docs/documentation/platform/dynamic-secrets/ssh.mdx
The Infisical SSH dynamic secret allows you to generate ephemeral SSH certificates on demand, signed by an auto-generated Certificate Authority (CA). Instead of distributing static SSH keys, each lease produces a short-lived private key and a signed certificate that expires automatically.
When you create an SSH dynamic secret, Infisical generates an internal CA key pair. Target hosts are configured to trust this CA. When a lease is requested, Infisical generates an ephemeral key pair, signs the public key with the CA, and returns the private key and signed certificate. The certificate expires when the lease TTL ends — no manual key rotation or revocation needed.
<ParamField path="Default TTL" type="string" required>
Default time-to-live for a generated certificate (e.g. `1h`, `8h`)
</ParamField>
<ParamField path="Max TTL" type="string" required>
Maximum time-to-live for a generated certificate
</ParamField>
<ParamField path="Allowed Principals" type="list" required>
The usernames this dynamic secret can issue certificates for (e.g. `ubuntu`, `deploy`, `root`). When creating a lease, the requester selects a subset of these principals.
</ParamField>
<ParamField path="Key Algorithm" type="string" required>
Algorithm for the ephemeral key pairs generated per lease. Supported options: **ED25519** (default, recommended), **RSA 2048**, **RSA 4096**, **ECDSA P-256**, **ECDSA P-384**.
</ParamField>
- **Automated setup**: A `curl | sudo bash` command that installs the CA certificate, configures `TrustedUserCAKeys` in `sshd_config`, and restarts the SSH service.
- **Manual setup**: The raw CA public key, which you can reveal and copy to install manually on target hosts.
<Note>
You must configure your target SSH servers to trust the CA before certificate-based authentication will work. This only needs to be done once per host.
</Note>
Run the provided command on each target host:
```bash
curl -H "Authorization: Bearer <your-token>" "https://<your-infisical-url>/api/v1/dynamic-secrets/ssh-ca-setup/<dynamic-secret-id>" | sudo bash
```
This script will:
- Write the CA public key to `/etc/ssh/infisical_ca.pub`
- Add `TrustedUserCAKeys /etc/ssh/infisical_ca.pub` to `/etc/ssh/sshd_config`
- Validate the SSH configuration and restart the SSH service
**Option B — Manual setup**
1. Copy the CA public key (available via the eye icon in the setup modal or the edit form)
2. Save it to `/etc/ssh/infisical_ca.pub` on the target host
3. Add the following line to `/etc/ssh/sshd_config`:
```
TrustedUserCAKeys /etc/ssh/infisical_ca.pub
```
4. Restart the SSH service
You can also retrieve the CA public key programmatically:
```bash
curl -H "Authorization: Bearer <your-token>" "https://<your-infisical-url>/api/v1/dynamic-secrets/ssh-ca-public-key/<dynamic-secret-id>"
```
This returns a JSON response: `{ "caPublicKey": "ssh-ed25519 AAAA..." }`
When generating a lease, you will need to provide:
<ParamField path="TTL" type="string" required>
How long the certificate should be valid for. Must be within the Max TTL configured on the dynamic secret.
</ParamField>
<ParamField path="Principals" type="list" required>
One or more usernames (from the allowed principals) that the certificate should be valid for.
</ParamField>
Once you click **Submit**, a new lease will be generated containing:
- **Private Key** — the ephemeral SSH private key (downloadable as `key.pem`)
- **Signed Certificate** — the SSH certificate signed by the CA (downloadable as `cert.pub`)
Both can be downloaded or copied directly from the UI.
<Warning>
Copy or download these credentials immediately. You will not be able to see them again after closing the modal.
</Warning>
```bash
# Set private key permissions
chmod 600 key.pem
# Connect to the target host
ssh -i key.pem -o CertificateFile=cert.pub <principal>@<hostname>
```
Replace `<principal>` with one of the principals included in the certificate and `<hostname>` with the target host address.
Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.
This will allow you to see the expiration time of the lease or delete the lease before its set time to live.
<Note> SSH certificates are time-bound and expire automatically. Revoking a lease in Infisical removes the record, but the certificate remains valid until its TTL expires. </Note>To update the configuration of an existing SSH dynamic secret (principals, key algorithm, TTL, or to access the CA setup options), click on the dynamic secret item and select Edit.