-
Setting up SSH keys
Setting up SSH keys
SSH certificates are required to connect to Roihu over SSH
To connect to Roihu, users must sign their public key in MyCSC to obtain a time-based SSH certificate. Each certificate is valid for 24 hours, and once it expires, a new one must be generated by signing the public key again.
SSH keys provide more convenient and secure authentication. SSH keys are required to be able to connect to CSC supercomputers using an SSH client. Connecting to Roihu requires also that you sign your public key in order to obtain a time-based SSH certificate.
- Generate SSH keys on your local workstation.
- SSH keys are always generated in pairs consisting of one public key and one private key. Generate these keys on the device you intend to use to connect to CSC supercomputers. Never share the private key with anyone!
- Copy the public key from your workstation to MyCSC.
- For authenticating an SSH connection using a key pair, you need to copy
the public key to MyCSC. Do not copy the private key. Note that
copying the public key directly to CSC supercomputers using tools such as
ssh-copy-idwill not work.
- For authenticating an SSH connection using a key pair, you need to copy
the public key to MyCSC. Do not copy the private key. Note that
copying the public key directly to CSC supercomputers using tools such as
- Sign the public key in MyCSC and download SSH certificate (required for Roihu only).
- To connect to Roihu, sign your public key in MyCSC to generate a time-based SSH certificate that is used for authentication. SSH certificates have a finite lifetime of 24 hours, which significantly improves the security of the system. After the SSH certificate expires, a new one must be generated by signing the public key in MyCSC again.
For more information about SSH keys, see:
Generating SSH keys
To find out how to generate SSH keys on your local workstation, see the system-specific instructions for:
- Unix-based systems (macOS and Linux)
- Windows systems
Warning
The private key should never be shared with anyone, not even with CSC staff! It should only be stored on the local workstation.
Also, never leave the passphrase empty when generating an SSH key pair! Please choose a secure passphrase. It should be at least 8 characters long and contain numbers, letters and special characters.
Copying public key to supercomputer
The only way to copy a public key to a supercomputer is through the MyCSC customer portal. Read the instructions below.
Adding public key in MyCSC
You can add your public key through the MyCSC customer portal by following these steps:
- Log in to MyCSC with your CSC or Haka/Virtu credentials.
- Select Profile from the left-hand navigation or the dropdown menu in the top-right corner.
-
Locate SSH PUBLIC KEYS section and select + Add key. As a security measure, you are asked to log in again if it has been a few minutes since you last logged into the portal.

-
Add your public key by either
- uploading the public key file in the Upload file tab, or
-
manually pasting its contents into the Key field in the Manual input tab. In this case, also add a Title for the key, e.g. "my-ssh-key".


-
Select Upload or Add.
-
You should now see your new key listed under SSH PUBLIC KEYS. Note that it might take up to one hour for your new key to become active. If it takes longer than that, please contact the CSC Service Desk.

Supported key types and formatting
Supported key types are Ed25519 and RSA 4096 through 16384. We strongly recommend Ed25519.
Your public key should consist of the SSH key type, the key sequence and an optional comment, all separated by single spaces. Make sure to add the whole SSH key on the same line and do not add other whitespace than normal space characters. If your key is improperly formatted, an error message is displayed. A key in the correct format looks like this:
Users can check their public keys on Puhti or Mahti using the commands:
# Check timestamp of file (time of previous sync)
ls -l /var/lib/acco/sshkeys/${USER}/${USER}.pub
# Check its contents (public keys)
cat /var/lib/acco/sshkeys/${USER}/${USER}.pub
If you have added multiple keys to MyCSC, they should all be visible in the
same ${USER}.pub file.
Signing public key
The following is a requirement for connecting to Roihu only
To connect to Roihu using SSH or SFTP (WinSCP, FileZilla), you must sign your public key to get a so called SSH certificate. SSH certificates significantly improve the security of the system by introducing an additional authentication factor for SSH logins.
SSH certificates are valid for 24 hours at a time. Once your certificate expires, a new one must be signed following either of the processes below.
Option 1: Download from MyCSC
We recommend trying the MyCSC workflow first, since it should work out-of-the-box on all systems.
- Log in to MyCSC with your CSC or Haka/Virtu credentials.
- Select Profile from the left-hand navigation or the dropdown menu in the top-right corner.
- Locate SSH PUBLIC KEYS section and click the three vertical dots next to the public key you want to sign.
-
Click Sign and download SSH certificate. As a security measure, you may be asked to log in again.

