feat: rename to openbao

2026-04-19 16:37:45 -05:00
parent c17b24f6c5
commit 07dd12971d


@@ -1,17 +1,17 @@
--- ---
title: Vault SSH Certificate Authority title: OpenBao SSH Certificate Authority
description: Steps followed to enable using Vault as a CA for ssh login description: Steps followed to enable using OpenBao as a CA for ssh login
hero: hero:
tagline: Steps followed for the v1.12.0 upgrade process tagline: Steps followed for the v1.12.0 upgrade process
image: image:
file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/hashicorp-vault.webp file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/openbao.webp
--- ---
# Setup # Setup
[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing) [Reference OpenBao Documentation](https://openbao.org/docs/secrets/ssh/signed-ssh-certificates/)
I have set the documenation to use my own defaults and configuration. This also assumes a running and active Vault instance. I have set the documenation to use my own defaults and configuration. This also assumes a running and active OpenBao instance.
## Enable the SSH CA ## Enable the SSH CA
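Review bot: the frontmatter `tagline: Steps followed for the v1.12.0 upgrade process` describes a different page than this SSH CA guide and is left unchanged on both sides of the hunk; since the title, description and hero image are all being renamed here, update the tagline to describe the OpenBao SSH CA setup in the same pass. The replaced reference link also drops the `#host-key-signing` anchor the old Vault URL carried, so confirm the OpenBao page covers the same section or re-add an anchor, and `documenation` in the unchanged intro line is a typo for `documentation`.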
@@ -19,7 +19,7 @@ I followed the defaults mostly in the docs, reference the above link for details
Start with enabling the mount. Start with enabling the mount.
```bash ```bash
vault secrets enable -path=ssh-client-signer ssh bao secrets enable -path=ssh-client-signer ssh
``` ```
Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to. Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to.
@@ -29,14 +29,14 @@ ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
Add the above signing key. Add the above signing key.
```bash ```bash
vault write ssh-client-signer/config/ca private_key="..." public_key="..." bao write ssh-client-signer/config/ca private_key="..." public_key="..."
``` ```
## Create Client Role and Key ## Create Client Role and Key
Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI. Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the OpenBao UI.
```bash ```bash
vault write ssh-client-signer/roles/alexlebens -<<"EOH" bao write ssh-client-signer/roles/alexlebens -<<"EOH"
{ {
"algorithm_signer": "rsa-sha2-256", "algorithm_signer": "rsa-sha2-256",
"allow_user_certificates": true, "allow_user_certificates": true,
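Review bot: `bao write ssh-client-signer/config/ca private_key="..." public_key="..."` passes the CA private key inline as a command-line argument, where it is recorded in shell history and visible in the process list to other users on the machine while the command runs. Prefer the `@file` form that the renewal step on this page already uses for `public_key=@$HOME/.ssh/id_rsa_host.pub`, e.g. `private_key=@/path/to/ca_key public_key=@/path/to/ca_key.pub`, so the key material never appears on the command line, and say in the surrounding text that the key file should be removed from the workstation once it has been loaded into the mount.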
@@ -61,7 +61,7 @@ ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
## Configure SSH to use the Key and Cert ## Configure SSH to use the Key and Cert
SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by Vault as the User and set the IdentityFile to the Key as generated above. SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by OpenBao as the User and set the IdentityFile to the Key as generated above.
``` ```
Host ps08rp Host ps08rp
Hostname 10.232.1.51 Hostname 10.232.1.51
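Review bot: `defailt` in the first prose line of this hunk is a typo for `default` that survives the rename on both sides; fix it while the line is being touched. The ssh config block below it is opened with a bare ``` while the command blocks elsewhere on the page use ```bash, so give it a language tag for consistent rendering.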
@@ -75,7 +75,7 @@ Host ps08rp
Download the public cert from the endpoint. Download the public cert from the endpoint.
```bash ```bash
curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key curl -o /etc/ssh/trusted-user-ca-keys.pem https://bao.alexlebens.net/v1/ssh-client-signer/public_key
``` ```
Then add that file to the sshd config. Then add that file to the sshd config.
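Review bot: `curl -o /etc/ssh/trusted-user-ca-keys.pem https://bao.alexlebens.net/v1/ssh-client-signer/public_key` has no `--fail`, so if the new hostname is not serving the mount yet or the server returns an error, the HTTP error body is written into the trusted CA file and sshd rejects every certificate until someone notices. Use `curl -fsS -o /etc/ssh/trusted-user-ca-keys.pem ...` so a non-2xx response leaves no file behind, and verify the download with `ssh-keygen -l -f /etc/ssh/trusted-user-ca-keys.pem`, whose fingerprint should match the CA public key loaded in the `config/ca` step. Since the hunk header notes this step is manual per host, the rename is a good moment to add a sentence saying each host must re-fetch from the new endpoint.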
@@ -89,16 +89,16 @@ This step is currently manual as I have few hosts that I need ssh for. The most
## Renew Client Certificate ## Renew Client Certificate
Sign the client cert, on your machine, with the Vault CA. Sign the client cert, on your machine, with the OpenBao CA.
```bash ```bash
vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
``` ```
I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh. I added the following to my .zshrc to make this easier. So now I just run "bao-renew" before I need to ssh.
``` ```
# Vault # OpenBao
export VAULT_ADDR="https://vault.alexlebens.net" export BAO_ADDR="https://bao.alexlebens.net"
alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub' alias bao-renew='bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
``` ```
### View Cert Details ### View Cert Details
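Review bot: the renewal command `bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub`, and the `bao-renew` alias built on it, redirects unconditionally, so the shell truncates the existing certificate before `bao` runs; if the write fails (expired token, or `BAO_ADDR` pointing at the wrong host after the rename) the user is left with an empty cert file instead of the previous still-valid one. Write to a temporary file and move it into place only on success, e.g. `bao write -field=signed_key ... > ~/.ssh/id_rsa_host-cert.pub.tmp && mv ~/.ssh/id_rsa_host-cert.pub.tmp ~/.ssh/id_rsa_host-cert.pub`, and mention in the prose that the View Cert Details step below is how to confirm the new cert's validity window.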