Vault Signed SSH Certificate Manager

CLI command to manage SSH connections with Vault

Usage:
  vault-ssh [command]

Available Commands:
  certificate Manages certificates for SSH engine.
  enable      Enables SSH Engine.
  help        Help about any command
  role        Manages roles for SSH engine.
  sign        Signs given public key with SSH engine and role.
  version     Print the version/build number

Flags:
  -h, --help   help for vault-ssh

Use "vault-ssh [command] --help" for more information about a command.

Requirements

• Vault Server

What does it do?

It's a tool to create Signed SSH Certificates with Vault.

How to use it

1. Enable a SSH engine in your Vault.

vault-ssh enable --path my-ssh-signer

2. Generate a Certificate CA for the engine.

vault-ssh certificate create --engine my-ssh-signer

3. Read created certificate to put on your server.

vault-ssh certificate get --engine my-ssh-signer

4. Create a role for the engine.

vault-ssh role create --name omegion --engine my-ssh-signer

5. Sign your public key with a role. The generated file will be written in signed-key.pub in this example.

vault-ssh sign \
  --role omegion \
  --engine my-ssh-signer \
  --public-key ~/.ssh/id_rsa.pub > signed-key.pub

6. SSH your server with signed key.

ssh -i signed-key.pub -i ~/.ssh/id_rsa [email protected]

Improvements to be made

• 100% test coverage.
• Better covering for other features.