Powered by Redocly

SSH CA Roles

Different roles allow different restrictions on the type of certificate that can be signed and issued by a given ssh CA.

Create a new ssh ca role

Roles that define allowed principal names, certificate TTL, and other constraints for certificates issued by this SSH CA.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
string <name>
key-type
string <enumeration>
Default: "ca"
  • otp: Can issue OTPs.
  • ca: Can issue client certificates.
cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.

The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Valid when: ../key-type = "otp"

Limits the use of the OTP to a certain list of cidrs.

exclude-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.

The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Valid when: ../key-type = "otp"

Exclude a certain list of cidrs from using the OTPs

username
string <username>

Valid when: ../key-type = "otp"

Username to associate with the OTP.

port
integer <uint16>
Default: 22

Valid when: ../key-type = "otp"

cert-key-type
string <enumeration>
Default: "ecdsa"
  • rsa
  • ecdsa
  • ed25519

Valid when: ../key-type = "ca"

cert-key-curve
string <enumeration>
Default: "nistp256"
  • nistp256: Also known as secp256r and prime256v1. See RFC 4492.
  • nistp384: Also known as secp384r. See RFC 4492.
  • nistp521: Also known as secp521r. See RFC 4492.

Valid when: ../cert-key-type = "ecdsa" and ../key-type = "ca"

cert-key-size
integer <uint16>
Default: 2048

Valid when: ../cert-key-type = "rsa" and ../key-type = "ca"

allowed-users
Array of strings

Valid when: ../key-type = "ca"

List of users that are allowed in certificates issued from this role. A * entry can be used to allow any user.

allowed-domains
Array of strings

Valid when: ../key-type = "ca"

List of allowed domains in certificates issued from this role. A * entry can be used to allow any domain.

ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Duration of OTP and certificates issued from this role.

max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Valid when: ../key-type = "ca"

Max TTL allowed when issuing certificates.

allowed-critical-options
Array of strings

Valid when: ../key-type = "ca"

No critical options are defined for host certificates. For user certificates the options force-command and source-address are defined.

allowed-extensions
Array of strings

Valid when: ../key-type = "ca"

No extensions are defined for host certificates at the moment. User certificates have the following possible extensions:

no-presence-required, permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty, permit-user-rc

default-critical-options
Array of strings

Valid when: ../key-type = "ca"

default-extensions
Array of strings

Valid when: ../key-type = "ca"

For example no-presence-required, permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty, permit-user-rc

allow-user-certs
boolean
Default: false

Valid when: ../key-type = "ca"

Allow user (client) certificates to be generated from this role.

allow-host-certs
boolean
Default: false

Valid when: ../key-type = "ca"

Allow host (server) certificates to be generated from this role.

allow-bare-domains
boolean
Default: false

Valid when: ../key-type = "ca"

Allow certificates to be issued to a domain listed in the allowed-domains setting, without any host part, ie allow a certificate to avassa.io when avassa.io is present in the allowed-domains setting. This in contrast to issuing a certificate to tio.avassa.io.

allow-subdomains
boolean
Default: false

Valid when: ../key-type = "ca"

Allow certificates to be issued to subdomains of the domains listed in allowed-domains.

allow-user-key-ids
boolean
Default: false

Valid when: ../key-type = "ca"

Controls if a custom key-id is allowed when issuing a certificate.

Key id is a free-form text field that is filled in by the CA at the time of signing; the intention is that the contents of this field are used to identify the identity principal in log messages.

allowed-user-key-lengths
Array of integers <uint16>

Valid when: ../key-type = "ca"

It is possible to limit the size of the RSA keys used in client certificates.

to (object) or sites (object) or deployments (object)
Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

409

Conflict (instance exists)

503

Service Unavailable (strongbox sealed)

post/v1/config/strongbox/ssh/ca/{ssh-ca-name}/roles
Request samples 
name: signer
key-type: ca
cert-key-type: rsa
cert-key-size: 2048
allowed-users:
  - root
  - ubuntu
  - jb
allowed-domains:
  - avassa.io
  - avassa.net
ttl: 50m
max-ttl: 1d
allowed-critical-options: []
allowed-extensions:
  - permit-X11-forwarding
  - permit-port-forwarding
  - permit-pty
  - permit-user-rc
default-critical-options: []
default-extensions:
  - permit-X11-forwarding
  - permit-pty
  - permit-user-rc
allow-user-certs: true
allow-host-certs: false
allow-bare-domains: true
allow-subdomains: true
allow-user-key-ids: false
allowed-user-key-lengths: []
distribute:
  to: inherit

Retrieve the configuration of all ssh ca roles

Roles that define allowed principal names, certificate TTL, and other constraints for certificates issued by this SSH CA.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

where
string

Retrieve only items matching the given expression.

