Can we use x509 certs for SSH access to servers

I want to use x509 certificates for SSH access. Which secret engine will be right for my use case - pki / ssh / or any hybrid way?

Is there any documentation on the same please?

I have not tried it, but I don’t think there is an implementation of x509 SSH signing in Vault.

Standard OpenSSH has a built in capability to use certificates. However they are not X.509 certificates.

The Vault SSH secrets engine is built to operate with standard OpenSSH’s certificates.

Doing a little Googling shows that there is an unofficial fork of OpenSSH that uses X.509 certificates, but it’s unclear to me what benefit this is supposed to bring, to justify needing to run a forked version of the client and server.

Therefore, I suggest you don’t use X.509 certificates for SSH, but use the built-in non-X.509 certificate support in OpenSSH and Vault.
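As an added illustration of the point above that OpenSSH certificates are a different format from X.509 (example code written for this thread, not from the original posts, Vault or OpenSSH): a stand-alone decoder for the OpenSSH certificate wire format, in the same one-line `<type> <base64> [comment]` form that the Vault SSH secrets engine's `sign/<role>` endpoint returns in its `signed_key` field. The sample certificate is constructed inside the script with dummy key bytes and a dummy signature (no signature verification is performed), and the principal, key id, serial and TTL values are invented.

```python
"""Decode an OpenSSH certificate and tell it apart from X.509 DER.

Added example for this thread; not code from Vault or the original posts.
The sample certificate is constructed here with dummy key bytes and a dummy
signature, so only the structure is demonstrated, not signature verification.
"""
import base64
import struct

# Number of wire "string" fields that make up the public key for each cert type.
PK_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve name, Q
}

def _pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _pack_strings(items) -> bytes:
    return b"".join(_pack_string(s.encode()) for s in items)

def _pack_options(opts: dict) -> bytes:
    """Critical options / extensions: string name, string data; data is an
    inner string (e.g. force-command) or empty (e.g. permit-pty)."""
    out = b""
    for name, value in sorted(opts.items()):
        data = _pack_string(value.encode()) if value else b""
        out += _pack_string(name.encode()) + _pack_string(data)
    return out

class _Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0
    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos); self.pos += 4; return v
    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.buf, self.pos); self.pos += 8; return v
    def string(self) -> bytes:
        n = self.u32()
        s = self.buf[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated string field")
        self.pos += n
        return s
    def done(self) -> bool:
        return self.pos >= len(self.buf)

def _unpack_strings(blob: bytes) -> list:
    r, out = _Reader(blob), []
    while not r.done():
        out.append(r.string().decode())
    return out

def _unpack_options(blob: bytes) -> dict:
    r, out = _Reader(blob), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if data else ""
    return out

def build_sample_cert(valid_after: int = 1_700_000_000, ttl: int = 1800) -> str:
    """Constructed ed25519 user certificate in the one-line form the Vault SSH
    engine returns as `signed_key`. Keys, key id and signature are dummies."""
    ctype = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_pack_string(ctype)
            + _pack_string(bytes(32))                          # nonce
            + _pack_string(bytes(range(32)))                   # client public key (dummy)
            + struct.pack(">Q", 0x1122)                        # serial
            + struct.pack(">I", 1)                             # 1 = user cert, 2 = host cert
            + _pack_string(b"vault-userpass-alice")            # key id (invented)
            + _pack_string(_pack_strings(["ubuntu"]))          # valid principals
            + struct.pack(">QQ", valid_after, valid_after + ttl)
            + _pack_string(_pack_options({}))                  # critical options
            + _pack_string(_pack_options({"permit-pty": ""}))  # extensions
            + _pack_string(b"")                                # reserved
            + _pack_string(_pack_string(b"ssh-ed25519") + _pack_string(bytes(32))))  # CA key (dummy)
    sig = _pack_string(b"ssh-ed25519") + _pack_string(b"\xff" * 64)  # dummy signature
    return ctype.decode() + " " + base64.b64encode(body + _pack_string(sig)).decode() + " vault-signed"

def decode_blob(line: str) -> bytes:
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return base64.b64decode(parts[1])

def parse_openssh_cert(line: str) -> dict:
    r = _Reader(decode_blob(line))
    ctype = r.string().decode()
    if ctype not in PK_FIELDS:
        raise ValueError(f"not a supported OpenSSH certificate type: {ctype}")
    r.string()                                           # nonce
    pubkey = [r.string() for _ in range(PK_FIELDS[ctype])]
    cert = {
        "cert_type": ctype,
        "public_key": pubkey,
        "serial": r.u64(),
        "type": {1: "user", 2: "host"}.get(r.u32(), "unknown"),
        "key_id": r.string().decode(),
        "principals": _unpack_strings(r.string()),
        "valid_after": r.u64(),
        "valid_before": r.u64(),
        "critical_options": _unpack_options(r.string()),
        "extensions": _unpack_options(r.string()),
    }
    r.string()                       # reserved
    cert["ca_key"] = r.string()      # CA public key in wire form
    cert["signature"] = r.string()   # not verified in this example
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return cert

def is_valid_at(cert: dict, ts: int) -> bool:
    """OpenSSH treats the window as valid_after <= now < valid_before."""
    return cert["valid_after"] <= ts < cert["valid_before"]

def classify(data: bytes) -> str:
    """Cheap structural check: X.509 is DER (outer SEQUENCE, tag 0x30, whose
    length covers the whole blob); an OpenSSH cert starts with a length-prefixed
    type name ending in '-cert-v01@openssh.com'."""
    if len(data) >= 2 and data[0] == 0x30:
        n, hdr = data[1], 2
        if n & 0x80:
            k = n & 0x7F
            n, hdr = int.from_bytes(data[2:2 + k], "big"), 2 + k
        if hdr + n == len(data):
            return "x509-der"
    try:
        if _Reader(data).string().decode().endswith("-cert-v01@openssh.com"):
            return "openssh-cert"
    except (ValueError, struct.error, UnicodeDecodeError):
        pass
    return "unknown"

if __name__ == "__main__":
    c = parse_openssh_cert(build_sample_cert())
    print(c["type"], c["key_id"], c["principals"], c["extensions"],
          "ttl=%ds" % (c["valid_before"] - c["valid_after"]))
```

The fields this pulls out (principals, validity window, critical options, extensions) are exactly what `ssh-keygen -L -f <cert>` prints for a real certificate and what the Vault SSH engine's role settings (allowed principals, TTL, default extensions) control; note there is no ASN.1, no subject DN and no SAN anywhere in the structure, which is why an X.509 certificate cannot simply be handed to stock OpenSSH.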

We are building some services, where we are planning to use SPIFFE and SPIRE for authentication. If so, SPIRE already gives a certificate, which is an x509-based cert. So we are planning to use the same for SSH access, instead of generating one more certificate using the SSH secret engine (in Vault).

If Vault can support using x509 certs for SSH, then we planned to use the same cert generated by SPIFFE/SPIRE … that way it will be one certificate less to manage.

To me, your message seems to contradict itself:

EITHER you want to present your SPIFFE certificate directly to an SSH server to log in - in which case Vault isn’t involved at all.

OR you want to present your SPIFFE certificate to Vault, and get another certificate to use for SSH - in which case you might as well just use the Vault SSH secrets engine to do so, and you don’t meet your stated goal of using only one certificate.

Please explain your goals in more detail?

SPIFFE/SPIRE acts as a CA and generates a certificate.
But they also support third-party CAs, where we can configure Vault as a CA (as upstream). In this case, it’s SPIRE who does cert management but uses Vault as the CA for generating; also in this case SPIRE acts as an intermediate CA.

So in this case, though it’s SPIRE who is doing cert management, it’s Vault who is generating the cert at the end. Having said this, which secret engine makes more sense here - PKI/SSH/or any hybrid approach?

I’m confused - you now seem to be asking a different question from when this conversation started. You will need to more clearly explain what you’re asking, if people on the internet with no existing knowledge of your environment are going to be able to help!