In some environments, the SSH host keys for a lot of servers will all be signed in turn by a central ‘certification authority’ (‘CA’ for short). This simplifies host key configuration for users, because if they configure their SSH client to accept host keys certified by that CA, then they don't need to individually confirm each host key the first time they connect to that server.
In order to do this, press the ‘Configure host CAs’ button in the ‘Host keys’ configuration panel. This will launch a secondary configuration dialog box where you can configure what CAs PuTTY will accept signatures from.
Note that this configuration is common to all saved sessions. Everything in the main PuTTY configuration is specific to one saved session, and you can prepare a separate session with all the configuration different. But there's only one copy of the host CA configuration, and it applies to all sessions PuTTY runs, whether saved or not.
(Otherwise, it would be useless – configuring a CA by hand for each new host wouldn't be any more convenient than pressing the ‘confirm’ button for each new host's host key.)
To set up a new CA using this config box:
First, load the CA's public key from a file, or paste it directly into the ‘Public key of certification authority’ edit box. If your organisation signs its host keys in this way, they will publish the public key of their CA so that SSH users can include it in their configuration.
Next, in the ‘Valid hosts this key is trusted to certify’ box, configure at least one hostname wildcard to say what servers PuTTY should trust this CA to speak for. For example, suppose you work for Example Corporation (example.com), and the Example Corporation IT department has advertised a CA that signs all the Example internal machines' host keys. Then probably you want to trust that CA to sign host keys for machines in the domain example.com, but not for anything else. So you might enter ‘*.example.com’ into the ‘Valid hosts’ box.
It's important to limit what the CA key is allowed to sign. Don't just enter ‘*’ in that box! If you do that, you're saying that Example Corporation IT department is authorised to sign a host key for anything at all you might decide to connect to – even if you're connecting out of the company network to a machine somewhere else, such as your own personal server. So that configuration would enable the Example IT department to act as a ‘man-in-the-middle’ between your PuTTY process and your server, and listen in to your communications – exactly the thing SSH is supposed to avoid.
So, if the CA was provided to you by the sysadmins responsible for example.com (or whatever), make sure PuTTY will only trust it for machines in the example.com domain.
For the full syntax of the ‘Valid hosts’ expression, see section 4.19.4.1.
Finally, choose an identifying name for this CA; enter that name in the ‘Name for this CA’ edit box at the top of the window, and press ‘Save’ to record the CA in your configuration. The name you chose will appear in the list of saved CAs to the left of the ‘Save’ button.
The identifying name can be anything you like. It's there so that if you store multiple certificates you can tell which is which later when you want to edit or delete them. It also appears in the PuTTY Event Log when a server presents a certificate signed by that CA.
To reload an existing CA configuration, select it in the list box and press ‘Load’. Then you can make changes, and save it again.
To remove a CA from your configuration completely, select it in the list and press ‘Delete’.
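To see what the ‘Valid hosts’ scope discussed above means in practice, the following added example (not part of PuTTY or its documentation) checks which destinations each configured CA would be trusted to certify and reports any that fall outside the CA owner's domain. It assumes a single wildcard with plain glob semantics, not the full expression syntax, and the CA names, patterns and hostnames are constructed sample data.

```python
from fnmatch import fnmatchcase

# Constructed sample data: CA names, patterns and hosts are illustrative only.
CA_CONFIG = {
    "Example IT (scoped)": "*.example.com",
    "Example IT (unscoped)": "*",
}
DESTINATIONS = [
    "build01.example.com",
    "db.internal.example.com",
    "example.com",
    "myserver.example.org",   # stands in for a personal server elsewhere
]


def ca_trusted_for(pattern: str, host: str) -> bool:
    """True if a single-wildcard 'Valid hosts' pattern covers host.

    Assumption: plain glob matching, compared case-insensitively.
    """
    return fnmatchcase(host.lower(), pattern.lower())


def overreach(ca_config, destinations, expected_domain):
    """Map each CA to the hosts it may certify outside expected_domain."""
    report = {}
    for name, pattern in ca_config.items():
        outside = [
            h for h in destinations
            if ca_trusted_for(pattern, h)
            and not (h == expected_domain or h.endswith("." + expected_domain))
        ]
        if outside:
            report[name] = outside
    return report


if __name__ == "__main__":
    for name, pattern in CA_CONFIG.items():
        covered = [h for h in DESTINATIONS if ca_trusted_for(pattern, h)]
        print(f"{name!r} ({pattern}) may certify: {covered}")
    print("Outside example.com:", overreach(CA_CONFIG, DESTINATIONS, "example.com"))
```

Under these glob semantics ‘*.example.com’ does not cover the bare name example.com, so a host reached by that name would still go through ordinary host key confirmation.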