# Quick Start

Vault is a popular secret manager from HashiCorp.

# Create SSH engine and role.

  1. Enable an SSH engine in your Vault.

     ```shell
     vault-ssh enable --path my-ssh-signer
     ```

  1. Generate a CA certificate for the engine.

     ```shell
     vault-ssh certificate create --engine my-ssh-signer
     ```

  1. Read the created certificate to put on your server.

     ```shell
     vault-ssh certificate read --engine my-ssh-signer
     ```

  1. Create a role for the engine.

     ```shell
     vault-ssh role create --name omegion --engine my-ssh-signer
     ```

  1. Sign your public key with a role. In this example, the signed key is written to `signed-key.pub`.

     ```shell
     vault-ssh sign \
       --role omegion \
       --engine my-ssh-signer \
       --public-key ~/.ssh/id_rsa.pub > signed-key.pub
     ```

  1. SSH to your server with the signed key.

     ```shell
     ssh -i signed-key.pub -i ~/.ssh/id_rsa <user>@<server>
     ```
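
Before using the signed key, it helps to check what the certificate actually grants. The following is an added example, not part of vault-ssh: it audits `ssh-keygen -L` output read on stdin, and the function names, the sample listing and the principal `deploy` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of vault-ssh.
# Audit `ssh-keygen -L` output (on stdin) for a signed user certificate.
# Usage on a real file: ssh-keygen -L -f signed-key.pub | audit_cert <login>

audit_cert() {
  # $1 = principal (login name) the certificate is expected to carry
  awk -v want="$1" '
    $1 == "Type:"       { if ($0 ~ /user certificate/) user = 1 }
    # "forever" and "after <date>" both mean there is no expiry time
    $1 == "Valid:"      { if ($2 == "forever" || $2 == "after") open_ended = 1 }
    $1 == "Principals:" { in_p = 1; next }
    # the principal list ends where the next section header starts
    $1 == "Critical" || $1 == "Extensions:" { in_p = 0 }
    in_p && NF          { n++; if ($1 == want) found = 1 }
    END {
      if (!user)      { print "FAIL: not a user certificate"; exit 1 }
      if (open_ended) { print "FAIL: certificate has no expiry"; exit 1 }
      if (!found)     { print "FAIL: principal " want " not listed"; exit 1 }
      print "OK: " want " is one of " n " principal(s), validity is bounded"
    }'
}

# Constructed sample of `ssh-keygen -L` output (fingerprints are placeholders).
sample_listing() {
  cat <<'EOF'
signed-key.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:CONSTRUCTED-PLACEHOLDER
        Signing CA: RSA SHA256:CONSTRUCTED-PLACEHOLDER (using rsa-sha2-256)
        Key ID: "constructed-key-id"
        Serial: 1
        Valid: from 2024-01-01T10:00:00 to 2024-01-01T10:30:00
        Principals:
                deploy
        Critical Options: (none)
        Extensions:
                permit-pty
EOF
}

# Run the audit on the constructed listing.
sample_listing | audit_cert deploy
```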