The documentation for SSH CA authentication says that separate mount paths should be used for host key signing and client key signing. It seems to me that you could just use one CA with different signing roles to achieve the same security so I’m wondering what the purpose of using two is. I dug through the history of the docs, and it looks like that recommendation was first added here, but I can’t find anything about why it was added.