See section where

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/strongbox/ssh/ca/{ssh-ca-name}/roles
Response samples 
- name: signer
  key-type: ca
  cert-key-type: rsa
  cert-key-size: 2048
  allowed-users:
    - root
    - ubuntu
    - jb
  allowed-domains:
    - avassa.io
    - avassa.net
  ttl: 50m
  max-ttl: 1d
  allowed-critical-options: []
  allowed-extensions:
    - permit-X11-forwarding
    - permit-port-forwarding
    - permit-pty
    - permit-user-rc
  default-critical-options: []
  default-extensions:
    - permit-X11-forwarding
    - permit-pty
    - permit-user-rc
  allow-user-certs: true
  allow-host-certs: false
  allow-bare-domains: true
  allow-subdomains: true
  allow-user-key-ids: false
  allowed-user-key-lengths: []
  distribute:
    to: inherit

Update an ssh ca role

Roles that define allowed principal names, certificate TTL, and other constraints for certificates issued by this SSH CA.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

ssh-ca-role-name
required
string <name>

name of ssh-ca-role

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
string <name>
key-type
string <enumeration>
Default: "ca"
  • otp: Can issue OTPs.
  • ca: Can issue client certificates.
cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.

The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Valid when: ../key-type = "otp"

Limits the use of the OTP to a certain list of cidrs.

exclude-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.

The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Valid when: ../key-type = "otp"

Exclude a certain list of cidrs from using the OTPs

username
string <username>

Valid when: ../key-type = "otp"

Username to associate with the OTP.

port
integer <uint16>
Default: 22

Valid when: ../key-type = "otp"

cert-key-type
string <enumeration>
Default: "ecdsa"
  • rsa
  • ecdsa
  • ed25519

Valid when: ../key-type = "ca"

cert-key-curve
string <enumeration>
Default: "nistp256"
  • nistp256: Also known as secp256r and prime256v1. See RFC 4492.
  • nistp384: Also known as secp384r. See RFC 4492.
  • nistp521: Also known as secp521r. See RFC 4492.

Valid when: ../cert-key-type = "ecdsa" and ../key-type = "ca"

cert-key-size
integer <uint16>
Default: 2048

Valid when: ../cert-key-type = "rsa" and ../key-type = "ca"

allowed-users
Array of strings

Valid when: ../key-type = "ca"

List of users that are allowed in certificates issued from this role. A * entry can be used to allow any user.

allowed-domains
Array of strings

Valid when: ../key-type = "ca"

List of allowed domains in certificates issued from this role. A * entry can be used to allow any domain.

ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Duration of OTP and certificates issued from this role.

max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Valid when: ../key-type = "ca"

Max TTL allowed when issuing certificates.

allowed-critical-options
Array of strings

Valid when: ../key-type = "ca"

No critical options are defined for host certificates. For user certificates the options force-command and source-address are defined.

allowed-extensions
Array of strings

Valid when: ../key-type = "ca"

No extensions are defined for host certificates at the moment. User certificates have the following possible extensions:

no-presence-required, permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty, permit-user-rc

default-critical-options
Array of strings

Valid when: ../key-type = "ca"

default-extensions
Array of strings

Valid when: ../key-type = "ca"

For example no-presence-required, permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty, permit-user-rc

allow-user-certs
boolean
Default: false

Valid when: ../key-type = "ca"

Allow user (client) certificates to be generated from this role.

allow-host-certs
boolean
Default: false

Valid when: ../key-type = "ca"

Allow host (server) certificates to be generated from this role.

allow-bare-domains
boolean
Default: false

Valid when: ../key-type = "ca"

Allow certificates to be issued to a domain listed in the allowed-domains setting, without any host part, ie allow a certificate to avassa.io when avassa.io is present in the allowed-domains setting. This in contrast to issuing a certificate to tio.avassa.io.

allow-subdomains
boolean
Default: false

Valid when: ../key-type = "ca"

Allow certificates to be issued to subdomains of the domains listed in allowed-domains.

allow-user-key-ids
boolean
Default: false

Valid when: ../key-type = "ca"

Controls if a custom key-id is allowed when issuing a certificate.

