

Using Teleport's Certificate Authority with GitHub


Teleport supports exporting user SSH certificates with configurable key extensions. This allows the Teleport CA to be used in conjunction with GitHub's support for SSH Certificate Authorities. This way, users can access their organizations' repositories with short-lived, signed SSH certificates.


Prerequisites

  • The Teleport Auth Service and Proxy Service v10.3.1, either self-hosted or deployed on Teleport Cloud.
  • The GitHub SSO authentication connector. For more information, see GitHub SSO.
  • Access to GitHub Enterprise and permissions to modify GitHub's SSH Certificate Authorities.

Step 1/3. Import the Teleport CA into GitHub

To export the Teleport CA, run the following commands:

# Log in to your cluster with tsh so you can use tctl from your local machine.
# You can also run tctl on your Auth Service host without running "tsh login".
tsh login --user=myuser
tctl auth export --type=user | sed 's/^cert-authority //g'

Next, follow the instructions in the guide below to import your Teleport CA into GitHub:

Managing your organization's SSH certificate authorities

The contents of the exported file should be pasted into the "Key" field after clicking "New CA".

Step 2/3. Configure the GitHub key extension

Create or update a role to include the cert_extensions option. The value of name must be login@github.com.

kind: role
version: v5
metadata:
  name: developer
spec:
  options:
    cert_extensions:
      - type: ssh
        mode: extension
        name: login@github.com # required to be `login@github.com`.
        value: "{{ external.logins }}"

Step 3/3. Issue a user certificate

A user certificate may be issued with the following command, where <USERNAME> is the Teleport user to generate the SSH certificate for:

tctl auth sign --out out.cer --user=<USERNAME>

To test that authentication with this signed certificate is working correctly, SSH into github.com with your organization's user:

ssh -i out.cer org-<ID>@github.com

If authentication is successful, a "You've successfully authenticated" message should be displayed in the terminal.

This newly generated certificate may then be used when interacting with GitHub over SSH by adding the following to the ~/.ssh/config file:

Host github.com
  IdentityFile path/to/out.cer

When using SSH Certificate Authorities, you should retrieve your GitHub repository's SSH URL from the GitHub UI so the correct SSH user is used for authentication. For more information, see About SSH URLs with SSH certificates.
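
To confirm that a certificate issued in Step 3 carries the login@github.com extension configured in Step 2 and is short-lived, the following Python sketch parses an OpenSSH certificate line and reports problems. It is an added example, not part of the Teleport documentation; the function names, the 12-hour lifetime limit and the sample certificate (dummy key, CA and signature) are assumptions constructed for illustration.

```python
import base64, struct
# Number of public-key fields that follow the nonce, per certificate key type.
PK_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1}

def put(b):
    return struct.pack(">I", len(b)) + b

def get(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Return type, validity window and extensions of a certificate line."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = get(blob, 0)
    for _ in range(1 + PK_FIELDS[ktype.decode()]):  # nonce, then key fields
        _, off = get(blob, off)
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    _key_id, off = get(blob, off + 12)
    _principals, off = get(blob, off)
    after, before = struct.unpack_from(">QQ", blob, off)
    _critical, off = get(blob, off + 16)
    ext_blob, off = get(blob, off)
    exts, p = {}, 0
    while p < len(ext_blob):
        name, p = get(ext_blob, p)
        data, p = get(ext_blob, p)
        # A non-empty value is itself wrapped as a length-prefixed string.
        exts[name.decode()] = get(data, 0)[0].decode() if data else ""
    return {"type": ctype, "after": after, "before": before, "extensions": exts}

def check_github_cert(line, max_lifetime=12 * 3600):  # 12 h is an assumed policy
    """Return a list of problems; an empty list means the checks passed."""
    c = parse_cert(line)
    checks = [(c["type"] != 1, "not a user certificate"),
              (not c["extensions"].get("login@github.com"), "no login@github.com extension"),
              (c["before"] - c["after"] > max_lifetime, "lifetime exceeds limit")]
    return [msg for failed, msg in checks if failed]

def make_sample(login, lifetime):
    """Constructed sample line: dummy key, CA and signature, not a real cert."""
    ext = put(b"login@github.com") + put(put(login.encode())) if login else b""
    body = (put(b"ssh-ed25519-cert-v01@openssh.com") + put(b"n" * 32) + put(b"k" * 32)
            + struct.pack(">QI", 1, 1) + put(b"id") + put(put(b"alice"))
            + struct.pack(">QQ", 1000, 1000 + lifetime) + put(b"")
            + put(ext + put(b"permit-pty") + put(b"")) + put(b"") + put(b"ca") + put(b"sig"))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

The parser reads fields only and does not verify the CA signature, so it checks the certificate's contents, not its authenticity.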