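# This script will get an SSH host certificate from our CA and add a weekly
# cron job to rotate the host certificate.
# See for full instructions
#
# Run as root on the host being enrolled. Every "[...]" value below is a
# placeholder to fill in first; the script refuses to run while any is left.
set -euo pipefail

CA_URL="[Your CA's URL]"
ALLOWED_DOMAIN="[the domain name of accounts your users will use to sign to Google]"
CA_NAME="[A name for your CA]"
# Obtain your CA fingerprint by running this on your CA:
# # step certificate fingerprint $(step path)/certs/root_ca.crt
CA_FINGERPRINT="[Your CA's Fingerprint]"
# Password file for the provisioner, read by `step ca token`. Keep it mode 0600
# and delete it once enrollment has succeeded.
PROVISIONER_PASSWORD_FILE=key
# Second name clients may use for this host (the first is $HOSTNAME); the
# original listing lost this value.
SECOND_PRINCIPAL="[second host name, e.g. the FQDN]"

# File names that were lost from the original listing -- restore them.
# Key handed to `step ssh certificate --sign` (under /etc/ssh/).
SIGN_INPUT="/etc/ssh/[key file to sign]"
# Certificate file sshd serves; OpenSSH's convention is <HostKey>-cert.pub.
HOST_CERT="/etc/ssh/[host certificate file]"
# Private host key sshd uses; the certificate above must belong to it.
HOST_KEY=/etc/ssh/ssh_host_ecdsa_key
# User CA public key, written under $(step path)/certs/ and referenced from
# sshd_config as TrustedUserCAKeys.
USER_CA_KEY_FILE="[user CA public key file]"

# Refuse to run with an unfilled placeholder: it would otherwise be sent to
# the CA, or written into sshd_config, as if it were a real value.
for v in CA_URL ALLOWED_DOMAIN CA_NAME CA_FINGERPRINT SECOND_PRINCIPAL \
         SIGN_INPUT HOST_CERT USER_CA_KEY_FILE; do
  if [[ "${!v}" == *'['* ]]; then
    printf 'fill in %s before running this script\n' "$v" >&2
    exit 1
  fi
done

# curl -LO${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb
# dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb
command -v step >/dev/null || { printf 'step-cli is not installed\n' >&2; exit 1; }

# Configure `step` to connect to & trust our `step-ca`.
# Pull down the CA's root certificate so we can talk to it later with TLS.
# The fingerprint pins the root: a server at CA_URL presenting a different
# root is rejected here instead of being trusted.
step ca bootstrap --ca-url "$CA_URL" \
  --fingerprint "$CA_FINGERPRINT"

# Install the CA cert for validating user certificates (from /etc/step-ca/certs/ on the CA).
step_certs_dir="$(step path)/certs"
user_ca_key="${step_certs_dir}/${USER_CA_KEY_FILE}"
step ssh config --roots > "$user_ca_key"

# Ask the CA to exchange our host key for an SSH host certificate.
# The token is requested for the same subject the certificate is issued to;
# the original listing hard-coded a different name here than the $HOSTNAME
# used below.
TOKEN=$(step ca token "$HOSTNAME" -host -ssh -password-file="$PROVISIONER_PASSWORD_FILE")
step ssh certificate "$HOSTNAME" "$SIGN_INPUT" \
  --host --sign --provisioner "${CA_NAME}@${ALLOWED_DOMAIN}" \
  --principal "$HOSTNAME" --principal "$SECOND_PRINCIPAL" \
  --token "$TOKEN"

# Configure and restart `sshd`. The marker line makes the append idempotent:
# re-running the script no longer duplicates the block in sshd_config.
if ! grep -q '^# SSH CA Configuration' /etc/ssh/sshd_config; then
  tee -a /etc/ssh/sshd_config > /dev/null <<EOF
# SSH CA Configuration
# This is the CA's public key, for authenticatin user certificates:
TrustedUserCAKeys ${user_ca_key}
# This is our host private key and certificate:
HostKey ${HOST_KEY}
HostCertificate ${HOST_CERT}
EOF
fi
# Validate the configuration before restarting, so a bad line cannot leave
# the host without a working sshd.
/usr/sbin/sshd -t
service ssh restart

# Now add a weekly cron script to rotate our host certificate.
# Renewal errors are no longer discarded and the job exits with step's
# status, so cron reports a failed renewal instead of the host certificate
# silently expiring (clients would then reject this host).
cat > /etc/cron.weekly/rotate-ssh-certificate <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
export STEPPATH=/root/.step
cd /etc/ssh
step ssh renew ssh_host_ecdsa_key --force
EOF
chmod 755 /etc/cron.weekly/rotate-ssh-certificate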