#ssh #yubikey #certs #certificates


A library for parsing, verifying, and creating SSH Certificates

28 releases

0.12.1 Nov 10, 2023
0.12.0 May 19, 2023
0.11.1 May 8, 2022
0.10.1 Feb 1, 2022
0.3.14 Mar 18, 2021

#133 in Authentication

Download history 613/week @ 2023-08-11 682/week @ 2023-08-18 611/week @ 2023-08-25 377/week @ 2023-09-01 629/week @ 2023-09-08 725/week @ 2023-09-15 505/week @ 2023-09-22 580/week @ 2023-09-29 525/week @ 2023-10-06 541/week @ 2023-10-13 897/week @ 2023-10-20 1057/week @ 2023-10-27 961/week @ 2023-11-03 1102/week @ 2023-11-10 664/week @ 2023-11-17 599/week @ 2023-11-24

3,587 downloads per month

Custom license



sshcerts (formerly rustica-keys) is a library for parsing, creating, and signing OpenSSH certificates. It was originally based on rust-sshkeys by @dnaeon but has been significantly expanded to offer a greater writer API, certificate signature validation, issuing new certificates, parsing encrypted private keys, and more.

This library contains other optional functionality for Yubikey key management. The Yubikey management module can be used to provision slot with keys that can never leave the device and SSH module for SSH signatures backed by a Yubikey. To enable this functionality use the feature yubikey-support.

This library attempts to keep as few dependencies as possible so many features are gated behind features. For example, RSA certificates can be read in and verified but not created unless the rsa-signing feature is used.

Support for encrypted private keys in available with the encrypted-keys features.

Finally there is the x509 module for doing some strange things like getting the SSH public key from an x509 certificate. This is automatically included when using the Yubikey feature but can be enabled separately with x509-support


macOS and Ubuntu Builds

API Stability

The API for this crate should not be considered stable and expect breaking changes between versions.

Security Warning

No review has been done. I built it because I thought people could find it useful. Be wary about using this in production without doing a thorough code review.

Yubikey Benchmarks

Yubikeys are not fast HSMs so running infra generating many certificates per second is going to be a challenge. I have benchmarked several kinds with both 256 and 384 bit ECDSA keys. The results are below:

ECDSA256 ECDSA384 Notes
4C FIPS <4.4.5> - - Requires pin on sign
Nano 4C <4.3.7> 9.14 6.35
Nano 5C <5.2.4> 10.58 7.10
5 NFC <5.2.7> 10.93 7.20
5Ci <5.2.4> 10.94 7.22

This shows 5s are about 15% faster than 4s but between 5s is mostly a wash. Loading the same key on multiple Yubikeys would provide a multiplicative speed up (equal to number of keys) but if you need that many signatures per second, Yubikeys are probably not the way to go.


This software is provided under the MIT licence so you may use it basically however you wish so long as all distributions and derivatives (source and binary) include the copyright from the LICENSE.


~323K SLoC