You can allow members to access your organization's repositories using SSH certificates you provide by adding an SSH CA to your organization. You can require that members use SSH certificates to access organization resources, unless SSH is disabled in your repository. For more information, see About SSH certificate authorities.
Note
To use SSH certificate authorities, your organization must use GitHub Enterprise Cloud. For more information about how you can try GitHub Enterprise Cloud for free, see "Setting up a trial of GitHub Enterprise Cloud."
When you issue each client certificate, you must include an extension that specifies which GitHub Enterprise Cloud user the certificate is for. For more information, see "About SSH certificate authorities."
Adding an SSH certificate authority
If you require SSH certificates for your enterprise, enterprise members should use a special URL for Git operations over SSH. For more information, see About SSH certificate authorities.
Each certificate authority can only be uploaded to one account on GitHub Enterprise Cloud. If an SSH certificate authority has been added to an organization or enterprise account, you cannot add the same certificate authority to another organization or enterprise account on GitHub Enterprise Cloud.
If you add one certificate authority to an enterprise and another certificate authority to an organization in the enterprise, either certificate authority can be used to access the organization's repositories.
-
In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
-
Next to the organization, click Settings.
-
In the "Security" section of the sidebar, click Authentication security.
-
To the right of "SSH Certificate Authorities", click New CA.
-
Under "Key," paste your public SSH key.
-
Click Add CA.
-
Optionally, to require members to use SSH certificates, select Require SSH Certificates, then click Save.
Note
When you require SSH certificates, users will not be able to authenticate to access the organization's repositories over HTTPS or with an unsigned SSH key, regardless of whether the SSH key is authorized for an organization that requires authentication through an external identity system.
The requirement does not apply to authorized GitHub Apps (including user-to-server tokens), deploy keys, or to GitHub features such as GitHub Actions and Codespaces, which are trusted environments within the GitHub ecosystem.
Deleting an SSH certificate authority
- In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
- Next to the organization, click Settings.
- In the "Security" section of the sidebar, click Authentication security.
- Under "SSH Certificate Authorities", to the right of the CA you want to delete, click Delete.
- Read the warning, then click I understand, please delete this CA.
Upgrading an SSH certificate authority
CAs uploaded to your organization prior to March 27th, 2024, allow the use of non-expiring certificates. To learn more about why expirations are now required for new CAs, see About SSH certificate authorities. You can upgrade an existing CA to prevent it from issuing non-expiring certificates. For best security, we strongly recommend upgrading all your CAs once you validate you're not reliant on non-expiring certificates.
- In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
- Next to the organization, click Settings.
- In the "Security" section of the sidebar, click Authentication security.
- Under "SSH Certificate Authorities", to the right of the CA you want to upgrade, click Upgrade.
- Read the warning, then click Upgrade.
After upgrading the CA, non-expiring certificates signed by that CA will be rejected.