alexlebens/site-documentation
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Releases 25 Activity

feat: rename to openbao

Browse Source
This commit is contained in:
Alex Lebens
2026-04-19 16:37:45 -05:00
parent c17b24f6c5
commit 07dd12971d
1 changed files with 17 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/content/docs/guides/vault-ssh-ca.mdx → src/content/docs/guides/bao-ssh-ca.mdx
View File

@@ -1,17 +1,17 @@
---
title: Vault SSH Certificate Authority
description: Steps followed to enable using Vault as a CA for ssh login
title: OpenBao SSH Certificate Authority
description: Steps followed to enable using OpenBao as a CA for ssh login
hero:
tagline: Steps followed for the v1.12.0 upgrade process
image:
file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/hashicorp-vault.webp
file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/openbao.webp
---
# Setup
[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing)
[Reference OpenBao Documentation](https://openbao.org/docs/secrets/ssh/signed-ssh-certificates/)
I have set the documenation to use my own defaults and configuration. This also assumes a running and active Vault instance.
I have set the documenation to use my own defaults and configuration. This also assumes a running and active OpenBao instance.
## Enable the SSH CA
@@ -19,7 +19,7 @@ I followed the defaults mostly in the docs, reference the above link for details
Start with enabling the mount.
```bash
vault secrets enable -path=ssh-client-signer ssh
bao secrets enable -path=ssh-client-signer ssh
```
Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to.
@@ -29,14 +29,14 @@ ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
Add the above signing key.
```bash
vault write ssh-client-signer/config/ca private_key="..." public_key="..."
bao write ssh-client-signer/config/ca private_key="..." public_key="..."
```
## Create Client Role and Key
Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI.
Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the OpenBao UI.
```bash
vault write ssh-client-signer/roles/alexlebens -<<"EOH"
bao write ssh-client-signer/roles/alexlebens -<<"EOH"
{
"algorithm_signer": "rsa-sha2-256",
"allow_user_certificates": true,
@@ -61,7 +61,7 @@ ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
## Configure SSH to use the Key and Cert
SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by Vault as the User and set the IdentityFile to the Key as generated above.
SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by OpenBao as the User and set the IdentityFile to the Key as generated above.
```
Host ps08rp
Hostname 10.232.1.51
@@ -75,7 +75,7 @@ Host ps08rp
Download the public cert from the endpoint.
```bash
curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key
curl -o /etc/ssh/trusted-user-ca-keys.pem https://bao.alexlebens.net/v1/ssh-client-signer/public_key
```
Then add that file to the sshd config.
@@ -89,16 +89,16 @@ This step is currently manual as I have few hosts that I need ssh for. The most
## Renew Client Certificate
Sign the client cert, on your machine, with the Vault CA.
Sign the client cert, on your machine, with the OpenBao CA.
```bash
vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
```
I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh.
I added the following to my .zshrc to make this easier. So now I just run "bao-renew" before I need to ssh.
```
# Vault
export VAULT_ADDR="https://vault.alexlebens.net"
alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
# OpenBao
export BAO_ADDR="https://bao.alexlebens.net"
alias bao-renew='bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
```
### View Cert Details