Sharkey is a service for managing certificates for use by OpenSSH.


The server component accepts requests and issues short lived host certificates.

Clients send their public key to the server (via TLS with mutual authentication) periodically. The server authenticates the client by checking that its certificate is valid for the requested hostname. If everything looks good, the server will take the public key in the request and issue an OpenSSH host certificate for the requested hostname.

A log of all issued certificates is stored in a database. The server can generate a known_hosts file from the issuance log if required.


The client component periodically requests a new host certificate from the server and installs it on the machine.

The client will use a TLS client certificate to make a connection to the server and authenticate itself. This assumes that there is a long-lived certificate and key installed on each machine that uses the client. We then periodically read the host key for the locally running OpenSSH (host_key), send it to the server, and retrieve a signed host certificate based on that key. The signed host certificate is then installed on the machine (signed_cert).