> 3) # ssh -i /root/.ssh/id_rsa-cert.pub localhost

This is wrong: -i should be given the private key, so:

    # ssh -i /root/.ssh/id_rsa localhost

Now it will find the -cert.pub automatically and use this without asking for a passphrase.

Also, before you use certificates operationally, you should disable the normal public keys in authorized_keys by setting the AuthorizedKeysFile to /dev/null in the sshd_config.
See: https://bugzilla.mindrot.org/show_bug.cgi?id=1764

Hans

Certificate setup example:

CA user:
1) ssh-keygen -f ca_rsa    # generate a ssh keypair for use as a certificate

Server(s):
2) Make sure your sshd_config has TrustedUserCAKeys assigned:
   TrustedUserCAKeys /etc/ssh/trusted_cakeys    # or whatever name or location you like
3) Edit /etc/ssh/trusted_cakeys and add the contents of ca_rsa.pub to it
4) Disable AuthorizedKeysFile in sshd_config and point it to /dev/null to prevent normal public keys from working (preferably in a Match user/group section of sshd_config)

CA user:
4) For a user, generate a certificate of its public key with some limitations:
   ssh-keygen -s ca_rsa -I keyid -n jimmy -V +2w1d id_rsa.pub
   This will generate an id_rsa-cert.pub certificate file which is valid for 15 days

Jimmy:
5) Put his id_rsa-cert.pub in his ~/.ssh directory
   ssh jimmy@server    # connect to server using the certificate
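
A check for server steps 2) and 4) of the setup above, as an added example that is not part of the original message: it reports for each sshd_config scope whether logins are certificate-only. The function name audit_sshd_config and the sample config are constructed for illustration, and the check also accepts AuthorizedKeysFile none, which the message does not mention.

```shell
#!/bin/sh
# Added example (not from the original message): report, per sshd_config scope,
# whether logins are certificate-only as in server steps 2) and 4) above.

audit_sshd_config() {   # hypothetical helper name; $1 = path to an sshd_config
    awk '
    BEGIN { scope = "global"; n = 1; order[1] = scope }
    /^[ \t]*#/ { next }                          # skip comment lines
    /^[ \t]*$/ { next }                          # skip blank lines
    {
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        key = tolower($1)                        # keywords are case-insensitive
        val = $0; sub(/^[^ \t]+[ \t]+/, "", val)
        if (key == "match") { scope = "Match " val; order[++n] = scope; next }
        # sshd uses the first value it obtains for a keyword
        if (key == "trustedusercakeys"  && !(scope in ca))   ca[scope] = val
        if (key == "authorizedkeysfile" && !(scope in keys)) keys[scope] = val
    }
    END {
        gca   = ("global" in ca)   ? ca["global"]   : "none"
        # sshd default when AuthorizedKeysFile is not set at all
        gkeys = ("global" in keys) ? keys["global"] : ".ssh/authorized_keys .ssh/authorized_keys2"
        ok = 0
        for (i = 1; i <= n; i++) {
            s = order[i]
            c = (s in ca)   ? ca[s]   : gca      # a Match block overrides global
            k = (s in keys) ? keys[s] : gkeys
            if (c == "none")                          { v = "ca-missing" }
            else if (k == "/dev/null" || k == "none") { v = "cert-only"; ok = 1 }
            else                                      { v = "plain-keys-allowed" }
            printf "%s | ca=%s | keys=%s | %s\n", s, c, k, v
        }
        exit !ok                                 # 0 if some scope is cert-only
    }' "$1"
}

sample_config() {       # constructed sample input, not taken from a real host
    cat <<'EOF'
# sshd_config excerpt
TrustedUserCAKeys /etc/ssh/trusted_cakeys
Match User jimmy
    AuthorizedKeysFile /dev/null
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp"
rm -f "$tmp"
```

On a running server, `sshd -T` prints the effective configuration and is the authoritative source; this script only reads the file it is given.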