Goal:

• Our customers in regulated environments are asked to use SSH certificates to avoid TOFU model and to be able to re-generate the private key of the Capsule's key efficiently.
• The need for renewing the key is e.g. once a year.
• We need to provide an easy way to use existing SSH CA infrastructure, not necessarily automating the creation and management of it

Acceptance Criteria:

• Customer must be able to provide public key, private key and certificate to the Capsule that should be used for User authentication during the REX connection
• Customer must be able to provide CA certificate that should be trusted when connecting to all target hosts from Capsule.
• Once provided/configured, the Capsule must trust target host certificate if it was signed by the provided CA. The host also needs to successfully authenticate the user without deploying the public key to the authorized_keys file.
• Customer should not setup file permissions and ownership manually, the configuration must be kept also during Satellite upgrade
• Customer must be able to easily reconfigure all 4 assets on the regular basis
• Registration and provisioning flows must configure the sshd on the registered/provisioned machine accordingly

Open questions:

• Do we need to support also only subset of the functionality - Host keys vs User keys?
• Is this the recommended way?
• Should this become the only way?
• Does it work with Ansible?
• Do we want to provide recommendation on the expiration, use of principals or any other feature of the functionality?

For the initial research, see the existing KCS