From 07dd12971da61180827813be6bb4ed532e94f118 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Sun, 19 Apr 2026 16:37:45 -0500 Subject: [PATCH] feat: rename to openbao --- .../{vault-ssh-ca.mdx => bao-ssh-ca.mdx} | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) rename src/content/docs/guides/{vault-ssh-ca.mdx => bao-ssh-ca.mdx} (64%) diff --git a/src/content/docs/guides/vault-ssh-ca.mdx b/src/content/docs/guides/bao-ssh-ca.mdx similarity index 64% rename from src/content/docs/guides/vault-ssh-ca.mdx rename to src/content/docs/guides/bao-ssh-ca.mdx index 01cca26..ea139e7 100644 --- a/src/content/docs/guides/vault-ssh-ca.mdx +++ b/src/content/docs/guides/bao-ssh-ca.mdx @@ -1,17 +1,17 @@ --- -title: Vault SSH Certificate Authority -description: Steps followed to enable using Vault as a CA for ssh login +title: OpenBao SSH Certificate Authority +description: Steps followed to enable using OpenBao as a CA for ssh login hero: tagline: Steps followed for the v1.12.0 upgrade process image: - file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/hashicorp-vault.webp + file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/openbao.webp --- # Setup -[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing) +[Reference OpenBao Documentation](https://openbao.org/docs/secrets/ssh/signed-ssh-certificates/) -I have set the documenation to use my own defaults and configuration. This also assumes a running and active Vault instance. +I have set the documenation to use my own defaults and configuration. This also assumes a running and active OpenBao instance. ## Enable the SSH CA 
@@ -19,7 +19,7 @@ I followed the defaults mostly in the docs, reference the above link for details Start with enabling the mount. ```bash -vault secrets enable -path=ssh-client-signer ssh +bao secrets enable -path=ssh-client-signer ssh ``` Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to. @@ -29,14 +29,14 @@ ssh-keygen -t rsa -C "alexanderlebens@gmail.com" Add the above signing key. ```bash -vault write ssh-client-signer/config/ca private_key="..." public_key="..." +bao write ssh-client-signer/config/ca private_key="..." public_key="..." ``` ## Create Client Role and Key -Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI. +Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the OpenBao UI. ```bash -vault write ssh-client-signer/roles/alexlebens -<<"EOH" +bao write ssh-client-signer/roles/alexlebens -<<"EOH" { "algorithm_signer": "rsa-sha2-256", "allow_user_certificates": true, @@ -61,7 +61,7 @@ ssh-keygen -t rsa -C "alexanderlebens@gmail.com" ## Configure SSH to use the Key and Cert -SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by Vault as the User and set the IdentityFile to the Key as generated above. +SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by OpenBao as the User and set the IdentityFile to the Key as generated above. ``` Host ps08rp Hostname 10.232.1.51 
@@ -75,7 +75,7 @@ Host ps08rp Download the public cert from the endpoint. ```bash -curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key +curl -o /etc/ssh/trusted-user-ca-keys.pem https://bao.alexlebens.net/v1/ssh-client-signer/public_key ``` Then add that file to the sshd config. @@ -89,16 +89,16 @@ This step is currently manual as I have few hosts that I need ssh for. The most ## Renew Client Certificate -Sign the client cert, on your machine, with the Vault CA. +Sign the client cert, on your machine, with the OpenBao CA. ```bash -vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub +bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub ``` -I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh. +I added the following to my .zshrc to make this easier. So now I just run "bao-renew" before I need to ssh. ``` -# Vault -export VAULT_ADDR="https://vault.alexlebens.net" -alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub' +# OpenBao +export BAO_ADDR="https://bao.alexlebens.net" +alias bao-renew='bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub' ``` ### View Cert Details
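Review bot: In the `@@ -1,17 +1,17 @@` hunk, the rewritten `+` line still reads "I have set the documenation to use my own defaults"; since the line is being touched anyway, fix the spelling to "documentation". The unchanged frontmatter line `tagline: Steps followed for the v1.12.0 upgrade process` also does not describe an SSH CA guide and looks carried over from another page, so it is worth correcting in the same rename.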
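Review bot: In the `@@ -29,14 +29,14 @@` hunk, the renamed command `bao write ssh-client-signer/config/ca private_key="..." public_key="..."` still has the reader put the CA private key inline on the command line, where it ends up in shell history. The renewal command elsewhere in this patch already passes a key by file with `public_key=@$HOME/.ssh/id_rsa_host.pub`; suggest showing the same `@` file form for both `private_key` and `public_key` here, which also fits the preceding instruction to keep the signing key in a secure location.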
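Review bot: In the `@@ -61,7 +61,7 @@` hunk, the rewritten `+` line keeps the typo "SSH will defailt to using the cert"; change it to "default" while the line is being edited. The sentence would also be easier to follow if it said that the certificate file must sit next to the IdentityFile under the same base name with a `-cert.pub` suffix, which is what the quoted `id_rsa_host-cert.pub` name implies.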
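Review bot: In the `@@ -75,7 +75,7 @@` hunk, `curl -o /etc/ssh/trusted-user-ca-keys.pem https://bao.alexlebens.net/v1/ssh-client-signer/public_key` writes whatever the server returns into the file sshd trusts, so an HTTP error page from the new hostname would overwrite a working CA key. Suggest adding `--fail` so curl exits non-zero on an HTTP error instead of saving the response body. The text also calls this the "public cert" while the endpoint path is `public_key`; "public key" would be more accurate. Since the hostname changes from `vault.alexlebens.net` to `bao.alexlebens.net`, the guide should also say whether already-configured hosts need to fetch the file again.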
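Review bot: In the `@@ -89,16 +89,16 @@` hunk, both the renewal command and the `bao-renew` alias redirect straight into `~/.ssh/id_rsa_host-cert.pub`, and the shell truncates that file before `bao write` runs, so a failed sign (for example an expired token or the wrong `BAO_ADDR`) leaves an empty certificate in place of the previous one. Suggest writing to a temporary file and moving it over the certificate only when `bao write` succeeds. The rename from `vault-renew` and `VAULT_ADDR` also silently breaks an existing `.zshrc` copied from the old page, so a one-line note that the old names must be replaced would help readers arriving from the Vault version.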