SSH access is ubiquitous — It’s how engineers, scripts, and platforms across the world remotely administer Linux systems. That said, as teams and systems grow, managing access with static SSH keys becomes brittle and issues like key sprawl, unclear boundaries, and poor revocation hygiene start to emerge. SSH certificates offer an alternative approach to securing and managing access at scale.

What is an SSH Certificate?

An SSH certificate is a short-lived, signed credential that proves a user or host’s identity. Unlike static SSH keys, which are distributed and managed manually, SSH certificates rely on a centralized certificate authority (CA) to vouch for identities. There are two types of SSH certificates:
  • User certificates: Issued to users to authenticate with remote hosts
  • Host certificates: Issued to hosts so clients can verify they’re trusted
Because certificates are time-bound and centrally managed, they’re easier to audit, revoke, and scale across infrastructure.

SSH with Infisical

Infisical SSH gives you a secure, scalable way to manage infrastructure access using SSH certificates — without the overhead of running your own certificate authority, wiring trust across hosts, or building issuance workflows from scratch. It replaces long-lived SSH keys with short-lived, identity-bound certificates and handles all the moving parts for you: operating CAs, configuring trust between users and hosts, and issuing certificates on demand. With Infisical SSH, you can register a host with infisical ssh add-host, then connect with infisical ssh connect — that’s all it takes. The result is centralized, auditable SSH access that’s easy to use and built to scale with your infrastructure.