb a186 d729 4052 47d5 c858 17a7 0292 .....)@RG..X.... 04f0: 83dc 27e4 b310 5220 611d 04e0 4bab 0591 ..'...R a...K... 0500: 3fb6 fc5d 3b7d acf4 f32b a1d4 b16a bae3 ?..];}...+...j.. 0510: 0316 27e7 5fb0 34ed 608f a1c0 dc31 d253 ..'._.4.`....1.S 0520: 7807 5c08 2806 b412 6265 ec78 51c7 473c x.\.(...be.xQ.G< 0530: 7d77 e4c1 db8b 4876 d0d5 f479 e721 63d6 }w....Hv...y.!c. 0540: cfde 754b 1f59 7db1 5dbc d281 5ca5 dac7 ..uK.Y}.]...\... 0550: 4ab5 3dc3 3cef 211c 1b15 be36 442b cf29 J.=.<.!....6D+.) 0560: e906 cbc2 0c84 040b 1b9d 4b22 dca8 fd88 ..........K".... 0570: 2e42 5089 9606 158f a499 a057 948e e49a .BP........W.... 0580: f612 b3fb 3490 71b7 cfa9 f8c2 9bc4 c596 ....4.q......... 0590: 8466 4776 c265 47dc 43d7 4741 1fb3 2231 .fGv.eG.C.GA.."1 05a0: 21e6 e5c7 92c8 f637 d1c0 2c53 0d04 0281 !......7..,S.... 05b0: 8593 26ad c004 4f40 ee2a efef fdba 1b60 ..&...O@.*.....` Miller Expires 16 December 2026 [Page 32] Internet-Draft SSH Certificate Format June 2026 05c0: dfe9 187f 55e7 829d 4a6b e97b 94ae fe3d ....U...Jk.{...= 05d0: 8518 36ea d829 1665 af4a 2f52 03be 78de ..6..).e.J/R..x. 05e0: 8cf7 9861 83ac 1347 2ab6 2ec4 5e2b f103 ...a...G*...^+.. 05f0: 16f5 bc4d 1ba4 9e5d 14d4 ed5a 0e78 e76a ...M...]...Z.x.j 0600: 1e55 8d3c 58fc 4b01 726f 1a8e 56dd 86d4 .U. 07c0: 677c 55a7 0678 3dc2 251b fb93 53ce e960 g|U..x=.%...S..` 07d0: 9a2b afb1 7ac2 9482 2f90 c565 7556 5166 .+..z.../..euVQf 07e0: 6b59 fcae 748a 53f3 b795 0439 cbb4 14ed kY..t.S....9.... 07f0: 739a b3a5 c2d1 ac58 e3d5 72b4 68f2 c5e5 s......X..r.h... 0800: bd65 208c 8939 3efe d7f2 58dc 9edf 4e75 .e ..9>...X...Nu 0810: 1833 85c4 3bc8 6e47 9eda 2606 c6fb 0255 .3..;.nG..&....U 0820: 24a6 fa11 34da 41e4 9384 7024 3a13 928c $...4.A...p$:... 0830: ca13 4267 efdf 7ab2 0970 486b fc46 caba ..Bg..z..pHk.F.. 0840: 60bd cb1b cca7 5dbf b2c0 c85c b430 7a0b `.....]....\.0z. 0850: 1856 d7a2 b3fc b399 30ec 4d60 0991 d2a8 .V......0.M`.... 0860: 442e a930 4d2d f85d 6443 9500 0000 c100 D..0M-.]dC...... 0870: f5e2 dadb cd2a 8bf3 3522 ff42 0561 628b .....*..5".B.ab. 0880: 9068 b402 7517 a8e2 411d d44b 888b ee29 .h..u...A..K...) 0890: 5fde 4263 81a9 f593 d617 aaa5 c398 1a94 _.Bc............ 08a0: 937f a387 626c 4a1e c835 6858 c57f 52e5 ....blJ..5hX..R. 08b0: 05f2 cabb f97d 0d07 7d38 071a a409 2277 .....}..