Key id is a free-form text field that is filled in by the CA at the time of signing; the intention is that the contents of this field are used to identify the identity principal in log messages.

allowed-user-key-lengths
Array of integers <uint16>

Valid when: ../key-type = "ca"

It is possible to limit the size of the RSA keys used in client certificates.

to (object) or sites (object) or deployments (object)
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

patch/v1/config/strongbox/ssh/ca/{ssh-ca-name}/roles/{ssh-ca-role-name}
Request samples 
name: signer
key-type: ca
cert-key-type: rsa
cert-key-size: 2048
allowed-users:
  - root
  - ubuntu
  - jb
allowed-domains:
  - avassa.io
  - avassa.net
ttl: 50m
max-ttl: 1d
allowed-critical-options: []
allowed-extensions:
  - permit-X11-forwarding
  - permit-port-forwarding
  - permit-pty
  - permit-user-rc
default-critical-options: []
default-extensions:
  - permit-X11-forwarding
  - permit-pty
  - permit-user-rc
allow-user-certs: true
allow-host-certs: false
allow-bare-domains: true
allow-subdomains: true
allow-user-key-ids: false
allowed-user-key-lengths: []
distribute:
  to: inherit

Delete an ssh ca role

Roles that define allowed principal names, certificate TTL, and other constraints for certificates issued by this SSH CA.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

ssh-ca-role-name
required
string <name>

name of ssh-ca-role

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

delete/v1/config/strongbox/ssh/ca/{ssh-ca-name}/roles/{ssh-ca-role-name}

Replace or create a new ssh ca role

Roles that define allowed principal names, certificate TTL, and other constraints for certificates issued by this SSH CA.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

ssh-ca-role-name
required
string <name>

name of ssh-ca-role

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
string <name>
key-type
string <enumeration>
Default: "ca"
  • otp: Can issue OTPs.
  • ca: Can issue client certificates.
cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.

The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Valid when: ../key-type = "otp"

Limits the use of the OTP to a certain list of cidrs.

exclude-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.

The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Valid when: ../key-type = "otp"

Exclude a certain list of cidrs from using the OTPs

username
string <username>

Valid when: ../key-type = "otp"

Username to associate with the OTP.

port
integer <uint16>
Default: 22

Valid when: ../key-type = "otp"

cert-key-type
string <enumeration>
Default: "ecdsa"
  • rsa
  • ecdsa
  • ed25519

Valid when: ../key-type = "ca"

cert-key-curve
string <enumeration>
Default: "nistp256"
  • nistp256: Also known as secp256r and prime256v1. See RFC 4492.
  • nistp384: Also known as secp384r. See RFC 4492.
  • nistp521: Also known as secp521r. See RFC 4492.

Valid when: ../cert-key-type = "ecdsa" and ../key-type = "ca"

cert-key-size
integer <uint16>
Default: 2048

Valid when: ../cert-key-type = "rsa" and ../key-type = "ca"

allowed-users
Array of strings

Valid when: ../key-type = "ca"

List of users that are allowed in certificates issued from this role. A * entry can be used to allow any user.

allowed-domains
Array of strings

Valid when: ../key-type = "ca"

List of allowed domains in certificates issued from this role. A * entry can be used to allow any domain.

ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Duration of OTP and certificates issued from this role.

max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Valid when: ../key-type = "ca"

Max TTL allowed when issuing certificates.

allowed-critical-options
Array of strings

Valid when: ../key-type = "ca"

No critical options are defined for host certificates. For user certificates the options force-command and source-address are defined.

allowed-extensions
Array of strings

Valid when: ../key-type = "ca"

No extensions are defined for host certificates at the moment. User certificates have the following possible extensions:

no-presence-required, permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty, permit-user-rc

default-critical-options
Array of strings

Valid when: ../key-type = "ca"

default-extensions
Array of strings

Valid when: ../key-type = "ca"

For example no-presence-required, permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty, permit-user-rc

allow-user-certs
boolean
Default: false

Valid when: ../key-type = "ca"

Allow user (client) certificates to be generated from this role.

allow-host-certs
boolean
Default: false

Valid when: ../key-type = "ca"

Allow host (server) certificates to be generated from this role.

allow-bare-domains
boolean
Default: false

Valid when: ../key-type = "ca"

Allow certificates to be issued to a domain listed in the allowed-domains setting, without any host part, ie allow a certificate to avassa.io when avassa.io is present in the allowed-domains setting. This in contrast to issuing a certificate to tio.avassa.io.

allow-subdomains
boolean
Default: false

Valid when: ../key-type = "ca"

Allow certificates to be issued to subdomains of the domains listed in allowed-domains.

allow-user-key-ids
boolean
Default: false

Valid when: ../key-type = "ca"

Controls if a custom key-id is allowed when issuing a certificate.

Key id is a free-form text field that is filled in by the CA at the time of signing; the intention is that the contents of this field are used to identify the identity principal in log messages.

allowed-user-key-lengths
Array of integers <uint16>

Valid when: ../key-type = "ca"

It is possible to limit the size of the RSA keys used in client certificates.

to (object) or sites (object) or deployments (object)
Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

put/v1/config/strongbox/ssh/ca/{ssh-ca-name}/roles/{ssh-ca-role-name}
Request samples 
name: signer
key-type: ca
cert-key-type: rsa
cert-key-size: 2048
allowed-users:
  - root
  - ubuntu
  - jb
allowed-domains:
  - avassa.io
  - avassa.net
ttl: 50m
max-ttl: 1d
allowed-critical-options: []
allowed-extensions:
  - permit-X11-forwarding
  - permit-port-forwarding
  - permit-pty
  - permit-user-rc
default-critical-options: []
default-extensions:
  - permit-X11-forwarding
  - permit-pty
  - permit-user-rc
allow-user-certs: true
allow-host-certs: false
allow-bare-domains: true
allow-subdomains: true
allow-user-key-ids: false
allowed-user-key-lengths: []
distribute:
  to: inherit

Retrieve the configuration of an ssh ca role

Roles that define allowed principal names, certificate TTL, and other constraints for certificates issued by this SSH CA.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

ssh-ca-role-name
required
string <name>

name of ssh-ca-role

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

where
string

Retrieve only items matching the given expression.

See section where

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/strongbox/ssh/ca/{ssh-ca-name}/roles/{ssh-ca-role-name}
Response samples 
name: signer
key-type: ca
cert-key-type: rsa
cert-key-size: 2048
allowed-users:
  - root
  - ubuntu
  - jb
allowed-domains:
  - avassa.io
  - avassa.net
ttl: 50m
max-ttl: 1d
allowed-critical-options: []
allowed-extensions:
  - permit-X11-forwarding
  - permit-port-forwarding
  - permit-pty
  - permit-user-rc
default-critical-options: []
default-extensions:
  - permit-X11-forwarding
  - permit-pty
  - permit-user-rc
allow-user-certs: true
allow-host-certs: false
allow-bare-domains: true
allow-subdomains: true
allow-user-key-ids: false
allowed-user-key-lengths: []
distribute:
  to: inherit

Retrieve the state of all ssh ca roles

Roles that define allowed principal names, certificate TTL, and other constraints for certificates issued by this SSH CA.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

where
string

Retrieve only items matching the given expression.

