Ssh-sign role migration

I need to migrate the ssh-sign role from one server to another. How can I do it? How can I copy the CA certificate, and private key?

To confirm, you are saying you need to migrate an SSH CA from one installation of Vault to a completely separate Vault installation, without backing up and restoring the entirety of the Vault data as a single unit?

If you originally generated the private key for the CA outside of Vault, and still have a copy outside of Vault, you could import it into a different Vault.

If you don’t have a copy, or the key was originally generated inside Vault in the first place, then Vault provides no supported method to extract the key.

The only way to do it would be to directly read it out of internal Vault storage via the highly privileged and usually disabled sys/raw API.

Thanks for the answer. :+1:

@fb1 I just did the same thing. In order to get the private key, you can enable the sys/raw endpoint by setting raw_storage_endpoint = true in the config file. Then you can use the root token to read the private key located under the sys/raw/logical endpoint.

vault read -field=value sys/raw/logical/<UUID>/config/ca_private_key
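As an added, end-to-end version of the procedure in the reply above (example script, not code from the thread or from HashiCorp): look up the mount's UUID, read the CA private key from raw storage, and import it together with the matching public key into the target Vault. It assumes the mount is named `ssh`, that `vault read -field=uuid sys/mounts/ssh` returns the mount UUID, that the raw entry is a JSON object of the form `{"key":"..."}` (the SSH engine's storage format, assumed here), that the source Vault is addressed by the ambient `VAULT_ADDR`/`VAULT_TOKEN` and the target by `TARGET_VAULT_ADDR`/`TARGET_VAULT_TOKEN`, and that the source server was restarted with `raw_storage_endpoint = true`.

```shell
#!/bin/sh
# Added example (not from the original thread): migrate a Vault SSH CA
# key pair between two Vault installations via the sys/raw endpoint.
# Assumptions: mount path "ssh"; source Vault via VAULT_ADDR/VAULT_TOKEN
# (root token, raw_storage_endpoint = true); target via TARGET_VAULT_ADDR
# and TARGET_VAULT_TOKEN; raw entry stored as {"key":"<PEM>"}.
set -eu

# Raw storage path of the SSH engine's CA private key for a given mount UUID.
ca_key_raw_path() {
  printf 'sys/raw/logical/%s/config/ca_private_key\n' "$1"
}

# UUID of a mounted secrets engine, e.g. "ssh" (assumed: sys/mounts/<path> exposes "uuid").
mount_uuid() {
  vault read -field=uuid "sys/mounts/$1"
}

# Pull the PEM out of a {"key":"..."} JSON object. printf '%b' expands the
# JSON "\n" escapes into real newlines (assumption about the storage format).
json_key_field() {
  printf '%b\n' "$(printf '%s' "$1" | sed -e 's/^{"key":"//' -e 's/"}$//')"
}

# Read the CA private key of <mount> from raw storage on the source Vault.
export_ca_private_key() {
  ca_uuid=$(mount_uuid "$1")
  ca_raw=$(vault read -field=value "$(ca_key_raw_path "$ca_uuid")")
  json_key_field "$ca_raw"
}

# Import the key pair into the target. The private key goes in over stdin
# ("private_key=-") so it never appears in argv or shell history.
migrate_ssh_ca() {
  ca_mount="$1"
  ca_priv=$(export_ca_private_key "$ca_mount")
  ca_pub=$(vault read -field=public_key "$ca_mount/config/ca")
  printf '%s\n' "$ca_priv" | VAULT_ADDR="$TARGET_VAULT_ADDR" VAULT_TOKEN="$TARGET_VAULT_TOKEN" \
    vault write "$ca_mount/config/ca" private_key=- public_key="$ca_pub"
}

# Run only when explicitly requested, so the script can also be sourced.
if [ "${RUN_MIGRATION:-0}" = 1 ]; then
  migrate_ssh_ca ssh
fi
```

Run it with `RUN_MIGRATION=1 sh migrate_ssh_ca.sh` against the source as the default Vault. Afterwards remove `raw_storage_endpoint = true` from the source config and restart, since sys/raw bypasses every policy and ACL once it is enabled, and confirm on the target that `vault read ssh/config/ca` shows the same public key as the source.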

Thanks. I got the private key. :clap: