My signing role and signing request have "ttl":"0" and yet the certificate is valid only for 10 hours…
curl -k --header "X-Vault-Token: $VAULT_TOKEN" --request GET $VAULT_ADDR/v1/ssh-host-ca/roles/hostrole | jq
{
  "request_id": "1efda46b-b45b-93f4-2c3c-bbcfc8502667",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "algorithm_signer": "",
    "allow_bare_domains": true,
    "allow_host_certificates": true,
    "allow_subdomains": false,
    "allow_user_certificates": false,
    "allow_user_key_ids": false,
    "allowed_critical_options": "",
    "allowed_domains": "example.com",
    "allowed_extensions": "",
    "allowed_user_key_lengths": {},
    "allowed_users": "",
    "allowed_users_template": false,
    "default_critical_options": {},
    "default_extensions": {},
    "default_user": "",
    "key_bits": 0,
    "key_id_format": "",
    "key_type": "ca",
    "max_ttl": 0,
    "ttl": 0
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
curl -k --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"public_key":"ssh-ed25519 AA*** host.example.com", "cert_type":"host", "ttl":"0"}' $VAULT_ADDR/v1/ssh-host-ca/sign/hostrole | jq
{
  "request_id": "411a9608-8bea-2e9d-ff0f-67d0c316897d",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "serial_number": "9ec669444feb6f7c",
    "signed_key": "ssh-ed25519-cert-v01@openssh.com AA ... ==\n"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
ssh-keygen -L -f ssh_host_key-cert.pub
ssh_host_key-cert.pub:
Type: ssh-ed25519-cert-v01@openssh.com host certificate
Public key: ED25519-CERT SHA256:***
Signing CA: ED25519 SHA256:*** (using ssh-ed25519)
Key ID: "vault-root-cd1d21f346701777864216d9e18bb5060d6af91d55a93533d8cd57d53eaa28c4"
Serial: 11440947645500845948
Valid: from 2021-10-16T10:35:10 to 2021-10-16T20:35:40
Principals: (none)
Critical Options: (none)
Extensions: (none)
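To see the validity window a CA actually stamped into a signed key, independent of the local-time display of ssh-keygen, here is an added Python example (not part of the original post and not Vault's code) that decodes the OpenSSH certificate wire format and returns the lifetime in seconds. The sample certificate is constructed and unsigned, stamped with the 10:35:10 to 20:35:40 window shown above taken as UTC, with placeholder key material and key id.

```python
import base64
import struct
from datetime import datetime, timezone

# Number of public-key strings that follow the nonce, per certificate key type.
_KEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-dss-cert-v01@openssh.com": 4}

def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _put_string(b):
    return struct.pack(">I", len(b)) + b

def parse_cert_validity(cert_line):
    """Decode the validity fields of an OpenSSH certificate line (no signature check)."""
    name, b64 = cert_line.split()[:2]
    blob = base64.b64decode(b64)
    typ, off = _read_string(blob, 0)
    if typ.decode() != name or not name.endswith("-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH certificate")
    _, off = _read_string(blob, off)                      # nonce
    for _ in range(_KEY_FIELDS.get(name, 2)):             # RSA/ECDSA carry two key strings
        _, off = _read_string(blob, off)
    serial, ctype = struct.unpack(">QI", blob[off:off + 12])
    key_id, off = _read_string(blob, off + 12)
    _, off = _read_string(blob, off)                      # valid principals
    after, before = struct.unpack(">QQ", blob[off:off + 16])
    return {
        "serial": serial,
        "cert_type": {1: "user", 2: "host"}.get(ctype, "unknown"),
        "key_id": key_id.decode(),
        "valid_after": datetime.fromtimestamp(after, timezone.utc),
        "valid_before": datetime.fromtimestamp(before, timezone.utc),
        "lifetime_seconds": before - after,
    }

def sample_cert_line():
    """Constructed, unsigned ssh-ed25519 host certificate (not a real Vault-issued key),
    stamped with the 10:35:10 -> 20:35:40 window printed by ssh-keygen above, taken as UTC."""
    after = int(datetime(2021, 10, 16, 10, 35, 10, tzinfo=timezone.utc).timestamp())
    typ = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_put_string(typ) + _put_string(b"\x00" * 32)        # nonce
            + _put_string(b"\x11" * 32)                         # dummy ed25519 public key
            + struct.pack(">QI", 11440947645500845948, 2)       # serial from the post, type 2 = host
            + _put_string(b"vault-root-PLACEHOLDER") + _put_string(b"")   # key id, no principals
            + struct.pack(">QQ", after, after + 10 * 3600 + 30)
            + _put_string(b"") * 3                              # critical options, extensions, reserved
            + _put_string(_put_string(b"ssh-ed25519") + _put_string(b"\x22" * 32))  # dummy CA key
            + _put_string(b""))                                 # signature, left empty
    return f"{typ.decode()} {base64.b64encode(body).decode()} host.example.com"

if __name__ == "__main__":
    info = parse_cert_validity(sample_cert_line())
    print(f"{info['cert_type']} cert {info['serial']}: {info['valid_after']} -> "
          f"{info['valid_before']} ({info['lifetime_seconds'] / 3600:.2f} h)")
```

Run it against the real `ssh_host_key-cert.pub` line to compare the decoded lifetime with the TTL you requested; a difference of a few seconds is clock backdating, a difference of hours means another TTL setting took precedence.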