import { Link } from "react-router-dom";
import { Button } from "@/components/ui/button";
import { Card, CardContent } from "@/components/ui/card";
import {
  Terminal,
  FileKey,
  Clock,
  Users,
  Eye,
  ShieldCheck,
  ArrowRight,
  CheckCircle2,
  Server,
  Key,
  Copy,
  RefreshCw,
  Lock,
} from "lucide-react";

/**
 * Copy for the "Why SSH Certificates?" section.
 * Each entry carries a lucide `icon` component plus the display strings
 * `title` and `description` read by the benefits list in the page body.
 */
const benefits = [
  {
    icon: Clock,
    title: "Short-Lived by Design",
    description:
      "Certificates expire in minutes or hours. No more managing key rotation schedules or dealing with stale keys.",
  },
  {
    icon: Eye,
    title: "Complete Audit Trail",
    description:
      "Every certificate issuance and SSH connection is logged. Know exactly who accessed what, when.",
  },
  {
    icon: Users,
    title: "Identity-Linked Access",
    description:
      "Certificates are tied to verified user identities. No more anonymous shared accounts.",
  },
  {
    icon: ShieldCheck,
    title: "Instant Revocation",
    description:
      "Disable a user and their certificates become useless. No more hunting for keys on servers.",
  },
];

/**
 * Steps for the "How It Works" section, rendered in array order.
 * `step` is the zero-padded label shown next to the step, `code` is the
 * illustrative command displayed beneath `description`.
 */
const howItWorks = [
  {
    step: "01",
    title: "Register SSH Public Key",
    description:
      "Users register their SSH public key in Secuird. This is a one-time setup—no private keys are ever stored.",
    code: "ssh-keygen -t ed25519",
  },
  {
    step: "02",
    title: "Request a Certificate",
    description:
      "When users need to connect, they request a certificate. Secuird verifies their identity and issues a short-lived cert.",
    code: "ssh secuird.example.com sign",
  },
  {
    step: "03",
    title: "Connect Normally",
    description:
      "Use standard SSH to connect to servers. The certificate is automatically used for authentication.",
    code: "ssh user@server.example.com",
  },
  {
    step: "04",
    title: "Automatic Expiration",
    description:
      "The certificate expires automatically. Users request new certificates as needed—no manual key rotation.",
    code: "# Certificate auto-expires",
  },
];

/**
 * Rows of the "Static Keys vs. Certificates" comparison table.
 * `feature` is the row label; `static` and `cert` are the two column cells.
 */
const comparisonFeatures = [
  {
    feature: "Key Lifetime",
    static: "Permanent — keys never expire",
    cert: "Minutes to hours — auto-expiration",
  },
  {
    feature: "Key Rotation",
    static: "Manual process, error-prone",
    cert: "Automatic with each certificate",
  },
  {
    feature: "Audit Trail",
    static: "No visibility into usage",
    cert: "Full chain of custody logged",
  },
  {
    feature: "Revocation",
    static: "Must reach all servers manually",
    cert: "Disable user — instant globally",
  },
  {
    feature: "Access Control",
    static: "Manual key distribution to servers",
    cert: "Group-based policies, self-service",
  },
  {
    feature: "Identity Link",
    static: "Anonymous — no user verification",
    cert: "Tied to verified corporate identity",
  },
  {
    feature: "Onboarding",
    static: "Admin copies keys to every server",
    cert: "User registers key once, self-service",
  },
  {
    feature: "Offboarding",
    static: "Hunt and remove keys from servers",
    cert: "Disable user — all certs invalidated",
  },
];