See section where

site
string

Send the request to the specfifed site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/state/strongbox/ssh/ca/{ssh-ca-name}/roles
Response samples 
- name: signer
  key-type: ca
  cert-key-type: rsa
  cert-key-size: 2048
  allowed-users:
    - root
    - ubuntu
    - jb
  allowed-domains:
    - avassa.io
    - avassa.net
  ttl: 50m
  max-ttl: 1d
  allowed-critical-options: []
  allowed-extensions:
    - permit-X11-forwarding
    - permit-port-forwarding
    - permit-pty
    - permit-user-rc
  default-critical-options: []
  default-extensions:
    - permit-X11-forwarding
    - permit-pty
    - permit-user-rc
  allow-user-certs: true
  allow-host-certs: false
  allow-bare-domains: true
  allow-subdomains: true
  allow-user-key-ids: false
  allowed-user-key-lengths: []
  distribute:
    to: inherit
  distribution-status:
    to: none

Retrieve the state of an ssh ca role

Roles that define allowed principal names, certificate TTL, and other constraints for certificates issued by this SSH CA.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

ssh-ca-role-name
required
string <name>

name of ssh-ca-role

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

where
string

Retrieve only items matching the given expression.

See section where

site
string

Send the request to the specfifed site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/state/strongbox/ssh/ca/{ssh-ca-name}/roles/{ssh-ca-role-name}
Response samples 
name: signer
key-type: ca
cert-key-type: rsa
cert-key-size: 2048
allowed-users:
  - root
  - ubuntu
  - jb
allowed-domains:
  - avassa.io
  - avassa.net
ttl: 50m
max-ttl: 1d
allowed-critical-options: []
allowed-extensions:
  - permit-X11-forwarding
  - permit-port-forwarding
  - permit-pty
  - permit-user-rc
default-critical-options: []
default-extensions:
  - permit-X11-forwarding
  - permit-pty
  - permit-user-rc
allow-user-certs: true
allow-host-certs: false
allow-bare-domains: true
allow-subdomains: true
allow-user-key-ids: false
allowed-user-key-lengths: []
distribute:
  to: inherit
distribution-status:
  to: none

Invoke the get-otp operation

Generate a one-time password (OTP) for SSH host authentication. The OTP is used by the SSH helper on the target host to verify the connecting user's identity against this CA role.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

ssh-ca-role-name
required
string <name>

name of ssh-ca-role

Request Body schema:
ip
required
string <ip-address>
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/strongbox/ssh/ca/{ssh-ca-name}/roles/{ssh-ca-role-name}/get-otp
Request samples 
ip: 192.168.0.55
Response samples 
ip: 192.168.0.55
key: fa683720-f834-4e9f-b04c-152ec8fa5303
key-type: otp
port: 22
username: ubuntu
expires: 1970-01-01T00:27:21.994155Z

Invoke the issue-cert operation

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

ssh-ca-role-name
required
string <name>

name of ssh-ca-role

Request Body schema:
public-key
string
ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

valid-principals
required
Array of strings
cert-type
string <enumeration>
Default: "user"
  • user
  • host
key-id
string

key id is a free-form text field that is filled in by the CA at the time of signing; the intention is that the contents of this field are used to identify the identity principal in log messages.

critical-options
Array of strings
extensions
Array of strings

For example no-presence-required, permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding, permit-pty, permit-user-rc

