SSH-CA credential-library host requirements and configuration details

Now that the latest version of Boundary has been released and it included the support for vault-ssh-ca credential-libraries I wanted to ask for some clarification on how to implement this feature as it’s not clear via the tutorials or documentation.

My understanding is that once i have a Vault ssh-ca setup I need to configure my keys in vault that can then be retrieved by boundary once an ssh-ca key has been signed. That being said I’m assuming the “target” machine or “host” configured with boundary will also need the pub key in order to sign.


Some of the details will depend on how you choose to configure vault. But the high level steps are:

  1. Configure Vault
    a. Enable/mount the ssh secret engine in vault
    b. Generate or upload a CA certificate
    c. Create a role

  2. Configure Hosts
    You will need to distribute the CA public key to each host. This can be read back from vault using the /ssh/public_key or /ssh/config/ca endpoints if you need to retrieve it again. The SSH service needs to be configured to trust the key. For example, assuming this key is added on the host to /etc/ssh/,
    you would need to add the following to the host’s sshd config:

TrustedUserCAKeys /etc/ssh/
  1. Configure Boundary
    You will need to create a credential library that will issue the credentials
    using the vault role created above. For example:
$ boundary credential-libraries create vault-ssh-certifcate \
  -credential-store-id=$CREDENTIAL_STORE_ID \
  -name=ssh-example \
  -username=foo \
  -vault-path=ssh/sign/foo \
  -key-type=ed25519 \
  -extension permit-pty

See the docs for more details on the options for the vault-ssh-certificate credential library.

Then you need an SSH target that uses this library as an injected application
credential source:

$ boundary targets create ssh \
  -address=myhost \
  -name=ssh-example \
$ boundary targets add-credential-sources \
  -id=$SSH_TARGET_ID \

A more complete example/tutorial can be found here.

Let me know if you need additional details for any of the steps mentioned above.

1 Like

This helped me configure vault correctly and I think i have the boundary side configure as well except I get an error when i try to configure the target with the new credential source

Im still having trouble setting this up though and i noticed this in the command line utility
ssh Create a ssh-type target (HCP only)
Does this mean ssh ca is not supported for OSS setups? If so is there plans to make this available for on-prem installations?