/**
 * Cards for the "Use Cases" section. `features` is the bullet list shown
 * under each card's `description`.
 */
const useCases = [
  {
    title: "Engineering Teams",
    description:
      "Engineers get SSH access based on team membership. New team members get access automatically.",
    features: [
      "Department-based principals",
      "Self-service certificate issuance",
      "Full audit trail for compliance",
    ],
  },
  {
    title: "Infrastructure Teams",
    description:
      "Manage SSH access to production servers with fine-grained control and complete visibility.",
    features: [
      "Host certificates for servers",
      "Bastion host support",
      "Production access policies",
    ],
  },
  {
    title: "Security Teams",
    description:
      "Eliminate the security risks of static SSH keys while maintaining complete visibility.",
    features: [
      "Certificate expiration alerts",
      "Anomaly detection",
      "Compliance reporting",
    ],
  },
];

/** Marketing page for the SSH certificate authority feature. */
export default function SSHCertificatesPage() {
  return (
    <>
      {/* Hero */}
SSH Certificate Authority

Eliminate SSH Key Chaos With Short-Lived Certificates

Replace permanent SSH keys with short-lived certificates tied to verified identities. Works with standard OpenSSH—no custom clients needed.

Terminal
                  
{`# Request SSH certificate
$ ssh user@securd.example.com sign

✓ Identity verified
✓ Certificate issued
✓ Valid for 1 hour

# Connect to server
$ ssh user@prod-server-01
Welcome to prod-server-01!
Last login: Mon 10:32 from 192.168.1.100

# Certificate auto-expires
# No key rotation needed`}
                  
                
{/* Benefits */}

Why SSH Certificates?

Static SSH keys create security risks and operational headaches. Certificates solve both.

{benefits.map((benefit) => (

{benefit.title}

{benefit.description}

))}
{/* How It Works */}

How It Works

No custom clients required. Works with standard OpenSSH on servers and user machines.

{howItWorks.map((step) => (
{step.step}

{step.title}

{step.description}

                  {step.code}
                
))}

The only requirement is OpenSSH 5.6+ on both client and server. Works on Linux, macOS, and most Unix systems.

{/* Static Keys vs Certificates */}

Static Keys vs. Certificates

See why organizations are switching from static SSH keys to certificate-based authentication.

{comparisonFeatures.map((row) => ( ))}
Feature Static SSH Keys SSH Certificates
{row.feature} {row.static} {row.cert}
{/* Use Cases */}

Use Cases

SSH certificates work for teams of all sizes and across different use cases.

{useCases.map((useCase) => (

{useCase.title}

{useCase.description}

    {useCase.features.map((feature) => (
  • {feature}
  • ))}
))}
{/* Server Setup */}
Server Configuration

Simple Server Setup

Configure your servers to trust the Secuird CA. One configuration change, and all your servers accept certificates.

    {[ "Works with standard OpenSSH", "No custom server software needed", "One-time CA key distribution", "Host certificates for server verification", ].map((item) => (
  • {item}
  • ))}
/etc/ssh/sshd_config
                  
{`# Trust Secuird CA for user authentication
TrustedUserCAKeys /etc/ssh/securd_user_ca.pub

# (Optional) Present a host certificate so clients can verify this server
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
# Clients verify host certificates via an @cert-authority line in known_hosts
# (e.g. "@cert-authority *.example.com [HOST_CA_PUBLIC_KEY]"), NOT via
# TrustedUserCAKeys: sshd only honours the first TrustedUserCAKeys line, and a
# host CA must never be trusted to vouch for user logins.

# Restart SSH to apply changes — run this in a shell, not inside this file:
#   systemctl restart sshd`}
                  
                
{/* Deployment Guide */}
Deployment Guide

Deploy to Your Servers

One-time setup per server. The script below installs the CA key, configures principal-based access, and reloads SSH — all in a single idempotent run.

1

Get your CA public key

In the Secuird dashboard, go to Certificate Authorities and copy the User CA public key from the detail card.

2

Decide the Unix user and principal

Each server has a local Unix user (e.g. ubuntu, deploy, root) that SSH sessions connect to. Choose which principal (from your Secuird configuration) should be allowed to log in as that user.

