We are thinking about rolling out SSH host certificates on Linux servers. The question is: how do you roll those out if you have to authenticate the host against Vault in the first place?
In the cloud world there would be some kind of Workload Identity which could be used to authenticate a host against vault and this could be mapped to a role, so those hosts could sign their SSH keys themselves…but with VMs in vSphere or even bare metal servers, how are you solving the problem of the first secret?
Or should we turn this around and use a config management tool (Ansible, Chef, Puppet, …) to roll out the certs from a central location? Or should we use the same config management to roll out AppRole creds and then use these to authenticate and sign certs? I would not prefer these solutions, because then there is this single powerful place in the network which controls authenticity for every system. I would rather prefer to build something like certbot, but using the Vault Agent, where every server regularly connects to Vault to sign its key.
Can anybody recommend something or share some experience?
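The certbot-like renewal loop the post sketches (each server regularly asks Vault to re-sign its own host key) can be written against Vault's SSH secrets engine `sign` endpoint, which takes `cert_type=host` for host certificates. The following is an added example and not code from the original post or from Vault itself. It assumes the SSH secrets engine is mounted at `ssh-host` with a role named `host-cert` (both hypothetical names), and that a Vault token is already present on the host from whatever bootstrap method is chosen; the "first secret" question itself is deliberately left out of the code. The `ssh-keygen -L` output used in the renewal check is parsed from the `Valid: from ... to ...` line that OpenSSH prints.

```python
"""Certbot-style renewal of a Vault-signed SSH host certificate (added example)."""
import json
import re
import subprocess
import urllib.request
from datetime import datetime

# Renew once less than a third of the certificate lifetime remains; the same
# heuristic certbot uses, so that a missed run does not cause an outage.
RENEW_FRACTION = 1.0 / 3.0

# Matches the line ssh-keygen -L prints, e.g.
#   Valid: from 2024-05-01T00:00:00 to 2024-05-31T00:00:00
VALID_RE = re.compile(r"Valid:\s+from\s+(\S+)\s+to\s+(\S+)")
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_validity(keygen_output: str):
    """Return (not_before, not_after) from `ssh-keygen -L` text, or None.

    None covers a missing certificate and "Valid: forever"; a Vault-issued
    certificate always has a TTL, so either case means "go and get one".
    """
    m = VALID_RE.search(keygen_output)
    if not m:
        return None
    return datetime.strptime(m.group(1), TIME_FMT), datetime.strptime(m.group(2), TIME_FMT)


def needs_renewal(keygen_output: str, now: datetime) -> bool:
    """True when the cert is absent, already expired, or in its last third."""
    validity = parse_validity(keygen_output)
    if validity is None:
        return True
    not_before, not_after = validity
    if now >= not_after:
        return True
    lifetime = not_after - not_before
    return (not_after - now) < lifetime * RENEW_FRACTION


def build_sign_request(public_key: str, principals, ttl: str = "720h") -> dict:
    """JSON body for POST /v1/<mount>/sign/<role>.

    cert_type=host is what distinguishes a host certificate from a user one;
    valid_principals pins the cert to the names clients will connect to.
    """
    return {
        "public_key": public_key,
        "cert_type": "host",
        "valid_principals": ",".join(principals),
        "ttl": ttl,
    }


def sign_host_key(vault_addr: str, token: str, mount: str, role: str, body: dict) -> str:
    """Ask Vault to sign the key and return the certificate text (data.signed_key)."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/{mount}/sign/{role}",
        data=json.dumps(body).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]["signed_key"]


def renew_if_needed(vault_addr, token, hostnames, key="/etc/ssh/ssh_host_ed25519_key"):
    """One renewal pass, meant to run from a timer; returns True if renewed."""
    cert_path = f"{key}-cert.pub"
    # ssh-keygen -L exits non-zero when the file is missing; treat that as "no cert".
    listed = subprocess.run(["ssh-keygen", "-L", "-f", cert_path],
                            capture_output=True, text=True).stdout
    if not needs_renewal(listed, datetime.now()):
        return False
    with open(f"{key}.pub") as fh:
        body = build_sign_request(fh.read().strip(), hostnames)
    cert = sign_host_key(vault_addr, token, "ssh-host", "host-cert", body)  # assumed mount/role
    with open(cert_path, "w") as fh:
        fh.write(cert)
    # sshd reads HostCertificate at (re)load; validate the config before reloading.
    subprocess.run(["sshd", "-t"], check=True)
    subprocess.run(["systemctl", "reload", "sshd"], check=True)
    return True


if __name__ == "__main__":
    import os
    renew_if_needed(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"], [os.uname().nodename])
```

For this to take effect, `sshd_config` needs a `HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub` line next to the matching `HostKey`, and clients need a `@cert-authority` entry for the Vault CA's public key in their `known_hosts`. The Vault token the script uses is the part that still depends on the bootstrap decision the post is asking about; with Vault Agent auto-auth it would simply be read from the agent's token sink instead of `VAULT_TOKEN`.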