}8...."w Miller Expires 16 December 2026 [Page 33] Internet-Draft SSH Certificate Format June 2026 08c0: 79df 1e4a 4d15 cbf1 f3f4 6324 34b8 85d6 y..JM.....c$4... 08d0: 67b8 cd99 c156 afc4 f7c1 730c 9e4f 879f g....V....s..O.. 08e0: 9932 6762 bcd4 4705 ed36 2db4 0993 14f5 .2gb..G..6-..... 08f0: 84a3 ba52 31fc b6b8 80a4 b950 267f 0426 ...R1......P&..& 0900: c280 e1b4 4dbb 61a1 6e36 4ed3 225e 38a9 ....M.a.n6N."^8. 0910: c8d7 2f61 8b4b e824 3b4f ae0f 74e7 8b28 ../a.K.$;O..t..( 0920: a28e 09a0 f83e 5b00 dbc7 dd15 d12b af81 .....>[......+.. 0930: 0000 00c1 00ba 3d29 0aac 5ded d5aa 49a4 ......=)..]...I. 0940: 9282 b5af f719 8059 c3c4 5e97 baf8 b9bc .......Y..^..... 0950: abb1 94af e5b2 0d91 103e 9991 8247 2054 .........>...G T 0960: 0575 e313 1d65 d607 125b a2b7 c0ff cc01 .u...e...[...... 0970: 776e c582 ab4a e5b0 6d7a 81b1 c8b3 fca8 wn...J..mz...... 0980: f8b8 090e 7183 9d4e 7bf7 2c4a d19a 51e5 ....q..N{.,J..Q. 0990: cc3b 6b98 c5bc 59a9 6fc2 682a c2dc f080 .;k...Y.o.h*.... 09a0: f478 156a 9a90 9e4e 5f80 af7a a9da 0457 .x.j...N_..z...W 09b0: e8a3 e95a 4520 27f7 73c9 942a 27c7 9102 ...ZE '.s..*'... 09c0: 60b8 b51d 51d9 3a0b 0b06 9e8b 9d02 406a `...Q.:.......@j 09d0: 8cdf 9b1c 8670 0a64 6e06 6016 d878 4953 .....p.dn.`..xIS 09e0: 9121 cc61 8ba8 96b6 acf9 ac51 0b33 5961 .!.a.......Q.3Ya 09f0: 24ec c5c8 93 $.... Example ecdsa-sha2-nistp256-cert Miller Expires 16 December 2026 [Page 34] Internet-Draft SSH Certificate Format June 2026 0000: 0000 0018 6563 6473 612d 7368 6132 2d6e ....ecdsa-sha2-n 0010: 6973 7470 3235 362d 6365 7274 0000 0020 istp256-cert... 0020: 569e e207 4580 0c0c 9d29 89d5 cee9 4ceb V...E....)....L. 0030: 0770 ea4f fac8 09e2 c64e f5a0 0a20 3a2a .p.O.....N... :* 0040: 0000 0008 6e69 7374 7032 3536 0000 0041 ....nistp256...A 0050: 046f d32e 1565 4d0d 5722 096c be53 b07a .o...eM.W".l.S.z 0060: ea84 0ec1 dc1d d453 c1d9 17ae 2305 e3cf .......S....#... 0070: 9089 5a0e 020e fc4f 2005 cb55 e4a6 dfa1 ..Z....O ..U.... 0080: 0b33 d307 057f 0a20 c0e7 3b89 0f91 bf12 .3..... ..;..... 0090: e300 0000 0007 5bcd 1500 0000 0100 0000 ......[......... 00a0: 0667 7265 676f 7200 0000 1900 0000 0667 .gregor........g 00b0: 7265 676f 7200 0000 0b67 7265 676f 7273 regor....gregors 00c0: 616d 7361 0000 0000 5e0b e100 0000 0000 amsa....^....... 00d0: 985b 1cdf 0000 004b 0000 000d 666f 7263 .[.....K....forc 00e0: 652d 636f 6d6d 616e 6400 0000 0d00 0000 e-command....... 