Problems using signed certificates for SSH connections

Hello, I’m trying to implement authentication using signed certificates to manage the VMs in my virtualization infrastructure.

As explained in the Vault documentation, I supplied both the signed public key from Vault and the corresponding private key as authentication to the SSH call, but I’m asked for the password to the private key…

ssh -i ~/.ssh/ -i ~/.ssh/id_rsa_admin-mshe root@geo -vvv

Here’s an extract of the ssh command result in debug mode:

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/ RSA-CERT SHA256:IvgAcQNkDPIB9b2RD2FtZ4PPy8VODUe5jcAVa1Q6hOQ explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /root/.ssh/ RSA-CERT SHA256:IvgAcQNkDPIB9b2RD2FtZ4PPy8VODUe5jcAVa1Q6hOQ explicit
debug3: sign_and_send_pubkey: using publickey with RSA-CERT SHA256:IvgAcQNkDPIB9b2RD2FtZ4PPy8VODUe5jcAVa1Q6hOQ
debug2: sign_and_send_pubkey: using private key "/root/.ssh/id_rsa_admin-mshe" for certificate
debug3: sign_and_send_pubkey: signing using SHA256:IvgAcQNkDPIB9b2RD2FtZ4PPy8VODUe5jcAVa1Q6hOQ
Enter passphrase for key '/root/.ssh/id_rsa_admin-mshe': 

The public key used is named; it is associated with the private key id_rsa_admin-mshe; and the key signed by Vault is named

If I understand correctly, the signed key ( is accepted by ssh (type 60).

root@nfs1-server: # ls -l /root/.ssh/
-rw------- 1 root root   2655 Dec 26 18:12 id_rsa_admin-mshe
-rw-r--r-- 1 root root    570 Dec 26 18:12
-rw-r--r-- 1 root root   2298 Dec 27 16:41

The public key seems to have been signed correctly, as shown by the keygen command:

root@nfs1-server: # ssh-keygen -Lf ~/.ssh/
        Type: user certificate
        Public key: RSA-CERT SHA256:IvgAcQNkDPIB9b2RD2FtZ4PPy8VODUe5jcAVa1Q6hOQ
        Signing CA: RSA SHA256:ABJjcEVJa0ANUy+iamLpETKsNH5Waz0JuB9DiROq19Q (using rsa-sha2-256)
        Key ID: "vault-token-Ernest-Root-22f8007103640cf201f5bd910f616d6783cfcbc54e0d47b98dc0156b543a84e4"
        Serial: 3280763784699459784
        Valid: from 2023-12-27T16:41:16 to 2023-12-27T17:11:46
        Critical Options: (none)

Obviously, I don’t want to use a bash agent to make this ssh connection, which is the whole point of signed certificates. But why on earth does it ask for the passphrase of the private key?

Have I missed something in my meticulous follow-up of the documentation? Thank you in advance for your help.


Looks like you password-protected the private key, and now it is asking for the password.
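The two things worth checking in the situation above are the ones the question and the reply touch on: whether the private key file is actually passphrase-protected (which is what the `Enter passphrase for key` prompt means, independently of the certificate), and whether the certificate's validity window, which `ssh-keygen -L` shows is only about 30 minutes for this Vault-issued certificate, still covers the moment of the connection. The following Python script is an added example, not code from the original post or from Vault or OpenSSH: it reads the cipher and KDF fields of an `openssh-key-v1` private key header to tell an unencrypted key from an encrypted one, and parses the public fields of an `ssh-rsa-cert-v01@openssh.com` certificate to print its key ID, principals and validity window. The key-file headers and the certificate it inspects are constructed inline (placeholder key material, no real signature, a hypothetical key ID `vault-token-EXAMPLE`); the validity timestamps are the ones shown by `ssh-keygen -Lf` in the post, interpreted as UTC.

```python
import base64
import calendar
import struct
import time

# Added example (not from the original post). Inspects two artefacts from
# the thread: an OpenSSH private key file (is it passphrase-protected?) and
# a user certificate (serial, key ID, principals, validity window).
OPENSSH_MAGIC = b"openssh-key-v1\x00"
CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1


def _s(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _read_u64(buf: bytes, off: int):
    (v,) = struct.unpack(">Q", buf[off:off + 8])
    return v, off + 8


def private_key_needs_passphrase(key_text: str) -> bool:
    """True if an OpenSSH (or legacy PEM) private key file is encrypted."""
    lines = key_text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        ciphername, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdfname, off = _read_string(blob, off)
        # An unencrypted key stores ciphername "none" and kdfname "none".
        return ciphername != b"none" or kdfname != b"none"
    # Legacy PEM keys mark encryption with a Proc-Type header.
    return any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in lines)


def parse_user_cert(cert_line: str) -> dict:
    """Parse the public fields of a <key>-cert.pub line (signature not verified)."""
    blob = base64.b64decode(cert_line.split()[1])
    cert_type, off = _read_string(blob, 0)
    if cert_type != CERT_TYPE:
        raise ValueError("unsupported certificate type: %r" % cert_type)
    _nonce, off = _read_string(blob, off)
    _e, off = _read_string(blob, off)          # RSA public exponent (mpint)
    _n, off = _read_string(blob, off)          # RSA modulus (mpint)
    serial, off = _read_u64(blob, off)
    (kind,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    key_id, off = _read_string(blob, off)
    principals_blob, off = _read_string(blob, off)
    valid_after, off = _read_u64(blob, off)
    valid_before, off = _read_u64(blob, off)
    principals, p = [], 0
    while p < len(principals_blob):
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    return {"serial": serial, "is_user_cert": kind == SSH_CERT_TYPE_USER,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def cert_valid_at(cert: dict, now: int) -> bool:
    """sshd accepts a certificate only when valid_after <= now < valid_before."""
    return cert["valid_after"] <= now < cert["valid_before"]


def build_constructed_cert(key_id, principals, valid_after, valid_before, serial):
    """Assemble a cert blob with the real field layout but placeholder key
    material and empty signature fields (constructed, for parsing only)."""
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x01\x00\x01") + _s(b"\x00\xab\xcd")
            + struct.pack(">Q", serial) + struct.pack(">I", SSH_CERT_TYPE_USER)
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _s(b"") + _s(b"") + _s(b"") + _s(b"") + _s(b""))  # options, exts, reserved, CA key, sig
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " demo"


def _openssh_key_file(ciphername: bytes, kdfname: bytes) -> str:
    """Constructed openssh-key-v1 header (no real key material follows)."""
    blob = OPENSSH_MAGIC + _s(ciphername) + _s(kdfname) + _s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples: an unencrypted and a passphrase-protected key header,
# and a certificate carrying the validity window from the post (read as UTC).
PLAIN_KEY = _openssh_key_file(b"none", b"none")
ENCRYPTED_KEY = _openssh_key_file(b"aes256-ctr", b"bcrypt")
VALID_AFTER = calendar.timegm((2023, 12, 27, 16, 41, 16))
VALID_BEFORE = calendar.timegm((2023, 12, 27, 17, 11, 46))
DEMO_CERT = build_constructed_cert("vault-token-EXAMPLE", ["root"],
                                   VALID_AFTER, VALID_BEFORE, 3280763784699459784)

if __name__ == "__main__":
    for label, text in (("plain key", PLAIN_KEY), ("encrypted key", ENCRYPTED_KEY)):
        print(label, "needs passphrase:", private_key_needs_passphrase(text))
    cert = parse_user_cert(DEMO_CERT)
    print(cert)
    print("certificate valid right now:", cert_valid_at(cert, int(time.time())))
```

On a real host the equivalent quick check is `ssh-keygen -y -P '' -f ~/.ssh/id_rsa_admin-mshe`, which prints the public key for an unencrypted file and fails with an incorrect-passphrase error for an encrypted one. If the key is encrypted, the certificate does nothing to remove that prompt: either keep the passphrase and load the key into `ssh-agent`, or create the key for this automation with an empty passphrase (`ssh-keygen -N ''`) and rely on the short-lived certificate, as the validity window above shows, to limit the exposure of an unencrypted key file.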