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/strongbox/ssh/ca/{ssh-ca-name}/roles/{ssh-ca-role-name}/issue-cert
Request samples 
public-key: |
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzGm8UaHf1vbDr4J4OYMivONjA9GHjEw
  il8RER57cIrh2OIObGixCiKlqUUUrAdjqa7z1VUb0Xfsn3wu5+0VY5F/XNai7MvTNappSx
  QDN0vRzLzDMrdkFskscYVcw/Cfp/xo36nXl4IJLrOB/F6CZRsgP1Mq3YH3tEO7uU71uLTd
  1kSYh7w/2g4ujJ4X10XMaLG3+UfTGPjWj/YXsSHKYtGctUDt0U+7AjmM9jz4Ult1XXHHvU
  3rRm5fXaNbEsIZxEX/R7Gf090GmRNuJeKD7sCFT2trgepOOJqCYqUZZPbDNbO5ElM2VlK/
  1AAzDgWPSMuZmSw1ibg3OyZsQcoHTr jb@tio
ttl: 12h
valid-principals:
  - ubuntu
cert-type: user
key-id: admin-ssh
critical-options: []
extensions:
  - permit-X11-forwarding
  - permit-pty
Response samples 
cert: |
  ecdsa-sha2-nistp521-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHA1MjEtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgKGtKDBzjkBlbeH6W5kJOFtHVoy7UW5It/F4TwXgdO2IAAAAIbmlzdHA1MjEAAACFBAFX+SYuOoSEMESTuvHzjuog/ULOe8w4TxGe5nGQ/HHEspQWMBjvsXOsokkStlpy+8swMs4+RRiSb+3OmQS/i5JVLAGRvIrjhRKSUZmN6wzCj0NQO07aAYOxQwVRKmdPQNtqMJJyLojSiITa/ipFPFanJsIAAyIR4AFQqSCQQfZGjsBHjAAAAAAAAAABAAAAAQAAABh1c2VycGFzcy1hZG1pbkB0ZWxjby5jb20AAAAIAAAABHJvb3QAAAAAAAAAAAAAAABh3q7uAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE4P/oEHY6cXExAEgDu/d3U83M8m3PVn/bBPvev505I3OBBnvk6mLm2GaCs/ItPPaaWqgebukI6tFqELf0uCpCsAAAAGUAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEoAAAAhAIRUj+Sa2UZsRArHV7lLY9nyMB/qhnhRswWCsBjya7TYAAAAIQD1WZfWh69T9cacp1bvkBNc2zD9qjSy/Jahu1bv1t5AcQ== userpass-admin@telco.com
public-key: |
  ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFX+SYuOoSEMESTuvHzjuog/ULOe8w4TxGe5nGQ/HHEspQWMBjvsXOsokkStlpy+8swMs4+RRiSb+3OmQS/i5JVLAGRvIrjhRKSUZmN6wzCj0NQO07aAYOxQwVRKmdPQNtqMJJyLojSiITa/ipFPFanJsIAAyIR4AFQqSCQQfZGjsBHjA== root
private-key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAArAAAABNlY2RzYS
  1zaGEyLW5pc3RwNTIxAAAACG5pc3RwNTIxAAAAhQQBV/kmLjqEhDBEk7rx847qIP1CznvM
  OE8RnuZxkPxxxLKUFjAY77FzrKJJErZacvvLMDLOPkUYkm/tzpkEv4uSVSwBkbyK44USkl
  GZjesMwo9DUDtO2gGDsUMFUSpnT0DbajCSci6I0oiE2v4qRTxWpybCAAMiEeABUKkgkEH2
  Ro7AR4wAAAEAOnymeTp8pnkAAAATZWNkc2Etc2hhMi1uaXN0cDUyMQAAAAhuaXN0cDUyMQ
  AAAIUEAVf5Ji46hIQwRJO68fOO6iD9Qs57zDhPEZ7mcZD8ccSylBYwGO+xc6yiSRK2WnL7
  yzAyzj5FGJJv7c6ZBL+LklUsAZG8iuOFEpJRmY3rDMKPQ1A7TtoBg7FDBVEqZ09A22owkn
  IuiNKIhNr+KkU8VqcmwgADIhHgAVCpIJBB9kaOwEeMAAAAQVsiFfWJRwOpdHK11itD7ejS
  pSf7uiKVPZZ88jQRaT8ky0fjUbh1AtTiuFpC/4rv0BN8ugFLwV0gzcsjapLEzbFvAAAAAA
  ECAw==
  -----END OPENSSH PRIVATE KEY-----
ca-public-key: |
  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHSLaSvbPs7OwB1E6eTvUlvKP+zt1K9GnuYtPvkmuaN/poh3AXcF2mx/213GEvwiUrn893Och8+izAXdo9NyNGc= strongbox
serial: 1
expires: 2022-01-27T09:57:48.000000Z

Invoke the validate-otp operation

Validate an OTP generated by get-otp. Called by the SSH helper on the target host to verify that the OTP matches a previously issued credential for the connecting client IP address.

SecurityaccessToken
Request
path Parameters
ssh-ca-name
required
string <name>

name of ssh-ca

Request Body schema:
otp
required
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/strongbox/ssh/ca/{ssh-ca-name}/validate-otp
Request samples 
otp: e947cddf-1100-4ef7-b155-fd15aedb7c92
Response samples 
ip: 192.168.0.55
username: ubuntu
role-name: otp
➔ Next to SSH CAs