00f0: 092f 6269 6e2f 7472 7565 0000 000e 736f ./bin/true....so 0100: 7572 6365 2d61 6464 7265 7373 0000 0013 urce-address.... 0110: 0000 000f 3132 372e 302e 302e 302f 382c ....127.0.0.0/8, 0120: 3a3a 3100 0000 8200 0000 1570 6572 6d69 ::1........permi 0130: 742d 5831 312d 666f 7277 6172 6469 6e67 t-X11-forwarding 0140: 0000 0000 0000 0017 7065 726d 6974 2d61 ........permit-a 0150: 6765 6e74 2d66 6f72 7761 7264 696e 6700 gent-forwarding. 0160: 0000 0000 0000 1670 6572 6d69 742d 706f .......permit-po 0170: 7274 2d66 6f72 7761 7264 696e 6700 0000 rt-forwarding... 0180: 0000 0000 0a70 6572 6d69 742d 7074 7900 .....permit-pty. 0190: 0000 0000 0000 0e70 6572 6d69 742d 7573 .......permit-us 01a0: 6572 2d72 6300 0000 0000 0000 0000 0000 er-rc........... 01b0: 6800 0000 1365 6364 7361 2d73 6861 322d h....ecdsa-sha2- 01c0: 6e69 7374 7032 3536 0000 0008 6e69 7374 nistp256....nist 01d0: 7032 3536 0000 0041 046f d32e 1565 4d0d p256...A.o...eM. 01e0: 5722 096c be53 b07a ea84 0ec1 dc1d d453 W".l.S.z.......S 01f0: c1d9 17ae 2305 e3cf 9089 5a0e 020e fc4f ....#.....Z....O 0200: 2005 cb55 e4a6 dfa1 0b33 d307 057f 0a20 ..U.....3..... 0210: c0e7 3b89 0f91 bf12 e300 0000 6400 0000 ..;.........d... 0220: 1365 6364 7361 2d73 6861 322d 6e69 7374 .ecdsa-sha2-nist 0230: 7032 3536 0000 0049 0000 0021 00d6 6898 p256...I...!..h. 0240: bbb6 cd2b 0806 d341 052c 2cba a9f0 f732 ...+...A.,,....2 0250: b9e9 8532 23b1 7089 157a 0705 0200 0000 ...2#.p..z...... 0260: 203b 7985 c189 2b34 f184 076b 52a5 39d4 ;y...+4...kR.9. 0270: 54bb ed88 7b7f 6449 ff63 e46c 26e3 00e1 T...{.dI.c.l&... 0280: 0a0a .. Private certificate Miller Expires 16 December 2026 [Page 35] Internet-Draft SSH Certificate Format June 2026 0000: 0000 0018 6563 6473 612d 7368 6132 2d6e ....ecdsa-sha2-n 0010: 6973 7470 3235 362d 6365 7274 0000 0281 istp256-cert.... 0020: 0000 0018 6563 6473 612d 7368 6132 2d6e ....ecdsa-sha2-n 0030: 6973 7470 3235 362d 6365 7274 0000 0020 istp256-cert... 0040: 569e e207 4580 0c0c 9d29 89d5 cee9 4ceb V...E....)....L. 0050: 0770 ea4f fac8 09e2 c64e f5a0 0a20 3a2a .p.O.....N... :* 0060: 0000 0008 6e69 7374 7032 3536 0000 0041 ....nistp256...A 0070: 046f d32e 1565 4d0d 5722 096c be53 b07a .o...eM.W".l.S.z 0080: ea84 0ec1 dc1d d453 c1d9 17ae 2305 e3cf .......S....#... 0090: 9089 5a0e 020e fc4f 2005 cb55 e4a6 dfa1 ..Z....O ..U.... 00a0: 0b33 d307 057f 0a20 c0e7 3b89 0f91 bf12 .3..... ..;..... 