What's Actually Happening
You're using SSH certificates (not regular keys) for authentication, and your certificate has passed its validity period. SSH certificates have a built-in expiration date set when the certificate was signed, and the server rejects any certificate past this date.
The Error You'll See
When attempting to connect:
Permission denied (publickey).
With verbose output:
debug1: Offering public key: /home/user/.ssh/id_rsa-cert.pub RSA-CERT SHA256:abc123...
debug1: Server accepts key: pkalg rsa-sha2-512-cert blen 1234
debug1: Certificate invalid: expired
debug1: try_pubkey_path: checking in /home/user/.ssh/authorized_keys
debug1: No more authentication methods to try.
Permission denied (publickey).
In server logs:
sshd[1234]: error: Certificate signature invalid: expired
sshd[1234]: Failed publickey for username from 192.168.1.50 port 54321 ssh2
Why This Happens
SSH certificates include validity periods:
- Valid: from 2024-01-01T00:00:00 to 2024-12-31T23:59:59
- The Certificate Authority (CA) sets expiration dates during signing
- Certificates automatically become invalid after expiration
- No password change or key regeneration extends certificate validity
- The certificate must be re-signed by the CA
Step 1: Check Certificate Expiration
View your certificate's validity period:
ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub
Or for ed25519:
ssh-keygen -Lf ~/.ssh/id_ed25519-cert.pub
Look for the validity line:
Valid: from 2024-01-01T00:00:00 to 2024-06-30T23:59:59
If the current date is past the "to" date, the certificate is expired.
Step 2: Check the Current Date
Ensure your system clock is correct:
date
A misconfigured clock can make valid certificates appear expired.
If the clock is wrong, synchronize it:
sudo ntpdate -s pool.ntp.org
Or:
sudo timedatectl set-ntp true
Step 3: Identify the Certificate Authority
Find out who signed your certificate:
ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub | grep -E "Type|Public key|Signing CA"
The output shows the CA that signed it:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT CA 256 SHA256:xyz...
Signing CA: RSA SHA256:xyz...
Contact your CA administrator or locate the CA key.
Step 4: Request New Certificate from CA
Submit your public key (not private key) to the CA:
# Your public key (not the certificate)
cat ~/.ssh/id_rsa.pub
Or generate a certificate signing request:
# Some organizations use a request format
ssh-keygen -f ~/.ssh/id_rsa -s ca_key -I "username@host" -V +52w ~/.ssh/id_rsa.pub
The CA administrator runs:
ssh-keygen -s ca_key -I "user_identity" -V +52w -n username user_key.pub
This creates a new user_key-cert.pub with a 52-week validity.
Step 5: Self-Sign Certificate (If You Have CA Access)
If you have access to the CA key:
# Sign for 1 year
ssh-keygen -s /path/to/ca_key -I "username@host" -V +52w -n username ~/.ssh/id_rsa.pub
Options explained:
- -s ca_key - The CA private key
- -I "identity" - Key identifier for logging
- -V +52w - Valid for 52 weeks
- -n username - Principal (user) name
Step 6: Install the New Certificate
Copy the new certificate to your .ssh directory:
cp id_rsa-cert.pub ~/.ssh/id_rsa-cert.pub
Ensure correct permissions:
chmod 644 ~/.ssh/id_rsa-cert.pub
Step 7: Verify New Certificate
Check the new certificate's validity:
ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub
Confirm the new expiration date is in the future.
Step 8: Configure SSH to Use Certificate
Ensure your SSH config uses the certificate:
Host server.example.com
    IdentityFile ~/.ssh/id_rsa
    CertificateFile ~/.ssh/id_rsa-cert.pub
Or let SSH auto-detect the certificate: for the id_rsa key it must be named id_rsa-cert.pub in the same directory.
Verify the Fix
Test the connection:
ssh -v username@server
Look for successful certificate authentication:
debug1: Offering public key: /home/user/.ssh/id_rsa-cert.pub RSA-CERT SHA256:abc...
debug1: Server accepts key: pkalg rsa-sha2-256-cert blen 279
debug1: Authentication succeeded (publickey).
For ongoing management, set up reminders before certificate expiration:
# Check certificate expiry (add to cron or calendar)
ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub | grep Valid
Consider implementing certificate monitoring with tools like:
- Automated email alerts before expiration
- Self-service certificate renewal systems
- Short-lived certificates with automated renewal
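As an added example (not from the page), a small Python script that wraps the ssh-keygen -Lf check above, parses the "Valid:" line, and exits non-zero when the certificate is expired or within 14 days of expiring, so cron can mail the result as a reminder. The embedded sample listing, the 14-day threshold and the status names are assumptions of this example.

```python
import re
import subprocess
import sys
from datetime import datetime

SAMPLE_LISTING = (  # constructed sample of `ssh-keygen -L` output, same format the page shows
    "        Valid: from 2024-01-01T00:00:00 to 2024-06-30T23:59:59\n"
)
TIME_FMT = "%Y-%m-%dT%H:%M:%S"  # ssh-keygen prints local time with no zone suffix
VALID_RE = re.compile(r"Valid:\s+from\s+(\S+)\s+to\s+(\S+)")

def parse_validity(listing):
    """Return (not_before, not_after) datetimes, or None for 'Valid: forever'."""
    match = VALID_RE.search(listing)
    if match is None:
        return None
    return tuple(datetime.strptime(stamp, TIME_FMT) for stamp in match.groups())

def check_certificate(listing, now=None, warn_days=14):
    """Return (status, days_left); status: forever, not_yet_valid, expired, expiring, ok."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):      # accept an ISO timestamp for tests and dry runs
        now = datetime.fromisoformat(now)
    validity = parse_validity(listing)
    if validity is None:
        return "forever", None
    not_before, not_after = validity
    days_left = (not_after - now).days
    if now < not_before:            # usually a wrong system clock (Step 2)
        return "not_yet_valid", days_left
    if now > not_after:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left

def main(argv):
    # Given a certificate path, ask ssh-keygen for the listing; otherwise check the sample.
    if len(argv) > 1:
        listing = subprocess.run(["ssh-keygen", "-Lf", argv[1]], check=True,
                                 capture_output=True, text=True).stdout
    else:
        listing = SAMPLE_LISTING
    status, days_left = check_certificate(listing)
    print(f"certificate status: {status} (days left: {days_left})")
    return 0 if status == "ok" else 1   # non-zero exit lets cron mail an alert

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_cert.py ~/.ssh/id_rsa-cert.pub` from a daily cron job; the "not_yet_valid" status is the clock-skew case from Step 2.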