Class Certificate

Namespace
Renci.SshNet.Security
Assembly
Renci.SshNet.dll

Represents an OpenSSH certificate as described in https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys.

public class Certificate

Constructors

Certificate(byte[])

Initializes a new instance of the Renci.SshNet.Security.Certificate class from the encoded certificate in data.

public Certificate(byte[] data)

Parameters

data byte[]

The encoded public-key certificate data.

Properties

CertificateAuthorityKey

The CA key used to sign the certificate. The valid key types for CA keys are ssh-rsa, ssh-dss, ssh-ed25519 and the ECDSA types ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 and ecdsa-sha2-nistp521. "Chained" certificates, where the signature key type is itself a certificate type, are NOT supported. Note that it is possible for an RSA certificate key to be signed by an Ed25519 or ECDSA CA key, and vice versa.

public byte[] CertificateAuthorityKey { get; }

Property Value

byte[]

CertificateAuthorityKeyFingerPrint

Gets the SHA256 fingerprint of the certificate authority key in the same format as the ssh command, i.e. non-padded base64, but without the SHA256: prefix.

public string CertificateAuthorityKeyFingerPrint { get; }

Property Value

string

Examples

ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og.

CriticalOptions

A set of zero or more options on the certificate's validity. The key identifies the option and the value encodes option-specific information. All such options are "critical" in the sense that an implementation must refuse to authorise a key that has an unrecognised option.

public IDictionary<string, string> CriticalOptions { get; }

Property Value

IDictionary<string, string>

Extensions

A set of zero or more optional extensions. These extensions are not critical, and an implementation that encounters one that it does not recognise may safely ignore it.

public IDictionary<string, string> Extensions { get; }

Property Value

IDictionary<string, string>

Key

The public key that has been certified by the certificate authority.

public Key Key { get; }

Property Value

Key

KeyId

A free-form text field that is filled in by the CA at the time of signing; the intention is that the contents of this field are used to identify the identity principal in log messages.

public string KeyId { get; }

Property Value

string

Name

The type identifier of the certificate.

public string Name { get; }

Property Value

string

Remarks

The value is one of the following:

  • ssh-rsa-cert-v01@openssh.com
  • ssh-dss-cert-v01@openssh.com
  • ecdsa-sha2-nistp256-cert-v01@openssh.com
  • ecdsa-sha2-nistp384-cert-v01@openssh.com
  • ecdsa-sha2-nistp521-cert-v01@openssh.com
  • ssh-ed25519-cert-v01@openssh.com

Nonce

A CA-provided random bitstring of arbitrary length (but typically 16 or 32 bytes) included to make attacks that depend on inducing collisions in the signature hash infeasible.

public byte[] Nonce { get; }

Property Value

byte[]

Serial

An optional certificate serial number set by the CA to provide an abbreviated way to refer to certificates from that CA. If a CA does not wish to number its certificates, it must set this field to zero.

public ulong Serial { get; }

Property Value

ulong

Signature

The signature computed over all preceding fields, from the initial string up to and including the signature key. Signatures are computed and encoded according to the rules defined for the CA's public key algorithm (RFC 4253 section 6.6 for ssh-rsa and ssh-dss, RFC 5656 for the ECDSA types, and RFC 8032 for Ed25519).

public byte[] Signature { get; }

Property Value

byte[]

Type

Specifies whether this certificate is for identification of a user or a host.

public Certificate.CertificateType Type { get; }

Property Value

Certificate.CertificateType

ValidAfter

The beginning of the validity period of the certificate.

public DateTimeOffset ValidAfter { get; }

Property Value

DateTimeOffset

ValidAfterUnixSeconds

The beginning of the validity period of the certificate, as the number of seconds elapsed since 1970-01-01T00:00:00Z.

public ulong ValidAfterUnixSeconds { get; }

Property Value

ulong

ValidBefore

The end of the validity period of the certificate.

public DateTimeOffset ValidBefore { get; }

Property Value

DateTimeOffset

ValidBeforeUnixSeconds

The end of the validity period of the certificate, as the number of seconds elapsed since 1970-01-01T00:00:00Z.

public ulong ValidBeforeUnixSeconds { get; }

Property Value

ulong

ValidPrincipals

The names for which this certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and usernames for SSH_CERT_TYPE_USER certificates. As a special case, a zero-length "valid principals" field means the certificate is valid for any principal of the specified type.

public IList<string> ValidPrincipals { get; }

Property Value

IList<string>
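The properties above are the inputs a relying party needs to decide whether to honour a certificate: the CA fingerprint (CertificateAuthorityKeyFingerPrint), the validity window (ValidAfter/ValidBefore), the principal list (ValidPrincipals), the certificate kind (Type) and, critically, the CriticalOptions set, every unrecognised entry of which must cause rejection. The following is an added example, not code from SSH.NET, that loads a certificate from an OpenSSH "type base64 comment" line using the documented constructor and applies those checks. It assumes only the members listed on this page; the trusted-fingerprint set and the list of critical options it understands are constructed for the example, the Certificate.CertificateType member names used with Enum.Parse are assumed (the page does not list them), rejecting an empty principal list is this example's policy choice rather than the specification's, and verifying the Signature against the CA key is outside what it does.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Renci.SshNet.Security;

// Policy checks applied to a parsed OpenSSH certificate before it is
// trusted. Constructed example built on the Certificate members documented
// above; not part of SSH.NET.
public static class CertificatePolicy
{
    // Critical options this checker understands (standard OpenSSH names,
    // constructed list). Any other critical option is fatal by definition.
    private static readonly HashSet<string> KnownCriticalOptions =
        new HashSet<string>(StringComparer.Ordinal) { "force-command", "source-address" };

    // Parse one "<type> <base64> [comment]" line (the *-cert.pub file form)
    // into a Certificate via the documented byte[] constructor.
    public static Certificate Load(string pubLine)
    {
        string[] parts = pubLine.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length < 2)
            throw new FormatException("expected '<type> <base64> [comment]'");

        var cert = new Certificate(Convert.FromBase64String(parts[1]));

        // The type word in the file must agree with the type encoded in the blob.
        if (!string.Equals(cert.Name, parts[0], StringComparison.Ordinal))
            throw new FormatException($"type mismatch: file says {parts[0]}, blob says {cert.Name}");

        return cert;
    }

    // Returns the reasons the certificate must be rejected; an empty list
    // means every policy check here passed. Signature verification is not
    // part of this method.
    public static IList<string> Check(
        Certificate cert,
        Certificate.CertificateType expectedType,
        string principal,
        ISet<string> trustedCaFingerprints,
        DateTimeOffset now)
    {
        var problems = new List<string>();

        if (cert.Type != expectedType)
            problems.Add($"certificate type is {cert.Type}, expected {expectedType}");

        // CA pinning: the property is non-padded base64 without the
        // "SHA256:" prefix, so the trusted set must use the same form.
        if (!trustedCaFingerprints.Contains(cert.CertificateAuthorityKeyFingerPrint))
            problems.Add($"CA {cert.CertificateAuthorityKeyFingerPrint} is not trusted");

        // Validity window: valid from ValidAfter (inclusive) to ValidBefore (exclusive).
        if (now < cert.ValidAfter || now >= cert.ValidBefore)
            problems.Add($"outside validity window {cert.ValidAfter:u} .. {cert.ValidBefore:u}");

        // An empty list means "any principal" per PROTOCOL.certkeys; this
        // example's policy refuses such certificates rather than honouring it.
        if (cert.ValidPrincipals.Count == 0)
            problems.Add("certificate is valid for any principal; policy requires an explicit list");
        else if (!cert.ValidPrincipals.Contains(principal, StringComparer.Ordinal))
            problems.Add($"principal '{principal}' not in [{string.Join(", ", cert.ValidPrincipals)}]");

        // Unrecognised critical options must cause rejection.
        foreach (string option in cert.CriticalOptions.Keys.Where(k => !KnownCriticalOptions.Contains(k)))
            problems.Add($"unrecognised critical option '{option}'");

        return problems;
    }

    // Usage: <program> <cert.pub> <User|Host> <principal> <trusted-ca-fingerprint>
    public static int Main(string[] args)
    {
        if (args.Length != 4)
        {
            Console.Error.WriteLine("usage: <cert.pub> <User|Host> <principal> <trusted-ca-fingerprint>");
            return 2;
        }

        Certificate cert = Load(File.ReadAllText(args[0]).Trim());

        // Enum member names "User"/"Host" are assumed here; the page does not list them.
        var expected = (Certificate.CertificateType)Enum.Parse(typeof(Certificate.CertificateType), args[1], true);
        var trusted = new HashSet<string>(StringComparer.Ordinal) { args[3] };

        IList<string> problems = Check(cert, expected, args[2], trusted, DateTimeOffset.UtcNow);

        // KeyId and Serial are the fields the CA intends for log lines.
        Console.WriteLine($"certificate serial={cert.Serial} keyid='{cert.KeyId}' ca={cert.CertificateAuthorityKeyFingerPrint}");
        foreach (string p in problems)
            Console.WriteLine($"REJECT: {p}");

        return problems.Count == 0 ? 0 : 1;
    }
}
```

The fingerprint comparison uses the same non-padded base64 form as the property (as in the example value above), so a value copied from `ssh-keygen -l` output must have its "SHA256:" prefix stripped before being placed in the trusted set.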