Vault SSH CA
8h certs, 9+ hosts configured
Category: INFRASTRUCTURE
Status: Complete
Premise
Eliminate SSH key sprawl with short-lived certificates
Goals
- No permanent SSH keys on any host
- Role-based access via Vault policies
- Audit trail of all SSH certificate issuance
Current State
Production: all infrastructure hosts use the SSH CA
Next Steps
- Add OTP fallback for emergency access
- Integrate with FreeIPA for user sync
Architecture Notes
Sign flow: User → Vault → Signed Cert → Host. The user submits a public key to Vault, Vault returns a short-lived certificate signed by its CA key, and the host, which trusts only the CA public key, accepts that certificate for login.