docs/documentation/platform/pam/guides/ssh-certificate-auth.mdx
This guide walks through setting up SSH certificate authentication. Instead of managing passwords or SSH keys, Infisical mints a short-lived certificate for each session — valid only for that session, so there's nothing to rotate or revoke.
<Tabs>
<Tab title="Automated Setup">
Copy the setup command from the account page and run it on your server. The script downloads the CA public key, configures sshd to trust it, and restarts the service.
</Tab>
<Tab title="Manual Setup">
1. Copy the **CA Public Key** from the account page
2. Save it to `/etc/ssh/infisical_ca.pub` on the server
3. Add to sshd_config: `TrustedUserCAKeys /etc/ssh/infisical_ca.pub`
4. Restart sshd: `sudo systemctl restart sshd`
</Tab>
</Tabs>
Verify the setup:
```bash
sudo sshd -T | grep trustedusercakeys
```
1. Go to **Privileged Access Management → My Access**
2. Find the account and click **Launch**