# SSH Host Key Certificates

The SSH host keys of Puppet managed Linux hosts have a certficate which avoids below key acceptance question:

```
$ ssh hipa-gw
The authenticity of host 'hipa-gw (129.129.197.23)' can't be established.
ECDSA key fingerprint is SHA256:aRuVOefLvadIyDTxlSglDNylKG6eww2ZW0ddZs97dUo.
ECDSA key fingerprint is MD5:a8:be:15:24:9c:2b:82:7f:9d:9f:88:3f:e4:8c:df:cd.
Are you sure you want to continue connecting (yes/no)?
```

To accept SSH host keys with a certificate, please update either `~/.ssh/known_hosts` (your user only) or `/etc/ssh/ssh_known_hosts` (system-wide) as follows:

```
# SSH host key certficate CA manged by PSI Puppet
@cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2xLCCHNmXSeY+qNPmdo/jO2AXrcHyQDqZLBzWVwk2/GqMRDl4mavZLBPyQPNeLGAPc+BHg7iRC65wQQEeYOVU=
@cert-authority * ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhIx/obIiiO9AtrUgj7pF8kAgv4g9Dp+DRXilkmlkxK
```