Unsupported key format "ecdsa-sha2-nistp521"

Hello Guys,

I have set up the SSH secrets engine for SSH-based certificates, but when I sign with a public key I end up getting the following error:

failed to generate signed SSH key: sign error: ssh: unsupported signature algorithm "rsa-sha2-512" for key format "ecdsa-sha2-nistp521"

I was following the document -

I am providing key_type = ecdsa-sha2-nistp521, but under the role the Signing Algorithm only accepts three types, all rsa* values, and because of that it conflicts.

Please let me know if ecdsa-sha2-nistp521 is not supported, or whether there is a fix.


Using an algorithm_signer of default with non-RSA keys works fine for me (testing with Vault 1.13.1):

    # Output directory for the CA public key and the signed certificate
    mkdir -p generated
    vault secrets enable ssh
    # Generate a nistp521 ECDSA CA key and save its public half
    vault write -format=json ssh/config/ca generate_signing_key=true key_type=ecdsa-sha2-nistp521 | jq -r .data.public_key > generated/ssh_ca.pub
    # Role with algorithm_signer=default so the signer follows the CA key type
    vault write ssh/roles/client - <<"END"
{
    "key_type": "ca",
    "allow_user_certificates": true,
    "allowed_users": "test",
    "algorithm_signer": "default",
    "default_extensions": {
        "permit-pty": "",
        "permit-port-forwarding": ""
    },
    "ttl": "10m"
}
END
    # Sign CA itself with the CA, just as a test signing works
    vault write -format=json ssh/sign/client public_key=@generated/ssh_ca.pub | jq -r .data.signed_key > generated/ssh_ca-cert.pub
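A structural check on the resulting certificate, added here as an example that is not part of this thread or of Vault's own code: it parses the OpenSSH certificate wire format, pulls out the CA key type and the signature algorithm, and confirms they are compatible (the mismatch reported in the error above is an ECDSA CA key paired with an rsa-sha2-512 signature). The certificates it builds are constructed placeholders with dummy key and signature bytes, so no cryptographic verification happens; with a real file you would pass the contents of generated/ssh_ca-cert.pub to check_signer instead.

```python
"""Parse an OpenSSH certificate line and check that the signature algorithm
matches the CA key format. Structure only: signatures are not verified.
Added example, not Vault or OpenSSH code."""
import base64
import struct

# Signature algorithms that are valid for each CA key format (per OpenSSH).
COMPATIBLE_SIGNERS = {
    "ssh-rsa": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
    "ecdsa-sha2-nistp256": {"ecdsa-sha2-nistp256"},
    "ecdsa-sha2-nistp384": {"ecdsa-sha2-nistp384"},
    "ecdsa-sha2-nistp521": {"ecdsa-sha2-nistp521"},
    "ssh-ed25519": {"ssh-ed25519"},
}

# Number of public-key fields that follow the nonce, per certificate type.
PUB_FIELDS = {
    "ssh-rsa-cert-v01@openssh.com": 2,      # e, n
    "ssh-ed25519-cert-v01@openssh.com": 1,  # pk
}                                           # ECDSA certs: curve, point (2)


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode one SSH wire string at offset; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_cert_signer(cert_line: str):
    """Return (ca_key_type, signature_algorithm) from a cert line such as
    the contents of a *-cert.pub file."""
    cert_type, b64 = cert_line.split()[:2]
    blob = base64.b64decode(b64)
    inner, off = read_string(blob, 0)
    if inner.decode() != cert_type:
        raise ValueError("certificate type prefix does not match blob")
    _nonce, off = read_string(blob, off)
    for _ in range(PUB_FIELDS.get(cert_type, 2)):
        _, off = read_string(blob, off)
    off += 8 + 4                      # serial (uint64), type (uint32)
    for _ in range(2):                # key id, valid principals
        _, off = read_string(blob, off)
    off += 8 + 8                      # valid after, valid before
    for _ in range(3):                # critical options, extensions, reserved
        _, off = read_string(blob, off)
    sig_key, off = read_string(blob, off)   # CA public key blob
    signature, off = read_string(blob, off) # string sig-alg, string sig-blob
    ca_key_type, _ = read_string(sig_key, 0)
    sig_alg, _ = read_string(signature, 0)
    return ca_key_type.decode(), sig_alg.decode()


def check_signer(cert_line: str) -> bool:
    """True when the signature algorithm is valid for the CA key format."""
    ca_key_type, sig_alg = parse_cert_signer(cert_line)
    return sig_alg in COMPATIBLE_SIGNERS.get(ca_key_type, set())


def build_ecdsa_cert(sig_alg: str) -> str:
    """CONSTRUCTED nistp521 user certificate whose CA key is also nistp521 and
    whose signature claims `sig_alg`. Point and signature bytes are dummies."""
    cert_type = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
    fake_point = b"\x04" + b"\x11" * 132  # placeholder uncompressed point
    ca_pub = (ssh_string(b"ecdsa-sha2-nistp521") + ssh_string(b"nistp521")
              + ssh_string(fake_point))
    sig = ssh_string(sig_alg.encode()) + ssh_string(b"\x22" * 140)
    body = (
        ssh_string(cert_type.encode())
        + ssh_string(b"\x00" * 32)                    # nonce
        + ssh_string(b"nistp521")                     # curve of certified key
        + ssh_string(fake_point)                      # certified key point
        + struct.pack(">QI", 1, 1)                    # serial, type=1 (user)
        + ssh_string(b"test")                         # key id
        + ssh_string(ssh_string(b"test"))             # valid principals
        + struct.pack(">QQ", 0, 600)                  # valid after / before
        + ssh_string(b"")                             # critical options
        + ssh_string(ssh_string(b"permit-pty") + ssh_string(b""))  # extensions
        + ssh_string(b"")                             # reserved
        + ssh_string(ca_pub)
        + ssh_string(sig)
    )
    return f"{cert_type} {base64.b64encode(body).decode()} constructed-example"


if __name__ == "__main__":
    for alg in ("ecdsa-sha2-nistp521", "rsa-sha2-512"):
        print(alg, "->", "ok" if check_signer(build_ecdsa_cert(alg)) else "MISMATCH")
```

For a certificate produced by the commands above, `ssh-keygen -L -f generated/ssh_ca-cert.pub` shows the same information in the "Signing CA" line, which is the quickest way to confirm that the role's signer setting is actually producing ECDSA signatures.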

Thanks, it works well.