I have set up the SSH engine for SSH-based certificates, but when I sign with a public key I end up getting the following error:
failed to generate signed SSH key: sign error: ssh: unsupported signature algorithm “rsa-sha2-512” for key format “ecdsa-sha2-nistp521”
I was following the document -
providing key_type = ecdsa-sha2-nistp521, but under the role the Signing Algorithm only accepts three types, which are rsa* values, and due to that it's conflicting.
Please let me know if ecdsa-sha2-nistp521 is not supported, or whether we have any fix.
Using an algorithm_signer of default with non-RSA keys works fine for me (testing with Vault 1.13.1):
```shell
mkdir -p generated
vault secrets enable ssh

# Generate an ECDSA P-521 CA key and keep its public half for later verification
vault write -format=json ssh/config/ca generate_signing_key=true key_type=ecdsa-sha2-nistp521 | jq -r .data.public_key > generated/ssh_ca.pub

# Role body read from stdin as JSON. The original post does not show the body;
# this is a minimal assumed role: algorithm_signer stays "default" so Vault
# picks the algorithm matching the CA key instead of an rsa-sha2-* value.
vault write ssh/roles/client - <<"END"
{
  "key_type": "ca",
  "algorithm_signer": "default",
  "allow_user_certificates": true,
  "allowed_users": "ubuntu",
  "default_user": "ubuntu"
}
END

# Sign the CA's own public key with the CA, just as a test that signing works
vault write -format=json ssh/sign/client public_key=@generated/ssh_ca.pub | jq -r .data.signed_key > generated/ssh_ca-cert.pub
```