Use the PKI secrets engine to create a certificate for the SSH secrets engine

I have created a PKI secrets engine which has a valid intermediate CA. I also have two SSH secret engines, one for clients and one for hosts. Now I want to create two certificates with the PKI engine for the SSH engines. Unfortunately I’m having trouble determining what the PKI roles should look like. I currently have this:

{
    "allow_localhost": false,
    "client_flag": false,
    "key_usage": [
        "DigitalSignature",
        "KeyAgreement"
    ],
    "max_ttl": "43800h",
    "server_flag": true,
    "ttl": "8760h"
}

Is there any documentation anywhere that explains how to create a certificate for the SSH engine and which settings must be applied to the certificate?

Internet X.509 and SSH use different certificate formats. You need to use the functions in the SSH engine to generate certificates for it.

Ah right. That’s my bad. I’m assuming that means that the public key for the SSH certificate doesn’t need to be trusted by either the client machine or the host machine, i.e. it doesn’t need to be imported in the machine-wide CA store. It’s just the SSH daemon / client that needs to know about it?

That’s my understanding!

1 Like

@jeff Thanks for that. I shall push forward with Vault-ifying all my secrets :slight_smile:

you may try to convert a key produced by a role & PKI engine into SSH understandable key, e.g. ssh-keygen -f id_rsa.pub -i -m PKCS8