Skip to main content

SSH keys

An SSH key is an access credential to SSH network protocols. These allow you to gain access to an encrypted connection between systems. You can use this connection to manage the remote system.

SSH keys authenticate the connection to ensure secure access to the server using various authentication methods.

The Discovery sensor scans your network (default SSH enabled port 22) for SSH keys configured on your server.

Discover SSH keys

To discover the SSH keys configured on your server, you need to create and run a scan.

  1. In your CertCentral account, select Discovery > Manage Discovery.

  2. On the Manage scans page, select Add scan.

  3. On the Add a scan page, in the Set up a scan section, provide the required information to set up the scan. Then, select Next.

  4. On the Scan setting section, under Settings > Scan options, select Choose what to scan > Enable SSH key discovery.

  5. Select Save and run.

View key scan results

  1. In your CertCentral account, select Discovery > View Results.

  2. On the Results page, in Keys tab, use the Scan name filter to identify the keys associated with the scan.

  3. Select the Name to view the details of the key.

The following information about the discovered keys is available:




“Name” indicates the fingerprint of the key. “SSH key fingerprint” is generated from the public key hashing utilizing different hash algorithms such as SHA, ECDSA, etc.


Algorithm used for hashing the SSH key and the SSH key's size (or length) in bits.

Authentication methods

Methods to authenticate SSH keys configured on your server.

First discovered

Indicates the date when key was first discovered.

Rotation limit

The time frame defined by the organizations when the key should be replaced with a new key. It is calculated from the date the key was first discovered


Protocols used to set up an encrypted connection between the systems to communicate over the internet.

Secure Shell Version 1 (SSH1):

  • Provides an encrypted channel for communication.

  • Provides robust host-to-host connection and user authentication.

Note: SSH1 protocols have been obsolete for a long time as they do not support future upgrades, are vulnerable, and do not ensure security against threats. If your system still depends on the SSH1 protocol, upgrade to the SSH2 protocol. If the Discovery sensors detect a key with the SSH1 protocol, we will report it as not secure.

Secure Shell Version 2 (SSH2):

  • Advanced, more efficient, more secure, and portable than SSH1.

  • Supports Secure File Transfer Protocol (SFTP).

  • Prevents data theft from eavesdropping by encrypting all data.

  • Prevents DNS and IP spoofing by cryptographically authenticating the server's identity.

  • Prevents man-in-the-middle attacks with stronger server-host authentication.


Identifies whether the specific key has duplicates.

Security level

Signifies the security status of the keys. The key is regarded as unsecured if it:

  • Has duplicates.

  • Reached or is approaching its rotation limit.

  • Uses SSH1 protocol to set up the connection.

Delete the key

  1. In your CertCentral account, select Discovery > View Results.

  2. On the Results page, in the Keys tab, find the key you want to delete.

  3. Select Delete in the Action column corresponding to the key.


Deleting a key only removes the key from the CertCentral Discovery. The key will remain active, authorized for use, and will be available on the server. Delete the key from the server to prevent scans from detecting and reproducing the key in the discovered data.

Rotate the key

Rotating a key involves removing one encryption key and replacing it with another. It is considered best practice to rotate keys at regular intervals to prevent them from being compromised.

Key rotation limits the amount of encrypted data under a particular key. As a result, past communications remain secure if a key is breached since those communications occurred under a different key.

For security reasons, we recommend maintaining key rotation limits and rotating the keys if they have crossed or close to their rotation limits (1 year) or have duplicates.