Hi Roumen,

I changed the config files as you said and now it works, thanks for the help! But I am in doubt whether the way it works now is the right one. I had to copy the client's public key to the authorized_keys file on the server machine, and the server's public key to the known_hosts file on the client machine. It seems pretty much like the usual PKI authentication now, except that the client and server send certificates to each other.

Is it possible in any way to avoid public key storage and just use certificate validation? Like, if the certificate is OK, there is no need to have the public key from this certificate in authorized_keys or known_hosts.

Thank you,
Adriana.