3

Run the setup script

SSH into the server and run the script below as root. Paste your CA public key, set the Unix user and principal, then execute.

deploy.sh
                        
{`#!/usr/bin/env bash
set -euo pipefail

CA_KEY=''
UNIX_USER="ubuntu"           # ← change to the server's unix user
PRINCIPAL="" # ← change to the principal for this user

CA_FILE="/etc/ssh/trusted_user_ca"
PRINCIPALS_DIR="/etc/ssh/auth_principals"
SSHD_DROP_IN="/etc/ssh/sshd_config.d/99-ca-auth.conf"

if [[ "$(id -u)" -ne 0 ]]; then
  echo "error: must be run as root" >&2
  exit 1
fi

# Refuse to run with the placeholders unfilled: an empty CA file trusts nothing
# and an empty principals file locks the Unix user out of certificate login.
if [[ -z "\${CA_KEY}" || -z "\${PRINCIPAL}" ]]; then
  echo "error: set CA_KEY and PRINCIPAL at the top of this script first" >&2
  exit 1
fi

install -m 0644 -o root -g root /dev/null "\${CA_FILE}"
echo "\${CA_KEY}" > "\${CA_FILE}"

install -d -m 0755 -o root -g root "\${PRINCIPALS_DIR}"
install -m 0644 -o root -g root /dev/null "\${PRINCIPALS_DIR}/\${UNIX_USER}"
echo "\${PRINCIPAL}" > "\${PRINCIPALS_DIR}/\${UNIX_USER}"

# Drop-ins only take effect if sshd_config contains
# "Include /etc/ssh/sshd_config.d/*.conf" (present by default on recent OpenSSH packages — verify)
install -d -m 0755 -o root -g root "/etc/ssh/sshd_config.d"
install -m 0600 -o root -g root /dev/null "\${SSHD_DROP_IN}"
# NOTE(review): heredoc body reconstructed from the CA_FILE / PRINCIPALS_DIR
# definitions above — the original lines were lost in rendering; verify against
# the canonical script.
cat > "\${SSHD_DROP_IN}" <<EOF
# Managed by deploy.sh — trust the Secuird user CA and map principals per Unix user
TrustedUserCAKeys \${CA_FILE}
AuthorizedPrincipalsFile \${PRINCIPALS_DIR}/%u
EOF

# Validate the merged configuration before touching the running daemon
if sshd -t; then
  systemctl reload ssh 2>/dev/null || systemctl reload sshd
  echo "done — CA trust and principal '\${PRINCIPAL}' configured for '\${UNIX_USER}'"
else
  echo "error: sshd configuration test failed — SSH was NOT reloaded" >&2
  exit 1
fi`}
                        
                      
4

Verify the configuration

The script runs sshd -t to validate the configuration before reloading — if you see "done" at the end, the new configuration was accepted. To double-check from a client, run:

                    {`ssh -T user@your-server    # should succeed without a password prompt`}
                  

Repeat on every server. Once the CA key is trusted, any user with a valid Secuird-signed certificate for the matching principal can connect — no more distributing individual SSH keys to each server.

{/* Features Deep Dive */}

Powerful Features

Everything you need to manage SSH access at scale.

{[ { icon: Key, title: "Multiple CAs", description: "Create separate CAs for different environments—production, staging, development.", }, { icon: Users, title: "Principal Mapping", description: "Map users to principals based on group membership. Automatic access based on teams.", }, { icon: Clock, title: "Custom Validity", description: "Set certificate validity per CA. Hours for production, days for development.", }, { icon: Copy, title: "One-Time Setup", description: "Users register their public key once. No private keys ever touch our servers.", }, { icon: RefreshCw, title: "Self-Service", description: "Users request and receive certificates themselves. No admin intervention needed.", }, { icon: Lock, title: "Instant Revocation", description: "Disable a user and all their certificates become invalid immediately.", }, ].map((feature) => (

{feature.title}

{feature.description}

))}
{/* CTA */}

Ready to Modernize SSH Access?

Start your free trial today. Set up your first SSH CA in minutes and see the difference certificates make.

); }