Skip to main content
GitHub AE is currently under limited release.

Enforcing policies for security settings in your enterprise

You can enforce policies to manage security settings in your enterprise's organizations, or allow policies to be set in each organization.

Who can use this feature

Enterprise owners can enforce policies for security settings in an enterprise.

About policies for security settings in your enterprise

You can enforce policies to control the security settings for organizations owned by your enterprise on GitHub AE. By default, organization owners can manage security settings.

Managing SSH certificate authorities for your enterprise

You can use a SSH certificate authorities (CA) to allow members of any organization owned by your enterprise to access that organization's repositories using SSH certificates you provide. You can require that members use SSH certificates to access organization resources, unless SSH is disabled in your repository. For more information, see "About SSH certificate authorities."

When you issue each client certificate, you must include an extension that specifies which GitHub AE user the certificate is for. For more information, see "About SSH certificate authorities."

Adding an SSH certificate authority

If you require SSH certificates for your enterprise, enterprise members should use a special URL for Git operations over SSH. For more information, see "About SSH certificate authorities."

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings. "Enterprise settings" in drop-down menu for profile photo on GitHub AE

  2. In the enterprise account sidebar, click Settings.

  3. Under Settings, click Authentication security.

  4. To the right of "SSH Certificate Authorities", click New CA. New CA button

  5. Under "Key," paste your public SSH key. Key field to add CA

  6. Click Add CA.

  7. Optionally, to require members to use SSH certificates, select Require SSH Certificates, then click Save. Require SSH Certificate checkbox and save button

    Note: When you require SSH certificates, the requirement does not apply to authorized OAuth Apps and GitHub Apps or to GitHub features such as GitHub Actions, which are trusted environments within the GitHub ecosystem.

Deleting an SSH certificate authority

Deleting a CA cannot be undone. If you want to use the same CA in the future, you'll need to upload the CA again.

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings. "Enterprise settings" in drop-down menu for profile photo on GitHub AE

  2. In the enterprise account sidebar, click Settings.

  3. Under Settings, click Authentication security.

  4. Under "SSH Certificate Authorities", to the right of the CA you want to delete, click Delete. Delete button

  5. Read the warning, then click I understand, please delete this CA. Delete confirmation button

Further reading