I was under the impression that SSH keys did not have an expiry, so I am a bit puzzled as to why a client came to me yesterday to advise that 2 of our keys had:
Message from client:
I can see that the key on each account is due for a refresh today.
xxxx1282xxxx Key Expiry Date: 11 April 2019 17:10
xxxx2214xxxx Key Expiry Date: 11 April 2019 17:02
Any idea how they got to this, as this may now involve a piece of work where I have to grab expiry dates for over 100 keys....
1 Answer
Traditional SSH keys have no expiry; in fact they have no metadata whatsoever (except maybe a comment field). Some companies have central authorized key management and implement their own policies regarding key expiry – the dates in that case are stored in some company-specific or system-specific format, not within the key itself.
It's likely that your client has simply decided that all keypairs must be rotated every X years or so (similar to what's done for TLS certificates).
Various "certificate" formats (X.509, PGP, OpenSSH certs) may have expiry dates. For example, if your public key starts with "" instead of the usual "ssh-rsa", then it is a certificate with metadata – expiry date possibly included. (Use ssh-keygen -L to view the certificate's contents.) Other certificate formats are even more unlikely to be used with SSH.
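To check a large batch of keys for the distinction drawn in the answer above, here is an added example (not part of the original answer) that reads the validity field of an OpenSSH certificate and reports that plain keys carry none. The function names are hypothetical, lines are assumed to be in `type base64 [comment]` form, and the field layout follows OpenSSH's PROTOCOL.certkeys.

```python
import base64
import struct
from datetime import datetime, timezone

# Certificate type -> count of length-prefixed public-key fields after the nonce.
CERT_KEY_FIELDS = {
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, Q
}
FOREVER = 2**64 - 1  # valid_before value meaning "never expires"

def pack_string(data):
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated blob")
    return buf[off + 4:end], end

def key_expiry(line):
    """Return (kind, expiry) for a 'type base64 [comment]' public-key line."""
    key_type, b64 = line.split()[:2]
    if not key_type.endswith("-cert-v01@openssh.com"):
        return "plain key", None          # no metadata inside the key
    blob = base64.b64decode(b64)
    inner_type, off = read_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("type prefix does not match blob")
    _, off = read_string(blob, off)       # nonce
    for _ in range(CERT_KEY_FIELDS[key_type]):  # KeyError: type not in table
        _, off = read_string(blob, off)   # public-key fields
    off += 8 + 4                          # serial (uint64), cert type (uint32)
    _, off = read_string(blob, off)       # key id
    _, off = read_string(blob, off)       # valid principals
    _, valid_before = struct.unpack_from(">QQ", blob, off)
    if valid_before == FOREVER:
        return "certificate", None
    return "certificate", datetime.fromtimestamp(valid_before, tz=timezone.utc)

def constructed_cert_line(valid_before):
    # Constructed sample: an ed25519 certificate blob cut off after the
    # validity fields (no options or CA signature), enough for key_expiry().
    name = b"ssh-ed25519-cert-v01@openssh.com"
    blob = (pack_string(name) + pack_string(b"\0" * 32) + pack_string(b"\1" * 32)
            + struct.pack(">QI", 1, 1) + pack_string(b"constructed-id")
            + pack_string(b"") + struct.pack(">QQ", 0, valid_before))
    return name.decode() + " " + base64.b64encode(blob).decode() + " constructed"
```

For every line reported as a plain key, any expiry date has to come from the key management system's own records, since the key itself stores none.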