How to specify valid_principals when signing SSH CA host key?

From the documentation:
valid_principals (string: "") – Specifies valid principals, either usernames or hostnames, that the certificate should be signed for.

What am I missing?

curl -k --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"public_key":"ssh-ed25519 AA***", "cert_type":"host", "valid_principals":""}' $VAULT_ADDR/v1/ssh-host-ca/sign/hostrole | jq

  "errors": [
    " is not a valid value for valid_principals"

The principal string isn’t a DNS name but just a standard string. You then list the allowed principals on the SSH server config side, which has to match (so the cert contains a single string and the server contains a list of allowable strings).

This does not help at all…
I am trying to get an SSH host certificate; the principal in this case is the FQDN hostname, and it is not accepted by the API…

The solution was to enable "Allow subdomains: Yes" in the signing role.

The documentation does not mention that the valid_principals field is validated against anything. I found it while reading bug reports:

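As an added example (not code from the thread and not Vault's own code): a small shell model of the host-principal check that the solution above runs into, driven by the role options allowed_domains, allow_subdomains and allow_bare_domains, followed by the signing request from the question with the FQDN filled in. The matching rules are my reading of how the Vault SSH secrets engine filters valid_principals for cert_type=host, not copied from its source; the domain example.com and the host host1.example.com are constructed values.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Vault: models the role-side
# check that makes valid_principals="" fail and that allow_subdomains=true
# fixes for an FQDN host principal. Assumed role (constructed):
#   allowed_domains=example.com  allow_subdomains=true  allow_bare_domains=false
set -eu

# principal_allowed PRINCIPAL ALLOWED_DOMAINS ALLOW_SUBDOMAINS ALLOW_BARE
# ALLOWED_DOMAINS is comma-separated like the role field. Exit 0 when the
# principal would pass the (modelled) role check, 1 otherwise.
principal_allowed() {
  principal=$1; domains=$2; allow_sub=$3; allow_bare=$4
  # An empty principal never matches any domain; this is the
  # ' is not a valid value for valid_principals' error from the question.
  [ -n "$principal" ] || return 1
  # allowed_domains="*" is assumed to disable the domain filter entirely
  [ "$domains" = "*" ] && return 0
  old_ifs=$IFS; IFS=,
  for d in $domains; do
    # allow_bare_domains: principal may equal the domain itself
    if [ "$allow_bare" = true ] && [ "$principal" = "$d" ]; then
      IFS=$old_ifs; return 0
    fi
    # allow_subdomains: principal may be <label(s)>.<domain>; the leading dot
    # keeps a look-alike such as evilexample.com from matching example.com
    case "$principal" in
      *".$d") if [ "$allow_sub" = true ]; then IFS=$old_ifs; return 0; fi ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

# sign_payload PUBKEY PRINCIPAL: JSON body for POST <mount>/sign/<role>,
# same shape as the request in the question but with a real principal.
sign_payload() {
  printf '{"public_key":"%s","cert_type":"host","valid_principals":"%s"}' "$1" "$2"
}

# Usage against a live Vault (not executed here; VAULT_TOKEN/VAULT_ADDR as in
# the question, mount ssh-host-ca and role hostrole taken from the thread):
#   curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
#     --data "$(sign_payload "$(cat /etc/ssh/ssh_host_ed25519_key.pub)" host1.example.com)" \
#     "$VAULT_ADDR/v1/ssh-host-ca/sign/hostrole"
```

With the role settings assumed above, host1.example.com passes only because allow_subdomains is on; the bare example.com would additionally need allow_bare_domains, and an empty string fails regardless of the role, which is the error in the question.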