Rotate OpenSSH Certificates on AWS Amazon Linux or Ubuntu

OpenSSH certificates are used to authenticate you against your server, so you can log in to administer it. It's a good idea to rotate OpenSSH certificates occasionally, in case they've somehow been leaked or compromised. This isn't something AWS can do for you, so you have to do it manually.

Rotating AWS access keys is also important, but AWS covers that here.

I also have an article on how to create an AWS User to enable FTP access.

Here’s how I replaced my existing OpenSSH certificates with new certificates. Comments are inline below. This works on Amazon Linux, Ubuntu, and probably most other similar distributions.

Before You Start – Take a Backup!

Before you start, you should take a snapshot of your EBS volume. That way if something goes wrong you can easily roll back. Backups are important!

The Process

To get started, you assume the credentials of the user whose certificates you want to rotate.

# Log in as root
sudo su
# Switch to the user whose certificates you want to rotate
su - username

Next you generate a new certificate pair. This writes the private key to ./rsa and the public key to ./rsa.pub in the current directory.

# Generate a new certificate pair
ssh-keygen -f rsa

Now you can either replace the existing certificate, or add the new one alongside the existing certificates. It's probably best to first add the new certificate, test that you can log in using it, and only then delete the old certificates.

Note that the public key stays on the instance; the private key is transferred to your computer to allow you to authenticate yourself.

# Option 1) If you want to add this key and keep the existing keys
cat rsa.pub >> ~/.ssh/authorized_keys

# Once you've tested it, open the authorized keys file and delete any that aren't required
vi ~/.ssh/authorized_keys

# Option 2) Replace all existing keys with just this one
mv rsa.pub ~/.ssh/authorized_keys

Now copy the private key to your computer, save it as "certificate_name_version.pem", and convert it to PuTTY format if you need to.

Copy and paste the output of this command into a private / secure part of your computer. Use PuTTYgen.exe to load the pem file, then hit "save private key" to save it as a PuTTY ppk.

# View the private key, then copy and paste it to your computer
more rsa
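The add-then-prune rotation above, written as a script. This is an added example, not the commands from the original post: it wraps the same steps (generate a pair, append the public key to ~/.ssh/authorized_keys, test, prune the old entries) in small functions so the prune step can't empty the file by mistake, and it sets the 700/600 permissions sshd expects on the directory and file. It generates an ed25519 key instead of the post's default RSA key, and the key comments, the "rotated-YYYYMMDD" tag and the temporary working directory are assumptions chosen for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): add-then-prune rotation
# of authorized_keys. Paths and key comments are constructed placeholders.
set -eu

# Append one public key line to an authorized_keys file, creating the
# directory/file with the permissions sshd expects (700 / 600) and
# skipping the line if the same key is already present.
add_authorized_key() {
    local pubkey_file="$1" auth_file="$2" keyblob
    mkdir -p "$(dirname "$auth_file")"
    chmod 700 "$(dirname "$auth_file")"
    touch "$auth_file"
    chmod 600 "$auth_file"
    # Compare on key type + base64 blob (fields 1 and 2) and ignore the comment.
    keyblob=$(awk '{print $1" "$2}' "$pubkey_file")
    if awk '{print $1" "$2}' "$auth_file" | grep -qxF "$keyblob"; then
        return 0
    fi
    cat "$pubkey_file" >> "$auth_file"
}

# Number of keys in an authorized_keys file (non-empty, non-comment lines).
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Prune step: keep only the key whose comment is $2, remove every other
# line. Refuses to touch the file if that comment is not present, so a
# typo cannot lock every key out. Run only after a login with the new
# key has been verified.
keep_only_key() {
    local auth_file="$1" keep_comment="$2" tmp
    tmp=$(mktemp)
    awk -v c="$keep_comment" '$NF == c' "$auth_file" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to prune: no key with comment '$keep_comment' in $auth_file" >&2
        return 1
    fi
    cat "$tmp" > "$auth_file"
    rm -f "$tmp"
    chmod 600 "$auth_file"
}

main() {
    # Assumed working directory; on a real host you would target the
    # rotated user's ~/.ssh/authorized_keys instead.
    local workdir auth tag
    workdir=$(mktemp -d)
    auth="$workdir/.ssh/authorized_keys"
    tag="rotated-$(date +%Y%m%d)"
    if command -v ssh-keygen >/dev/null 2>&1; then
        # ed25519 instead of the post's RSA default; -N '' means no passphrase,
        # -C tags the public key so the prune step can find it later.
        ssh-keygen -q -t ed25519 -N '' -C "$tag" -f "$workdir/newkey"
        add_authorized_key "$workdir/newkey.pub" "$auth"
        echo "new key added ($(count_authorized_keys "$auth") key(s) in $auth)"
        echo "copy $workdir/newkey to your machine, verify a login, then run:"
        echo "  keep_only_key \"$auth\" \"$tag\""
    else
        echo "ssh-keygen not found; skipping key generation" >&2
    fi
}

main "$@"
```

The public key stays on the instance and only the private key file (newkey) leaves it, exactly as in the post; the one behavioural difference is that the prune step is keyed on the comment you gave the new key rather than on editing the file by hand in vi.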

You're all done! If you have problems comment below and I'll help if I can.
