Using Teleport's Certificate Authority with GitHub
Teleport supports exporting user SSH certificates with configurable key extensions. This allows the Teleport CA to be used in conjunction with GitHub's support for SSH Certificate Authorities. This way, users can access their organizations' repositories with short-lived, signed SSH certificates.
- The Teleport Auth Service and Proxy Service v9.2.4, either self hosted or deployed on Teleport Cloud.
- The GitHub SSO authentication connector. For more information, see GitHub SSO.
- Access to GitHub Enterprise and permissions to modify GitHub's SSH Certificate Authorities.
In order to export the Teleport CA, execute the following command:
tctl auth export --type=user | sed 's/^cert-authority //g'
Next, follow the instructions in the guide below to import your Teleport CA into GitHub:
The contents of the exported
teleport.ca file should by pasted into the "Key" field after clicking "New CA".
Create or update a role to include the
cert_extensions option. The value of
name must be
A user certificate may be issued with the following command, where
<USERNAME> is the Teleport user to generate the SSH certificate for:
tctl auth sign --out out.cer --user=<USERNAME>
To test that authentication with this signed certificate is working correctly, SSH into
github.com with your organization's user:
ssh -i out.cer org-<ID>@github.com
If authentication is successful, a "You've successfully authenticated" message should be displayed in the terminal.
This newly generated certificate may then be used when interacting with GitHub over SSH by adding the following to the
When using SSH Certificate Authorities, you should retrieve your GitHub repository's SSH URL from the GitHub UI so the correct SSH user is used for authentication. For more information, see About SSH URLs with SSH certificates.