The documentation for SSH CA authentication says that separate mount paths should be used for host key signing and client key signing. It seems to me that you could just use one CA with different signing roles to achieve the same security so I’m wondering what the purpose of using two is. I dug through the history of the docs, and it looks like that recommendation was first added here, but I can’t find anything about why it was added.
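For readers who want to see what the two-mount layout from the docs looks like end to end, here is an added example (not from the post above and not Vault's own documentation or code). It assumes a reachable Vault with `VAULT_ADDR` and `VAULT_TOKEN` already set, and the mount names `ssh-client-signer` / `ssh-host-signer`, the role names `ops-user` / `web-host`, the domain `example.internal` and the file paths are all placeholders chosen for the example. Each mount owns its own CA key pair, each role permits exactly one certificate type, and each CA public key is published only to the party that should trust it: the user CA to `sshd` via `TrustedUserCAKeys`, the host CA to clients via an `@cert-authority` line in `known_hosts`. The `mount_for_cert_type` helper makes the routing explicit so a request for a host certificate can never be sent to the client signer.

```shell
#!/usr/bin/env bash
# Added example: two separate Vault SSH secrets-engine mounts, one per certificate type.
# Assumes VAULT_ADDR and VAULT_TOKEN are exported; all names/paths below are placeholders.
set -euo pipefail

CLIENT_MOUNT=ssh-client-signer   # signs user (client) certificates only
HOST_MOUNT=ssh-host-signer       # signs host certificates only

# Pure helper: map a certificate type to the only mount allowed to sign it.
mount_for_cert_type() {
  case "$1" in
    user) echo "$CLIENT_MOUNT" ;;
    host) echo "$HOST_MOUNT" ;;
    *)    echo "unknown cert_type: $1" >&2; return 1 ;;
  esac
}

setup_mounts() {
  vault secrets enable -path="$CLIENT_MOUNT" ssh
  vault secrets enable -path="$HOST_MOUNT" ssh
  # Host certs are typically long-lived; raise the max lease TTL on that mount only.
  vault secrets tune -max-lease-ttl=87600h "$HOST_MOUNT"

  # Separate CA key pairs: compromising or rotating one does not touch the other.
  vault write "$CLIENT_MOUNT/config/ca" generate_signing_key=true
  vault write "$HOST_MOUNT/config/ca" generate_signing_key=true

  # Client role: user certificates only, short TTL, constrained principals/extensions.
  vault write "$CLIENT_MOUNT/roles/ops-user" - <<'EOF'
{
  "key_type": "ca",
  "algorithm_signer": "rsa-sha2-256",
  "allow_user_certificates": true,
  "allow_host_certificates": false,
  "allowed_users": "ubuntu,ops",
  "default_user": "ubuntu",
  "allowed_extensions": "permit-pty",
  "default_extensions": { "permit-pty": "" },
  "ttl": "30m",
  "max_ttl": "4h"
}
EOF

  # Host role: host certificates only, restricted to one domain.
  vault write "$HOST_MOUNT/roles/web-host" \
    key_type=ca algorithm_signer=rsa-sha2-256 \
    allow_host_certificates=true allow_user_certificates=false \
    allowed_domains="example.internal" allow_subdomains=true \
    ttl=87600h max_ttl=87600h
}

# sign_key <user|host> <role> <public key file> [valid_principals]
sign_key() {
  local cert_type=$1 role=$2 pubkey=$3 principals=${4:-}
  local mount
  mount=$(mount_for_cert_type "$cert_type")   # refuses unknown types
  if [ -n "$principals" ]; then
    vault write -field=signed_key "$mount/sign/$role" \
      cert_type="$cert_type" public_key=@"$pubkey" valid_principals="$principals"
  else
    vault write -field=signed_key "$mount/sign/$role" \
      cert_type="$cert_type" public_key=@"$pubkey"
  fi
}

# Publish each CA public key only where it belongs.
export_trust_anchors() {
  # Servers trust the user CA for client logins (sshd_config: TrustedUserCAKeys).
  vault read -field=public_key "$CLIENT_MOUNT/config/ca" > trusted-user-ca-keys.pem
  # Clients trust the host CA for host identity (known_hosts @cert-authority line).
  vault read -field=public_key "$HOST_MOUNT/config/ca" > host-ca.pub
  printf '@cert-authority *.example.internal %s\n' "$(cat host-ca.pub)" > known_hosts.cert-authority
  echo "sshd_config: TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem"
  echo "sshd_config: HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
}

case "${1:-}" in
  setup) setup_mounts; export_trust_anchors ;;
  sign)  sign_key "$2" "$3" "$4" "${5:-}" ;;
  *)     : ;;   # no argument: only define the functions (safe to source)
esac
```

Usage: `./ssh-ca.sh setup` once, then `./ssh-ca.sh sign host web-host /etc/ssh/ssh_host_ed25519_key.pub web1.example.internal > /etc/ssh/ssh_host_ed25519_key-cert.pub` on each host and `./ssh-ca.sh sign user ops-user ~/.ssh/id_ed25519.pub > ~/.ssh/id_ed25519-cert.pub` for a user. Because the two CA keys live under different mounts, Vault policies can grant host-provisioning automation access to `ssh-host-signer/sign/*` without also granting it the ability to mint user certificates, and the trust anchors on servers and clients stay distinct.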