diff --git a/website/content/docs/secrets/ssh/signed-ssh-certificates.mdx b/website/content/docs/secrets/ssh/signed-ssh-certificates.mdx index 1853323f6..4df8dbcd4 100644 --- a/website/content/docs/secrets/ssh/signed-ssh-certificates.mdx +++ b/website/content/docs/secrets/ssh/signed-ssh-certificates.mdx @@ -466,6 +466,50 @@ forwarding. See [no prompt after login](#no-prompt-after-login) for examples. } ``` +### Key Comments +There are additional steps needed to preserve [comment attributes](https://www.rfc-editor.org/rfc/rfc4716#section-3.3.2) +in keys which ought to be considered if they are required. Private and public +key may have comments applied to them and for example where `ssh-keygen` is used +with its `-C` parameter - similar to: + +```shell-session +ssh-keygen -C "...Comments" -N "" -t rsa -b 4096 -f host-ca +``` + +Adapted key values containing comments must be provided with the key related +parameters as per the Vault CLI and API steps demonstrated below. + +```shell-extension +# Using CLI: +vault secrets enable -path=hosts-ca ssh +KEY_PRI=$(cat ~/.ssh/id_rsa | sed -z 's/\n/\\n/g') +KEY_PUB=$(cat ~/.ssh/id_rsa.pub | sed -z 's/\n/\\n/g') +# Create / Update keypair in Vault +vault write ssh-client-signer/config/ca \ + generate_signing_key=false \ + private_key="${KEY_PRI}" \ + public_key="${KEY_PUB}" +``` + +```shell-extension +# Using API: +curl -X POST -H "X-Vault-Token: ..." -d '{"type":"ssh"}' http://127.0.0.1:8200/v1/sys/mounts/hosts-ca +KEY_PRI=$(cat ~/.ssh/id_rsa | sed -z 's/\n/\\n/g') +KEY_PUB=$(cat ~/.ssh/id_rsa.pub | sed -z 's/\n/\\n/g') +tee payload.json < **IMPORTANT:** Do NOT add a private key password since Vault can't decrypt it. +Destroy the keypair and `payload.json` from your hosts immediately after they have been confirmed as successfully uploaded. + ### Known Issues - On SELinux-enforcing systems, you may need to adjust related types so that the SSH daemon is able to read it. For example, adjust the signed host certificate
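Review bot: The CLI example in this hunk enables the engine at `hosts-ca` but then writes the CA to `ssh-client-signer/config/ca`, and it reads `~/.ssh/id_rsa` although the preceding `ssh-keygen` command wrote the CA keypair to `host-ca`; a reader following it verbatim would upload their personal SSH key as a CA to a mount that does not exist. Suggest one mount path throughout (e.g. `vault write hosts-ca/config/ca \` ...) and reading `host-ca` / `host-ca.pub`. The API example has the same mismatch (`/v1/sys/mounts/hosts-ca` vs `~/.ssh/id_rsa`) and stops at `tee payload.json <` with no heredoc body and no `curl` call to `config/ca`, so that step cannot be completed as written. Minor: the new fences are tagged `shell-extension` while the existing block uses `shell-session`; `sed -z` is a GNU extension that fails on macOS/BSD sed, and `cat file | sed` can simply be `sed ... file`. Since the key is generated without a passphrase (`-N ""`) and then lands in a shell variable and in `payload.json`, the IMPORTANT note should also say to run these steps only on a trusted host, not just to delete the files afterwards.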