Use a Hello certificate for SSH and set up your GitHub repo

Recently, I needed to set up SSH keys on my GitHub account and ran into an issue setting this up. I thought I would document my setup procedure. For the most part, the process is pretty straightforward, but it’s a little different from the Linux environment. All my steps use an elevated PowerShell command window.

The first section will show how to generate your ssh key using a Windows Hello certificate. After the key is generated, it will be added to the ssh-agent service. To complete the setup, I’ll show where to add the new key to my GitHub account.

Generate the ssh key from a Windows Hello certificate

  1. SSH keys are stored in the $ENV:USERPROFILE\.ssh directory.
# Find the thumbprint of the Windows Hello certificate.
$thumbprint = (Get-ChildItem Microsoft.PowerShell.Security\Certificate::CurrentUser -Recurse | Where-Object {$_.Issuer -match 'Windows Hello'} | Select-Object -First 1).Thumbprint

# Export the certificate as base64 text.
$path = 'c:\temp\base64cert.cer'
Set-Content -Path $path -Value ([convert]::tobase64string((Get-Item cert:\currentuser\my\$thumbprint).RawData)) -Encoding Ascii

Convert it to PEM; that PEM will be usable by ssh-keygen.

# Convert the cer to a pem format and use the pem to generate the ssh key.
certutil -encode 'c:\temp\base64cert.cer' 'c:\temp\hello.pem'
ssh-keygen.exe -f 'c:\temp\hello.pem' -f $Env:USERPROFILE\.ssh\id_testkey

# Clean up the certificates that were generated.
Remove-Item ('c:\temp\base64cert.cer', 'c:\temp\hello.pem')

Set up the SSH-Agent service

By default, the ssh-agent service is disabled. Set the service to automatic so that it starts when the computer is rebooted. The PowerShell console will need to have elevated privileges.

Get-Service ssh-agent | Set-Service -StartupType Automatic

Start the ssh-agent service.

Start-Service ssh-agent

To check if the ssh-agent service is set up correctly, run the following:

Get-Service ssh-agent | select *

UserName            : LocalSystem
Description         : Agent to hold private keys used for public key authentication.
DelayedAutoStart    : False
BinaryPathName      : C:\WINDOWS\System32\OpenSSH\ssh-agent.exe
StartupType         : Automatic
Name                : ssh-agent
RequiredServices    : {}
CanPauseAndContinue : False
CanShutdown         : False
CanStop             : True
DisplayName         : OpenSSH Authentication Agent
DependentServices   : {}
MachineName         : .
ServiceName         : ssh-agent
ServicesDependedOn  : {}
StartType           : Automatic
ServiceHandle       :
Status              : Running
ServiceType         : Win32OwnProcess
Site                :
Container           :

If your SSH-Agent does not have a Status of Running, it needs to be started. Open the PowerShell window with elevated privileges.

Get-Service -Name ssh-agent | Set-Service -StartupType Automatic -Status Running

Now load your key files into ssh-agent.

ssh-add $env:USERPROFILE\.ssh\id_testkey

Set the ssh profile for GitHub in the SSH Config file. This will tell SSH how to proceed for future ssh connections.

Get-Content $env:UserProfile\.ssh\config

Host github.com-repo-0
    Hostname github.com
    IdentityFile=C:/Users/myusername/.ssh/id_testkey

Host github.com-repo-1
    Hostname github.com
    IdentityFile=C:/Users/myusername/.ssh/id_testkey

Add the ssh key to GitHub

Then add your ssh key to GitHub. This can be done in one of two places.

  1. The user profile for the entire account

    1.1. Under your user profile image in the right corner, select Settings.

    1.2. Next, select SSH and GPG keys.

    1.3. Select the New SSH key button.

    1.4. Copy the public key contents to your clipboard.

    Get-Content $env:userprofile\.ssh\id_testkey.pub | clip.exe

    1.5. Paste in the key.

  2. In your Windows PowerShell console, test the ssh key.

    ssh -T git@github.com
    Hi ebmarquez! You've successfully authenticated, but GitHub does not provide shell access.

  3. In your GitHub repo set the git configuration to utilize the new ssh key.

Configure the local git repo

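If you have already cloned the repo, the following git config command will set the ssh key that git should use. The path uses forward slashes, as in the SSH config file above, because git passes this command through a shell that strips unescaped backslashes.

git config core.sshCommand "ssh -i C:/Users/myusername/.ssh/id_testkey -F /dev/null"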
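
To confirm the local result of the steps above, the following added example (not part of the original post) checks the agent service, that the key loaded in ssh-agent matches the public key file, the ACL on the private key, and that the temporary certificate exports are gone. The function name Test-SshKeySetup and the list of accounts allowed on the key's ACL are assumptions; the paths are the ones used in this post.

```powershell
# Added example, not from the original post. Paths are the ones the post uses.
function Test-SshKeySetup {
    param(
        [string]   $KeyPath   = (Join-Path $env:USERPROFILE '.ssh\id_testkey'),
        [string[]] $TempFiles = @('c:\temp\base64cert.cer', 'c:\temp\hello.pem')
    )
    $result = [ordered]@{}

    # 1. The agent must be running and configured to start at boot.
    $svc = Get-Service -Name ssh-agent
    $result.AgentRunning   = $svc.Status -eq 'Running'
    $result.AgentAutomatic = $svc.StartType -eq 'Automatic'

    # 2. The fingerprint of the public key file must be among the keys the agent holds.
    #    ssh-keygen -lf prints "<bits> SHA256:<hash> <comment> (<type>)".
    $fingerprint = ((ssh-keygen.exe -lf "$KeyPath.pub") -split ' ')[1]
    $result.KeyInAgent = [bool]($fingerprint -and
        (ssh-add.exe -l | Select-String -SimpleMatch $fingerprint -Quiet))

    # 3. Only the current user, SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544)
    #    should hold rights on the private key. Compared by SID, so locale-independent.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $allowed = @(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value,
        'S-1-5-18', 'S-1-5-32-544'
    )
    $extra = (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.IdentityReference.Translate($sidType).Value -notin $allowed
    }
    $result.KeyAclRestricted = -not $extra
    $result.UnexpectedAclEntries = @($extra | ForEach-Object { $_.IdentityReference.Value })

    # 4. The intermediate certificate exports in c:\temp should have been removed.
    $result.TempFilesRemoved = -not ($TempFiles | Where-Object { Test-Path $_ })

    [pscustomobject]$result
}

Test-SshKeySetup | Format-List
```

Any property that comes back False points at the step to revisit; UnexpectedAclEntries names the accounts to remove from the private key file.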

This post is licensed under CC BY 4.0 by the author.