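import { Link } from "react-router-dom";
import { Button } from "@/components/ui/button";
import { Card, CardContent } from "@/components/ui/card";
import {
  Terminal,
  FileKey,
  Clock,
  Users,
  Eye,
  ShieldCheck,
  ArrowRight,
  CheckCircle2,
  Server,
  Key,
  Copy,
  RefreshCw,
  Lock,
} from "lucide-react";

/**
 * Cards for the "Why SSH Certificates?" section.
 * Each entry carries the icon component, the card title and the body copy.
 */
const benefits = [
  {
    icon: Clock,
    title: "Short-Lived by Design",
    description:
      "Certificates expire in minutes or hours. No more managing key rotation schedules or dealing with stale keys.",
  },
  {
    icon: Eye,
    title: "Complete Audit Trail",
    description:
      "Every certificate issuance and SSH connection is logged. Know exactly who accessed what, when.",
  },
  {
    icon: Users,
    title: "Identity-Linked Access",
    description:
      "Certificates are tied to verified user identities. No more anonymous shared accounts.",
  },
  {
    // NOTE(review): sshd validates a certificate offline against the CA key, so
    // a certificate that was already issued keeps working until it expires
    // unless the servers also consult a RevokedKeys list. Confirm how this
    // claim is enforced before publishing the copy.
    icon: ShieldCheck,
    title: "Instant Revocation",
    description:
      "Disable a user and their certificates become useless. No more hunting for keys on servers.",
  },
];

/**
 * Numbered steps for the "How It Works" section.
 * `code` is the one-line command (or comment) shown under each step.
 */
const howItWorks = [
  {
    step: "01",
    title: "Register SSH Public Key",
    description:
      "Users register their SSH public key in Secuird. This is a one-time setup—no private keys are ever stored.",
    code: "ssh-keygen -t ed25519",
  },
  {
    step: "02",
    title: "Request a Certificate",
    description:
      "When users need to connect, they request a certificate. Secuird verifies their identity and issues a short-lived cert.",
    code: "ssh secuird.example.com sign",
  },
  {
    step: "03",
    title: "Connect Normally",
    description:
      "Use standard SSH to connect to servers. The certificate is automatically used for authentication.",
    code: "ssh user@server.example.com",
  },
  {
    step: "04",
    title: "Automatic Expiration",
    // This string was split by a raw newline, which is a syntax error inside a
    // double-quoted literal; it is rejoined on a single line here.
    description:
      "The certificate expires automatically. Users request new certificates as needed—no manual key rotation.",
    code: "# Certificate auto-expires",
  },
];

/**
 * Rows of the "Static Keys vs. Certificates" table.
 * `static` is the static-key column, `cert` the certificate column.
 */
const comparisonFeatures = [
  { feature: "Lifetime", static: "Permanent", cert: "Minutes to hours" },
  { feature: "Rotation", static: "Manual, error-prone", cert: "Automatic" },
  { feature: "Auditability", static: "None", cert: "Full chain of custody" },
  { feature: "Revocation", static: "Distribute to all servers", cert: "Disable user" },
  { feature: "Access Control", static: "Manual key distribution", cert: "Group-based policies" },
  { feature: "Identity Link", static: "Anonymous", cert: "Verified identity" },
  { feature: "Onboarding", static: "Copy keys manually", cert: "Self-service" },
  { feature: "Offboarding", static: "Hunt and remove keys", cert: "Instant revocation" },
];

/**
 * Cards for the "Use Cases" section: a title, a summary and a bullet list.
 */
const useCases = [
  {
    title: "Engineering Teams",
    description:
      "Engineers get SSH access based on team membership. New team members get access automatically.",
    features: [
      "Department-based principals",
      "Self-service certificate issuance",
      "Full audit trail for compliance",
    ],
  },
  {
    title: "Infrastructure Teams",
    description:
      "Manage SSH access to production servers with fine-grained control and complete visibility.",
    features: [
      "Host certificates for servers",
      "Bastion host support",
      "Production access policies",
    ],
  },
  {
    title: "Security Teams",
    description:
      "Eliminate the security risks of static SSH keys while maintaining complete visibility.",
    features: [
      "Certificate expiration alerts",
      "Anomaly detection",
      "Compliance reporting",
    ],
  },
];

/**
 * Renders the SSH certificates page: hero, benefits, how-it-works steps,
 * comparison table, use cases, server setup, feature grid and call to action.
 */
export default function SSHCertificatesPage() {
  return (
    <>
      {/* Hero */}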
SSH Certificate Authority

Eliminate SSH Key Chaos With Short-Lived Certificates

Replace permanent SSH keys with short-lived certificates tied to verified identities. Works with standard OpenSSH—no custom clients needed.

Terminal
                  
{`# Request SSH certificate
$ ssh user@secuird.example.com sign

✓ Identity verified
✓ Certificate issued
✓ Valid for 1 hour

# Connect to server
$ ssh user@prod-server-01
Welcome to prod-server-01!
Last login: Mon 10:32 from 192.168.1.100

# Certificate auto-expires
# No key rotation needed`}
                  
                
{/* Benefits */}

Why SSH Certificates?

Static SSH keys create security risks and operational headaches. Certificates solve both.

{benefits.map((benefit) => (

{benefit.title}

{benefit.description}

))}
{/* How It Works */}

How It Works

No custom clients required. Works with standard OpenSSH on servers and user machines.

{howItWorks.map((step) => (
{step.step}

{step.title}

{step.description}

                  {step.code}
                
))}

The only requirement is OpenSSH 5.6+ on both client and server (6.5+ for the ed25519 keys used in the examples on this page). Works on Linux, macOS, and most Unix systems.

{/* Static Keys vs Certificates */}

Static Keys vs. Certificates

See why organizations are switching from static SSH keys to certificate-based authentication.

{comparisonFeatures.map((row) => ( ))}
Feature Static SSH Keys SSH Certificates
{row.feature} {row.static} {row.cert}
{/* Use Cases */}

Use Cases

SSH certificates work for teams of all sizes and across different use cases.

{useCases.map((useCase) => (

{useCase.title}

{useCase.description}

    {useCase.features.map((feature) => (
  • {feature}
  • ))}
))}
{/* Server Setup */}
Server Configuration

Simple Server Setup

Configure your servers to trust the Secuird CA. One configuration change, and all your servers accept certificates.

    {[ "Works with standard OpenSSH", "No custom server software needed", "One-time CA key distribution", "Host certificates for server verification", ].map((item) => (
  • {item}
  • ))}
/etc/ssh/sshd_config
                  
{`# Trust Secuird CA for user authentication
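TrustedUserCAKeys /etc/ssh/securd_user_ca.pub
# A certificate that was already issued is accepted until it expires;
# add a RevokedKeys list if access must be cut off sooner.

# (Optional) Use host certificates
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
# The host CA public key (securd_host_ca.pub) is trusted by clients through an
# @cert-authority line in known_hosts. It does not go in TrustedUserCAKeys,
# which lists only the CAs allowed to sign user certificates.

# Check the file with sshd -t, then restart SSH to apply changes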
$ systemctl restart sshd`}
                  
                
{/* Features Deep Dive */}

Powerful Features

Everything you need to manage SSH access at scale.

{[ { icon: Key, title: "Multiple CAs", description: "Create separate CAs for different environments—production, staging, development.", }, { icon: Users, title: "Principal Mapping", description: "Map users to principals based on group membership. Automatic access based on teams.", }, { icon: Clock, title: "Custom Validity", description: "Set certificate validity per CA. Hours for production, days for development.", }, { icon: Copy, title: "One-Time Setup", description: "Users register their public key once. No private keys ever touch our servers.", }, { icon: RefreshCw, title: "Self-Service", description: "Users request and receive certificates themselves. No admin intervention needed.", }, { icon: Lock, title: "Instant Revocation", description: "Disable a user and all their certificates become invalid immediately.", }, ].map((feature) => (

{feature.title}

{feature.description}

))}
{/* CTA */}

Ready to Modernize SSH Access?

Start your free trial today. Set up your first SSH CA in minutes and see the difference certificates make.

); }