-
Hi, all step ssh certificates seem to be ecdsa. The host key can be created using crypto --kty=OKP --curve=ed25519, but the step ssh certificate does not have these options. Should this be possible, or is this missing? If so, are you planning to get the more secure ed25519 anytime soon?

Thanks
Peter
Replies: 2 comments 1 reply
-
This should be possible, as a workaround you can create a certificate from a previously created key using the `--sign` flag:

```
# create private (ed) and public (ed.pub) keys
ssh-keygen -t ed25519 -f ed
# Sign ed.pub
step ssh certificate --sign [email protected] ed.pub
```

Or with step only:

```
# create keypair
step crypto keypair --kty OKP ed25519.pem ed25519.priv
# Convert public key to ssh format
step crypto key format --ssh --out ed25519.pub ed25519.pem
# Sign ed25519.pub
step ssh certificate --sign [email protected] ed25519.pub
```

You can do the same for hosts using for example the previously generated key in `/etc/sshd` and using `--sign --host`
-
I've added this new issue to track the feature in the cli smallstep/cli#477
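
Added example, not part of the thread and not smallstep's code: a Python check that parses one line of a certificate file (assumed to be in the standard OpenSSH `-cert.pub` format) and reports the subject key type, user or host kind, principals and the CA's signing key type, so you can confirm that a certificate signed from an existing ed25519 key really is ed25519. The names `inspect_cert`, `take`, `pack` and `SAMPLE` are hypothetical, and the sample certificate is constructed with dummy key and signature bytes.

```python
import base64
import struct

# Key-specific fields between the nonce and the serial (OpenSSH PROTOCOL.certkeys).
KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,           # pk
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,   # curve, public_key
}

def pack(data):  # SSH wire "string": uint32 length followed by the bytes
    return struct.pack(">I", len(data)) + data

def take(buf, off):
    """Read one wire string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_cert(line):
    """Parse one *-cert.pub line: subject key type, kind, key id, principals, CA key type."""
    label, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    ktype, off = take(blob, 0)
    if ktype.decode() != label or label not in KEY_FIELDS:
        raise ValueError("unexpected certificate type: " + label)
    for _ in range(1 + KEY_FIELDS[label]):           # nonce, then key fields
        _, off = take(blob, off)
    _serial, kind = struct.unpack_from(">QI", blob, off)
    key_id, off = take(blob, off + 12)
    plist, off = take(blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = take(plist, p)
        principals.append(name.decode())
    off += 16                                        # valid_after, valid_before
    for _ in range(3):                               # critical options, extensions, reserved
        _, off = take(blob, off)
    ca_type = take(take(blob, off)[0], 0)[0].decode()  # first field of the signature key
    return {"key_type": label, "kind": {1: "user", 2: "host"}.get(kind, "unknown"),
            "key_id": key_id.decode(), "principals": principals, "ca_key_type": ca_type}

# Constructed sample: dummy key and signature bytes, structurally valid only.
_CA = pack(b"ecdsa-sha2-nistp256") + pack(b"nistp256") + pack(b"\x04" + b"\x02" * 64)
_BLOB = (pack(b"ssh-ed25519-cert-v01@openssh.com") + pack(b"\x00" * 32) + pack(b"\x01" * 32)
         + struct.pack(">QI", 1, 1) + pack(b"user@example.com") + pack(pack(b"user"))
         + struct.pack(">QQ", 0, 2**64 - 1) + pack(b"") * 3
         + pack(_CA) + pack(b"constructed-signature"))
SAMPLE = "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(_BLOB).decode() + " constructed"
```

The subject key type and the CA key type are reported separately because they are independent fields of the certificate; the parser does not verify the signature.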