An SSH certificate is a mechanism for one SSH key to sign another SSH key. If you use an SSH certificate authority (CA) to provide your organization members with signed SSH certificates, you can add the CA to your enterprise account or organization to allow organization members to use their certificates to access organization resources. For more information, see "Managing your organization's SSH certificate authorities."
After you add an SSH CA to your organization or enterprise account, you can use the CA to sign client SSH certificates for organization members. Organization members can use the signed certificates to access your organization's repositories (and only your organization's repositories) with Git. You can require that members use SSH certificates to access organization resources. For more information, see "Enforcing policies for security settings in your enterprise."
For example, you can build an internal system that issues a new certificate to your developers every morning. Each developer can use their daily certificate to work on your organization's repositories on GitHub Enterprise Server. At the end of the day, the certificate can automatically expire, protecting your repositories if the certificate is later compromised.
Members will not be able to use their certificates to access forks of your repositories that are owned by their user accounts.
When you issue each certificate, you must include an extension that specifies which GitHub Enterprise Server user the certificate is for. For example, you can use OpenSSH's
ssh-keygen command, replacing KEY-IDENTITY with your key identity and USERNAME with a GitHub Enterprise Server username. The certificate you generate will be authorized to act on behalf of that user for any of your organization's resources. Make sure you validate the user's identity before you issue the certificate.
$ ssh-keygen -s ./ca-key -I KEY-IDENTITY -O extension:login@[hostname]=USERNAME ./user-key.pub
To issue a certificate for someone who uses SSH to access multiple GitHub products, you can include two login extensions to specify the username for each product. For example, the following command would issue a certificate for USERNAME-1 for the user's account for GitHub Enterprise Cloud, and USERNAME-2 for the user's account on GitHub AE or GitHub Enterprise Server at HOSTNAME.
$ ssh-keygen -s ./ca-key -I KEY-IDENTITY -O extension:firstname.lastname@example.org=USERNAME-1 extension:login@HOSTNAME=USERNAME-2 ./user-key.pub
You can restrict the IP addresses from which an organization member can access your organization's resources by using a
source-address extension. The extension accepts a specific IP address or a range of IP addresses using CIDR notation. You can specify multiple addresses or ranges by separating the values with commas. For more information, see "Classless Inter-Domain Routing" on Wikipedia.
$ ssh-keygen -s ./ca-key -I KEY-IDENTITY -O extension:login@[hostname]=USERNAME -O source-address=COMMA-SEPARATED-LIST-OF-IP-ADDRESSES-OR-RANGES ./user-key.pub
To prevent authentication errors, organization members should use a special URL that includes the organization ID to clone repositories using signed certificates. Anyone with read access to the repository can find this URL on the repository page. For more information, see "Cloning a repository."