trfore.smallstep.step_ssh role – Request SSH Certificate from step CA Server

Note

This role is part of the trfore.smallstep collection (version 1.1.2).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install trfore.smallstep.

To use it in a playbook, specify: trfore.smallstep.step_ssh.

Entry point main – Request SSH Certificate from step CA Server

New in trfore.smallstep 1.1.0

Synopsis

  • This role will request an SSH host certificate from a step CA server and automatically renew it.

  • It uses the default JWK provisioner for the initial request and the SSHPOP provisioner for renewal.

  • SSH host certificates have a default expiration of 30 days; the renewal service is a systemd timer that runs daily (07:00 UTC / 02:00 EST ± 00:15) and renews the certificate once it has passed 66% of its lifetime.

  • The role will also configure the host to accept user certificates.

Parameters

step_ca_path (path)
    Step CA folder containing the CA configuration and root certificate.
    Default: "/etc/step-ca/"

step_ssh_key_pair_name (string)
    Name of the SSH key pair within `/etc/ssh/` to use for generating a certificate.
    Default: "ssh_host_ecdsa_key"

step_ssh_principal_0 (string)
    Primary principal to add to the certificate; defaults to the FQDN of the host.
    Default: "ansible_fqdn"

step_ssh_principal_1 (string)
    Optional additional principal to add to the certificate, e.g. the host name or IP address.

step_ssh_provisioner (string / required)
    The name of the provisioner to use. The default JWK provisioner is the first word in the CA name, e.g. `Example.com` in `Example.com CA`.

step_ssh_provisioner_password (string)
    Password for the provisioner.

step_ssh_token (string)
    One-time token used to authenticate with the CA.
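The following playbook is an added example of wiring these parameters together; it is not part of the collection's own documentation. It assumes an inventory group named ssh_hosts, a CA named "Example.com CA" (so the default JWK provisioner is "Example.com"), a vault variable vault_step_provisioner_password holding the provisioner password, and that the issued certificate is written next to the key as /etc/ssh/<key pair name>-cert.pub, the usual OpenSSH naming.

```yaml
# Added example playbook (not part of the trfore.smallstep collection).
# Assumptions: inventory group "ssh_hosts", CA name "Example.com CA",
# vault variable "vault_step_provisioner_password", and the certificate
# being stored as /etc/ssh/<key pair name>-cert.pub.
- name: Issue and verify SSH host certificates from the step CA
  hosts: ssh_hosts
  become: true
  vars:
    # First word of the CA name is the default JWK provisioner
    step_ssh_provisioner: Example.com
    # Keep the provisioner password out of the playbook and inventory
    step_ssh_provisioner_password: "{{ vault_step_provisioner_password }}"
    # Role default; repeated here because the post-tasks reuse it
    step_ssh_key_pair_name: ssh_host_ecdsa_key
    # Second principal so clients connecting by short name also match
    step_ssh_principal_1: "{{ inventory_hostname_short }}"
  roles:
    - role: trfore.smallstep.step_ssh
  post_tasks:
    - name: Read back the issued host certificate
      ansible.builtin.command: ssh-keygen -L -f /etc/ssh/{{ step_ssh_key_pair_name }}-cert.pub
      register: host_cert
      changed_when: false

    - name: Confirm it is a host certificate carrying both principals
      ansible.builtin.assert:
        that:
          - "'host certificate' in host_cert.stdout"
          - "ansible_fqdn in host_cert.stdout"
          - "inventory_hostname_short in host_cert.stdout"
        fail_msg: "Host certificate missing or its principals do not match"
```

Run it with --ask-vault-pass (or a vault password file) so the provisioner password is decrypted at run time only.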