Marc Chua marcchua

marcchua /
Created Mar 5, 2021 — forked from kawsark/
A guide for configuring Vault's SSH-CA

SSH CA use-case with Vault

In this scenario we set up Vault to sign SSH keys using an internal CA. We will configure the SSH secrets engine and create a CA within Vault, then configure an SSH server to trust the CA key we just created. Finally, we will attempt to SSH using a private key together with its public key signed by the Vault SSH CA.

  • This guide assumes you have already provisioned a Vault server, an SSH host running OpenSSH server, and an SSH client machine.
  • The client system must be able to reach the Vault server and the OpenSSH server.
  • We will refer to these systems respectively as:

Keybase proof

I hereby claim:

  • I am marcchua on github.
  • I am mchua ( on keybase.
  • I have a public key ASCPvgDNqn3swO6eC7PPpDnsEt-v_x9NCQyHn4CYHlFJ3Qo

To claim this, I am signing this object: