Hi @sdg4754 ,
Let me start by saying that I’m not in any way affiliated with Hashicorp or an HCP Boundary user. My organization does use Boundary OSS though, for database access management.
What you have described has probably been one of the first-ever use-cases of Boundary as can be inferred from the following paragraph (quoted from the public announcement of the 0.1 OSS release):
Our vision for Boundary open source is to enable this ephemeral model of access in which users can authenticate to Boundary — using their identity of choice — then are authorized to perform actions on dynamics sets of targets. Then be granted just-in-time access to connect to those targets via credentials provided by Vault or credential management solution of choice.
Of course, back then, they were talking about SSH auth with username and password or username and private key. Today, with HCP Boundary it’s possible to leverage SSH signed certificates. Check out this somewhat similar discussion
A few comments about your post though:
Not sure what you mean by “signed by the user’s private key” (see Client SSH Authentication). When you mention, HCP CA certificate, I’m assuming you’re talking about an HCP-Vault-generated CA certificate.
As it’s probably already clear at this point, yes, if your requirements are only the ones you described above.
If you’re not going to use credential injection, how would the client automatically present the signed certificate to the server?