Has there been any work to issue ssh certificates through ACME?

You can pass custom content-type headers, so it should be possible to jam it in there?

@Foxboron I hacked on it a bit, and have a partial implementation (for host certs, primarily). The main decision is what challenge channel to use: do something custom on the SSH level/protocol, so that the CA can verify the SSH server directly (similar to HTTP/TLS challenges), or go “out-of-band” and verify the SSH host is the same as e.g. HTTP host (similarities to DNS challenge). The latter is simpler to implement, and probably what you are thinking of too.

@hslatman
I'm thinking just add `ssh-certificate` to the Content-Type in the ACME response to fetch the certificate.

Map the CSR to the ssh certificate?

It should be enough?

@Foxboron either with custom extensions, and/or some assumptions that e.g. subject / dns / email / ip map to requested SSH principals can work. In step-ca we do something like that.

But keep in mind the challenge verification: for host certs you could do an HTTP/TLS/DNS challenge, but then the SSH server (or some orchestration) has to serve the challenge too.
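An added example of the CSR-to-principal mapping discussed above, written for this thread and not taken from step-ca or any ACME client; it uses only the Go standard library, and the policy it applies (host certs get DNS and IP SANs, user certs get email SANs, the CN is ignored) plus all hostnames and addresses are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"net"
)

// PrincipalsFromCSR maps the SANs of a DER-encoded X.509 CSR onto SSH principals.
// Assumed policy (not step-ca's rules): host certs take DNS names and IPs, user
// certs take emails. The CN is ignored: only SAN identities the challenge validated count.
func PrincipalsFromCSR(der []byte, hostCert bool) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return nil, err
	}
	var out []string
	if hostCert {
		out = append(out, csr.DNSNames...)
		for _, ip := range csr.IPAddresses {
			out = append(out, ip.String())
		}
	} else {
		out = append(out, csr.EmailAddresses...)
	}
	if len(out) == 0 {
		return nil, errors.New("CSR carries no SAN usable as a principal for this cert type")
	}
	return out, nil
}

// NewSampleCSR builds a constructed CSR with mixed SANs (placeholder names) for offline use.
func NewSampleCSR() ([]byte, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: "host.example.test"},
		DNSNames:       []string{"host.example.test", "alias.example.test"},
		IPAddresses:    []net.IP{net.ParseIP("192.0.2.10")},
		EmailAddresses: []string{"alice@example.test"},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}
```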