<PackageReference Include="SSH.NET" Version="2024.2.0" />

Certificate

public class Certificate
Represents an OpenSSH certificate as described in https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys.
public enum CertificateType

Used to specify whether a certificate is for identification of a user or a host.

public byte[] CertificateAuthorityKey { get; }

The CA key used to sign the certificate. The valid key types for CA keys are ssh-rsa, ssh-dss, ssh-ed25519 and the ECDSA types ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained" certificates, where the signature key type is a certificate type itself are NOT supported. Note that it is possible for a RSA certificate key to be signed by a Ed25519 or ECDSA CA key and vice-versa.

public string CertificateAuthorityKeyFingerPrint { get; }

Gets the SHA256 fingerprint of the certificate authority key in the same format as the ssh command, i.e. non-padded base64, but without the SHA256: prefix.

public IDictionary<string, string> CriticalOptions { get; }

A set of zero or more options on the certificate's validity. The key identifies the option and the value encodes option-specific information. All such options are "critical" in the sense that an implementation must refuse to authorise a key that has an unrecognised option.

public IDictionary<string, string> Extensions { get; }

A set of zero or more optional extensions. These extensions are not critical, and an implementation that encounters one that it does not recognise may safely ignore it.

public Key Key { get; }

The public key that has been certified by the certificate authority.

public string KeyId { get; }

A free-form text field that is filled in by the CA at the time of signing; the intention is that the contents of this field are used to identify the identity principal in log messages.

public string Name { get; }

The type identifier of the certificate.

public byte[] Nonce { get; }

A CA-provided random bitstring of arbitrary length (but typically 16 or 32 bytes) included to make attacks that depend on inducing collisions in the signature hash infeasible.

public ulong Serial { get; }

An optional certificate serial number set by the CA to provide an abbreviated way to refer to certificates from that CA. If a CA does not wish to number its certificates, it must set this field to zero.

public byte[] Signature { get; }

The signature computed over all preceding fields from the initial string up to, and including the signature key. Signatures are computed and encoded according to the rules defined for the CA's public key algorithm (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA types, and RFC8032 for Ed25519).

public CertificateType Type { get; }

Specifies whether this certificate is for identification of a user or a host.

public DateTimeOffset ValidAfter { get; }

The beginning of the validity period of the certificate.

public ulong ValidAfterUnixSeconds { get; }

The beginning of the validity period of the certificate, as the number of seconds elapsed since 1970-01-01T00:00:00Z.

public DateTimeOffset ValidBefore { get; }

The end of the validity period of the certificate.

public ulong ValidBeforeUnixSeconds { get; }

The end of the validity period of the certificate, as the number of seconds elapsed since 1970-01-01T00:00:00Z.

public IList<string> ValidPrincipals { get; }

The names for which this certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and usernames for SSH_CERT_TYPE_USER certificates. As a special case, a zero-length "valid principals" field means the certificate is valid for any principal of the specified type.

public Certificate(byte[] data)

Initializes a new instance of the Certificate class based on the data encoded in data.