00b0: e300 0000 0007 5bcd 1500 0000 0100 0000 ......[......... 00c0: 0667 7265 676f 7200 0000 1900 0000 0667 .gregor........g 00d0: 7265 676f 7200 0000 0b67 7265 676f 7273 regor....gregors 00e0: 616d 7361 0000 0000 5e0b e100 0000 0000 amsa....^....... 00f0: 985b 1cdf 0000 004b 0000 000d 666f 7263 .[.....K....forc 0100: 652d 636f 6d6d 616e 6400 0000 0d00 0000 e-command....... 0110: 092f 6269 6e2f 7472 7565 0000 000e 736f ./bin/true....so 0120: 7572 6365 2d61 6464 7265 7373 0000 0013 urce-address.... 0130: 0000 000f 3132 372e 302e 302e 302f 382c ....127.0.0.0/8, 0140: 3a3a 3100 0000 8200 0000 1570 6572 6d69 ::1........permi 0150: 742d 5831 312d 666f 7277 6172 6469 6e67 t-X11-forwarding 0160: 0000 0000 0000 0017 7065 726d 6974 2d61 ........permit-a 0170: 6765 6e74 2d66 6f72 7761 7264 696e 6700 gent-forwarding. 0180: 0000 0000 0000 1670 6572 6d69 742d 706f .......permit-po 0190: 7274 2d66 6f72 7761 7264 696e 6700 0000 rt-forwarding... 01a0: 0000 0000 0a70 6572 6d69 742d 7074 7900 .....permit-pty. 01b0: 0000 0000 0000 0e70 6572 6d69 742d 7573 .......permit-us 01c0: 6572 2d72 6300 0000 0000 0000 0000 0000 er-rc........... 01d0: 6800 0000 1365 6364 7361 2d73 6861 322d h....ecdsa-sha2- 01e0: 6e69 7374 7032 3536 0000 0008 6e69 7374 nistp256....nist 01f0: 7032 3536 0000 0041 046f d32e 1565 4d0d p256...A.o...eM. 0200: 5722 096c be53 b07a ea84 0ec1 dc1d d453 W".l.S.z.......S 0210: c1d9 17ae 2305 e3cf 9089 5a0e 020e fc4f ....#.....Z....O 0220: 2005 cb55 e4a6 dfa1 0b33 d307 057f 0a20 ..U.....3..... 0230: c0e7 3b89 0f91 bf12 e300 0000 6400 0000 ..;.........d... 0240: 1365 6364 7361 2d73 6861 322d 6e69 7374 .ecdsa-sha2-nist 0250: 7032 3536 0000 0049 0000 0021 00d6 6898 p256...I...!..h. 0260: bbb6 cd2b 0806 d341 052c 2cba a9f0 f732 ...+...A.,,....2 0270: b9e9 8532 23b1 7089 157a 0705 0200 0000 ...2#.p..z...... 0280: 203b 7985 c189 2b34 f184 076b 52a5 39d4 ;y...+4...kR.9. 0290: 54bb ed88 7b7f 6449 ff63 e46c 26e3 00e1 T...{.dI.c.l&... 02a0: 0a00 0000 2042 8814 0f41 9139 42d7 8d8d .... B...A.9B... 02b0: 140f 56da e177 95cd b29f f08d a4b8 614e ..V..w........aN 02c0: e22e 0b69 ee ...i. Author's Address Miller Expires 16 December 2026 [Page 36] Internet-Draft SSH Certificate Format June 2026 Damien Miller OpenSSH Email: djm@openssh.com URI: https://www.openssh.com/ Miller Expires 16 December 2026 [Page 37]