Skip to main content
This guide walks through setting up SSH certificate authentication. Instead of managing passwords or SSH keys, Infisical mints a short-lived certificate for each session — valid only for that session, so there’s nothing to rotate or revoke.

Prerequisites

  • Admin access to the folder where you’ll create the account
  • Root/sudo access on the target server
  • The server must be reachable from your Gateway

Steps

1

Create the SSH Account

  1. Go to Privileged Access Management → Accounts and click Add Account
  2. Select your folder and an SSH template
  3. Fill in the connection details (host, port, username)
  4. Set Authentication Method to Certificate
  5. Click Create
2

Configure the Server

Open the account you just created. You’ll see a CA Setup section.
Copy the setup command from the account page and run it on your server. The script downloads the CA public key, configures sshd to trust it, and restarts the service.
Verify the setup:
sudo sshd -T | grep trustedusercakeys
3

Connect

Your team can now connect from My Access — either in the browser or using the CLI proxy.
  1. Go to Privileged Access Management → My Access
  2. Find the account and click Launch

Why Certificates?

  • No static credentials to rotate or leak
  • Short-lived and valid only for the session
  • Per-account CAs so compromising one doesn’t affect others
  • Automatic key management for users

Next Steps

Sessions

View SSH session recordings.

Team Access Guide

Grant team access to databases.