Add certificate to ssh-agent for a key that's already inside the agent
I am writing a client program that allows the user to log in to a server. The program expects that the user has already set up an ssh agent and added their RSA keypair to it. It grabs the public key and sends it to a remote signer, which returns an SSH certificate for the public key. This certificate declares that the owner of the public key is permitted to log in to the server.

I want to make the client program add the certificate to the agent and associate it with the key, so that it can ssh to the remote server using the key with the certificate. How can I do this?

Rabbitfish answered 20/7, 2018 at 9:54 Comment(1)
You're trying to what, centralize a user's ~/.ssh/authorized_keys? This sounds a bit like Keybase (though Keybase only wants to support provable items, and a client key can't be proven on demand). Otherwise, perhaps check out ssh-copy-id or just run cat ~/.ssh/id_rsa.pub |ssh user@remote-host "cat >>.ssh/authorized_keys" and enter your password one final time. Priscian
Do you want to implement temporary SSH access by issuing temporary OpenSSH certificates? If yes, why don't you just generate a new key pair each time the user is authenticated to your SSH-CA?

Anyway: OpenSSH has hard-coded filename conventions. You have to place the OpenSSH certificate beside your private key file and invoke ssh-add.

Your key pair:

$HOME/.ssh/id_rsa
$HOME/.ssh/id_rsa.pub

Your OpenSSH cert has to be located here:

$HOME/.ssh/id_rsa-cert.pub
Boardwalk answered 24/7, 2018 at 12:15 Comment(0)
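An added example in Python (not code from the question or from this answer) of the client-side steps this answer implies: parse the certificate the signer returned, confirm it wraps the key the agent already holds (by comparing against `ssh-add -L` output), and build the `ssh-add` call that relies on the `<key>-cert.pub` naming convention, with `-t` set so the agent drops the key when the certificate expires. It assumes the private key file is still on disk for `ssh-add` to read; the key values and the certificate are constructed for the demo, and the CA signature is not verified.

```python
import base64
import struct
RSA_CERT = b"ssh-rsa-cert-v01@openssh.com"

def pack_strings(*fields):
    """Encode byte strings in SSH wire format (uint32 big-endian length + bytes each)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def read_string(buf, off):
    n, = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def public_key_line(e, n, comment):
    """Format an RSA public key the way `ssh-add -L` prints it: type, base64 blob, comment."""
    return "ssh-rsa %s %s" % (base64.b64encode(pack_strings(b"ssh-rsa", e, n)).decode(), comment)

def parse_rsa_cert(cert_line):
    """Parse one line of a *-cert.pub file (the CA signature is not verified here)."""
    blob = base64.b64decode(cert_line.split()[1])
    ctype, off = read_string(blob, 0)
    if ctype != RSA_CERT: raise ValueError("not an ssh-rsa-cert-v01 certificate: %r" % ctype)
    e, off = read_string(blob, read_string(blob, off)[1])  # skip the random nonce, then read e
    n, off = read_string(blob, off)
    key_id, off = read_string(blob, off + 12)  # skip uint64 serial and uint32 cert type
    packed, off = read_string(blob, off)
    principals, p = [], 0
    while p < len(packed):  # principals are a packed list of strings
        name, p = read_string(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack(">QQ", blob[off:off + 16])
    return {"key_blob": pack_strings(b"ssh-rsa", e, n), "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def agent_has_key(ssh_add_listing, key_blob):
    """True if the `ssh-add -L` output lists exactly the public key the certificate wraps."""
    return any(base64.b64decode(p[1]) == key_blob for p in map(str.split, ssh_add_listing.splitlines())
               if len(p) >= 2 and p[0] == "ssh-rsa")

def ssh_add_command(key_path, cert, now):
    """Load key_path plus key_path-cert.pub (OpenSSH naming); -t drops both when the cert expires."""
    if not cert["valid_after"] <= now < cert["valid_before"]:
        raise ValueError("certificate is not valid at this time")
    return ["ssh-add", "-t", str(cert["valid_before"] - now), key_path]

def build_sample_cert(e, n, key_id, principals, valid_after, valid_before):
    """Constructed, unsigned certificate in the real wire layout, for this demo only."""
    body = (pack_strings(RSA_CERT, b"nonce", e, n) + struct.pack(">QI", 1, 1)  # serial=1, type=user
            + pack_strings(key_id, pack_strings(*principals)) + struct.pack(">QQ", valid_after, valid_before)
            + pack_strings(b"", b"", b"", b"", b""))  # critical options, extensions, reserved, CA key, signature
    return "ssh-rsa-cert-v01@openssh.com %s demo" % base64.b64encode(body).decode()
```

Write the certificate line to `$HOME/.ssh/id_rsa-cert.pub` before running the returned command; if `agent_has_key` is false, the signer certified a different key than the one the agent holds.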
I've been looking for a solution to this issue too.

Uber's ussh seems to provide this capability, although with the caveat that a new keypair is generated. The Uber certificate authority announcement has this tantalising quote:

An employee gets a ussh certificate when they run the ussh command. This connects to the USSHCA, performs the pam conversation and forwards the client’s ssh agent to the CA. If the client successfully authenticates, the CA generates a new ssh key, populates the associated cert with the configured information (validity period, the user it’s valid for, the options permitted, etc.) and adds both the key and the certificate to the remote agent. The certificates are added to the agent with a timeout telling the agent to remove the keys when the certificate expires.

The ussh PAM module is on github.

Guttapercha answered 15/9, 2018 at 20:35 Comment(1)
I've made an implementation of an ssh certificate authority to add certificates to a forwarded agent, written in golang. See github.com/rorycl/sshagentca. Guttapercha

© 2022 - 2024 — McMap. All rights reserved.