Where to store the SSH certificate?
We strongly advise saving the certificate in the default folder for SSH-related files (e.g.
~/.sshorC:\Users\<username>/.ssh). Specifically, storing the certificate in the same directory as your SSH private key and naming it as<key>-cert.pubwill simplify connecting, working with SSH agent, etc.For example, if you've stored your SSH private key in
~/.ssh/id_ed25519, please save your SSH certificate as~/.ssh/id_ed25519-cert.pub. -
Connect to Roihu following these instructions:
- Optional, add certificate to SSH authentication agent. Mandatory for SSH agent forwarding.
- Connect from Terminal
- Optional, add certificate to SSH authentication agent. Mandatory for SSH agent forwarding or for using FileZilla and WinSCP.
- Connect to Roihu with SSH clients or graphical file transfer tools.
Option 2: Certificate helper tool
To make the process smoother and easier, you can use the helper tool.
The certificate helper is a Python tool developed by CSC to simplify the process of signing and downloading an SSH certificate, and adding it to your SSH authentication agent. A detailed documentation of the tool is available in the source repository. The following instructions illustrate only basic usage.
- Ensure that you have Python installed on your computer.
- Instructions are available in the Official Python downloads page. Contact your local IT-support if you need assistance.
- If Python for some reason cannot be installed on your computer, fall back to Option 1 instead.
-
Download the latest release of the certificate helper tool here (Right click zip Save Link As Unpack zip), or clone the Git repository:
-
Run the
csc_cert.pytool that is in the newcertificate-helper-toolfolder:- Optional, but strongly recommended: Ensure that
ssh-agentis running to automatically add SSH key and certificate to SSH agent. -
Open terminal and execute:
# Replace <username> with your CSC user name and # <path-to-public-key> with the path to your SSH public key python3 csc_cert.py -u <username> <path-to-public-key>- The command above assumes that the path to
csc_cert.pyis in your$PATHenvironment variable, or that you are in the same directory as the script. If not, make sure to provide the full path tocsc_cert.py.
- The command above assumes that the path to
-
If you have an earlier certificate which is still valid, the tool prints the expiration time and exits.
- If signing is needed, a login URL is displayed. Follow the link and authenticate.
- Copy the 6-digit code displayed into your terminal and enter your
SSH key passphrase.
- The signed certificate is automatically downloaded and added to your SSH agent.
- The signed certificate is saved as
<key>-cert.pub(e.g.,~/.ssh/id_ed25519-cert.pub).
- You now have everything ready to connect to Roihu following these instructions.
- Depending on the tool you plan to use, select the OpenSSH or Putty Private Keys (PPK) as input for the script. With OpenSSH keys you can generate certificates for both OpenSSH client and all Windows SSH applications using Putty keys, if you are only using graphical Windows applications you can also use Putty keys as input.
- If you are using Putty keys, install WinSCP. This tool is used to generate Putty Private Keys (PPK) from the certificate from MyCSC.
- If you install WinSCP without admin rights, you must add
WinSCP.exeto your Path environment variable. Search for the Edit environment variables for your account settings menu.
- If you install WinSCP without admin rights, you must add
-
Optional, but strongly recommended start one of the SSH agents to automatically add SSH key and certificate to the SSH agent:
- Pageant for Putty keys.
- Windows
ssh-agentfor OpenSSH keys.
-
Open PowerShell and run the script. Depending on what tools you plan to use, provide the helper script the right type of key.
# Replace: # <username> with your CSC user name and # <path-to-public-or-ppk-key> with the path to your OpenSSH public key # (.pub) or PuTTY key (.ppk) python csc_cert.py -u <username> <path-to-public-or-ppk-key>- The command above assumes that the path to
csc_cert.pyis in your Path environment variable, or that you are in the same directory as the script. If not, make sure to provide the full path tocsc_cert.py.
Note
PowerShell is just needed to run the certificate helper script. You can still connect to Roihu using your favorite SSH client.
If you intend to use PowerShell to connect to Roihu, make sure to provide
csc_cert.pyyour OpenSSH public key (.pub). Providing a PuTTY.ppkkey will create a certificate file that is only compatible with PuTTY or MobaXterm. Providing a.pubfile will create both an OpenSSH-compatible-cert.pubfile, as well as a-cert.ppkfile (if WinSCP is available). - The command above assumes that the path to
-
If you have an earlier certificate which is still valid, the tool prints the expiration time and exits.
- If signing is needed, a login URL is displayed. Follow the link and authenticate.
- Copy the displayed 6-digit code into PowerShell and enter your SSH
key passphrase.
- The signed certificate is automatically downloaded and added to your SSH authentication agent if you have it running.
- The signed certificate is saved to the same folder as the input key
as
<key>-cert.pubfor OpenSSH keys and/or<key>-cert.ppkfor Putty keys.
- Connect to Roihu with SSH clients or graphical file transfer tools.
- Optional, but strongly recommended: Ensure that
Check when your SSH certificate will expire
Each SSH certificate is valid for 24 hours.
If you have an active certificate, the expiration time is printed when running the
csc_cert.py tool.
The expiration time can also be checked as follows:
- Open a terminal client.
-
Run command:
- Open PuTTYgen / MobaKeyGen.
- Load your
.ppkprivate key:- File Load private key
- Add a certificate (
.pub) to the key (unless already included in the.ppkfile):- Key Add certificate to key
- Select Certificate info to see the validity period among other info.