
Overview

The Keychain is Netcatty’s centralized storage for SSH keys, certificates, and authentication identities. It provides a secure vault for managing credentials across all your hosts.

Accessing the Keychain

  1. Click Keychain in the sidebar
  2. Or press Cmd+Shift+K (Mac) / Ctrl+Shift+K (Windows/Linux)

SSH Keys

SSH keys are the foundation of secure authentication in Netcatty.

Key Structure

SSHKey
object

Generating SSH Keys

Create new SSH key pairs directly in Netcatty.

UI Workflow

  1. Navigate to Keychain
  2. Click Generate button
  3. Configure key settings:
    • Label: Descriptive name (e.g., “Production Deploy Key”)
    • Key Type: Select algorithm (ED25519 recommended)
    • Key Size: Select bit length (RSA/ECDSA only)
    • Passphrase: Optional but recommended
  4. Click Generate
  5. Netcatty creates the key pair using system crypto libraries

Generated Key Example

{
  "id": "key-abc123",
  "label": "Production Deploy",
  "type": "ED25519",
  "privateKey": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAA...\n-----END OPENSSH PRIVATE KEY-----",
  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... Generated By netcatty",
  "passphrase": "your-passphrase",
  "savePassphrase": true,
  "source": "generated",
  "category": "key",
  "created": 1710432000000
}
Netcatty uses your system’s native SSH key generation libraries (via Electron backend) for maximum security.

Importing SSH Keys

Import existing keys from files or clipboard.

Import Methods

  1. Click Import in Keychain
  2. Enter a Label
  3. Paste Private Key content
  4. (Optional) Paste Public Key
  5. (Optional) Paste Certificate
  6. Enter Passphrase if encrypted
  7. Click Save

Supported Formats

  • OpenSSH Format (modern, recommended)
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAA...
    -----END OPENSSH PRIVATE KEY-----
    
  • PEM Format (legacy)
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA...
    -----END RSA PRIVATE KEY-----
    
  • PKCS8 Format
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0...
    -----END PRIVATE KEY-----
    
Never import private keys from untrusted sources. Always verify the source and regenerate if in doubt.

Managing Keys

Viewing Keys

Grid View (default):
  • Visual cards showing key labels
  • Type indicators (Key/Certificate)
  • Quick actions on hover
List View:
  • Compact rows
  • More keys visible at once
  • Sortable columns

Key Actions

View Details

Click a key to view:
  • Full public key
  • Key fingerprint
  • Creation date
  • Associated hosts

Edit

Modify:
  • Label
  • Private key content
  • Public key
  • Certificate

Export to Host

Automatically add public key to a remote server’s ~/.ssh/authorized_keys

Copy Public Key

Copy public key to clipboard for manual distribution

Delete

Remove key from keychain (hosts using this key will prompt for re-selection)

Exporting Public Keys to Hosts

Netcatty can automatically deploy your public key to remote servers.
Workflow:
  1. Click on a key in Keychain
  2. Click Export to Host
  3. Select target host
  4. Configure export settings:
    • Location: Directory (default: .ssh)
    • Filename: Target file (default: authorized_keys)
    • Script: Custom deployment script
  5. Click Export and Attach
What Happens:
  • Netcatty connects to the host (using existing credentials)
  • Runs export script via SSH
  • Default script:
    DIR="$HOME/.ssh"
    FILE="$DIR/authorized_keys"
    if [ ! -d "$DIR" ]; then
      mkdir -p "$DIR"
      chmod 700 "$DIR"
    fi
    if [ ! -f "$FILE" ]; then
      touch "$FILE"
      chmod 600 "$FILE"
    fi
    echo $PUBLIC_KEY >> "$FILE"
    
  • Automatically updates host to use this key for future connections
The export script is customizable for non-standard setups (e.g., centralized authentication systems).
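
A hardened custom export script, as an added example (not Netcatty's own code). The default script above appends on every export and expands $PUBLIC_KEY unquoted; this variant validates the key line, enforces permissions and appends only once. The function name install_pubkey and its arguments are this example's own, and it assumes $PUBLIC_KEY is supplied the same way as in the default script.

```sh
# Added example, not Netcatty's script. Names below are this example's own.
# install_pubkey DIR FILE KEY: append KEY to FILE once, with strict permissions.
install_pubkey() (
    dir=$1 file=$2 key=$3
    # A newline inside KEY would add a second authorized_keys entry.
    case $key in
        *'
'*) echo "refusing multi-line key" >&2; return 2 ;;
    esac
    # Accept only a bare public key line; a leading options field
    # (command=..., from=...) is rejected in this example.
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac
    umask 077                     # confined to this subshell
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$file" ] || : > "$file" || return 1
    chmod 600 "$file" || return 1
    # Idempotent: a repeated export must not duplicate the entry.
    if grep -qxF -- "$key" "$file"; then
        return 0
    fi
    # If the last entry lacks a trailing newline, add one so the new key
    # is not glued onto it.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$key" >> "$file"
)

# Assumption: $PUBLIC_KEY is supplied the same way as in the default script.
if [ -n "${PUBLIC_KEY:-}" ]; then
    install_pubkey "$HOME/.ssh" "$HOME/.ssh/authorized_keys" "$PUBLIC_KEY"
fi
```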

SSH Certificates

SSH certificates provide enhanced security and centralized management.

Importing Certificates

  1. Click Import in Keychain
  2. Enter Label
  3. Paste Private Key
  4. Paste Certificate in the Certificate field
  5. Click Save
The key is automatically categorized as a certificate.

Certificate Structure

A certificate key includes:
  • Private key (same as regular SSH key)
  • Certificate signed by a CA
  • Certificate contains:
    • Validity period
    • Principals (allowed usernames)
    • Extensions (permissions)

Using Certificates

{
  "hostname": "server.example.com",
  "username": "deploy",
  "authMethod": "certificate",
  "identityFileId": "cert-key-id"
}
The remote server must trust the CA that signed your certificate. This is configured in /etc/ssh/sshd_config with TrustedUserCAKeys.
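
A pre-import check for the certificate fields listed above, as an added example (not part of Netcatty). It reads the principals with ssh-keygen -L and confirms that the host's username (deploy in the configuration above) is one of them. The throwaway CA, the file names, the key ID demo-key-id and the CA path in the sshd_config comment are constructed for the demo.

```sh
# Added example; the CA, file names and key ID are constructed for the demo.
# cert_principals CERT: print the principals listed in an OpenSSH certificate.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[ \t]+Principals:/       { inp = 1; next }
        /^[ \t]+Critical Options:/ { inp = 0 }
        inp && NF                  { print $1 }'
}

# cert_allows_user CERT USER: succeed only if USER is a listed principal.
cert_allows_user() {
    cert_principals "$1" | grep -qxF -- "$2"
}

# make_demo_cert DIR: a throwaway CA signs a throwaway user key for the
# principal "deploy", valid for one hour; writes DIR/user-cert.pub.
make_demo_cert() {
    ssh-keygen -q -t ed25519 -N '' -C demo-ca   -f "$1/ca"   &&
    ssh-keygen -q -t ed25519 -N '' -C demo-user -f "$1/user" &&
    ssh-keygen -q -s "$1/ca" -I demo-key-id -n deploy -V +1h "$1/user.pub"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_cert "$demo"
    # Shows the validity period, principals and extensions.
    ssh-keygen -L -f "$demo/user-cert.pub"
    cert_allows_user "$demo/user-cert.pub" deploy && echo "deploy: listed principal"
    cert_allows_user "$demo/user-cert.pub" root   || echo "root: not a principal"
    # Server side, in /etc/ssh/sshd_config (the CA file path is an assumption):
    #   TrustedUserCAKeys /etc/ssh/demo_user_ca.pub   # a copy of $demo/ca.pub
    rm -rf "$demo"
fi
```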

Identities

Identities combine username and authentication method for reuse across hosts.

Identity Structure

Identity
object

Creating Identities

  1. Navigate to Keychain
  2. Click the dropdown on Key filter
  3. Select New Identity
  4. Configure:
    • Label: “Deploy User”
    • Username: deploy
    • Auth Method: Key
    • SSH Key: Select from dropdown
  5. Click Save

Using Identities

Attach an identity to multiple hosts:
{
  "hostname": "web-01.example.com",
  "identityId": "deploy-identity"
}
Benefits:
  • Update credentials in one place
  • Enforce consistent authentication across server groups
  • Simplify host configuration

Searching and Filtering

Filter keys by:
  • Label
  • Key type
  • Public key content

Filter Tabs

  • Key: Generated and imported keys
  • Certificate: Keys with certificates attached
Click the dropdown arrow on filter tabs for quick actions:
  • Generate new key
  • Import key
  • Create identity

Keyboard Shortcuts

Action         Mac            Windows/Linux
Open Keychain  Cmd+Shift+K    Ctrl+Shift+K
Generate Key   (in dropdown)  (in dropdown)
Import Key     (in dropdown)  (in dropdown)
Search         Start typing   Start typing

Security Best Practices

  • Always use ED25519 for new keys unless compatibility requires RSA
  • When RSA is required, use keys of at least 4096 bits
  • Never reuse keys across environments (dev/staging/prod)
  • Always set passphrases on private keys
  • Use strong, unique passphrases (20+ characters)
  • Enable “Save Passphrase” only on secure, personal devices
  • Keep private keys out of cloud storage
  • Don’t commit keys to version control
  • Use different keys for different purposes
  • Rotate keys every 90-180 days
  • Immediately rotate if compromised
  • Remove old keys from authorized_keys

Troubleshooting

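Solution: Convert to OpenSSH format:
# -p rewrites the key file in place (back it up first) and prompts for the passphrase
# -m PEM stores the private key in the legacy PEM format
ssh-keygen -p -m PEM -f ~/.ssh/old_key
# -m RFC4716 keeps ssh-keygen's default private key format (OpenSSH)
ssh-keygen -p -m RFC4716 -f ~/.ssh/old_key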
Possible Causes:
  • No existing authentication method configured
  • Server doesn’t allow password auth or current key
Solution:
  1. Configure password or another key for initial access
  2. Retry export
  3. Check SSH logs on server: /var/log/auth.log
Solution:
  • Ensure your OS keychain/credential manager is accessible
  • Mac: Check Keychain Access app
  • Windows: Check Credential Manager
  • Linux: Ensure libsecret is installed
