cloudtools / ssh-cert-authority

An implementation of an SSH certificate authority.
BSD 2-Clause "Simplified" License

Program can't find imported certificates #52

Open Carlgo11 opened 2 years ago

Carlgo11 commented 2 years ago

I'm unable to sign requests as ssh-cert-authority doesn't seem to be able to find the keys that are stored in ssh-agent.

Steps to reproduce

Server

Generating CA key:

root@server:/$ ssh-keygen -C 'certificate_authority' -f my_ssh_cert_authority
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in my_ssh_cert_authority
Your public key has been saved in my_ssh_cert_authority.pub
The key fingerprint is:
SHA256:JlpLr7dc6jnF0CijxBpd6XPaSK9BCegZnvxgh8jJlVY certificate_authority
The key's randomart image is:
+---[RSA 3072]----+
|   .oE .         |
|  o+. o          |
|o=+B + . o       |
|.+@ = O + .      |
| . B ++XSo       |
|  . o++=o o      |
|    . .o...      |
|      .oo+       |
|      .o*o       |
+----[SHA256]-----+

Getting MD5 of CA key:

root@server:/$ ssh-keygen -l -E md5 -f my_ssh_cert_authority
3072 MD5:ed:86:c2:b0:7d:af:64:c7:ae:62:bf:f3:2c:e8:88:18 certificate_authority (RSA)

/root/.ssh_ca/sign_certd_config.json:

{
  "production":{
        "NumberSignersRequired":-1,
        "MaxCertLifetime":86400,
        "SigningKeyFingerprint":"ed:86:c2:b0:7d:af:64:c7:ae:62:bf:f3:2c:e8:88:18",
        "AuthorizedUsers":{
            "e8:b4:55:04:79:37:ef:df:d4:30:53:ef:41:2b:46:ef":"user@client"
        }
  }
}

Importing key and starting ssh-cert-authority server:

root@server:/$ eval `ssh-agent -s`; ssh-add my_ssh_cert_authority; ssh-add -E md5 -l; ssh-agent ssh-cert-authority runserver
Agent pid 8
Identity added: my_ssh_cert_authority (certificate_authority)
3072 MD5:ed:86:c2:b0:7d:af:64:c7:ae:62:bf:f3:2c:e8:88:18 certificate_authority (RSA)
Server running version 1.7.1
Using SSH agent at /tmp/ssh-XXXXXXFmAAPo/agent.1
Server started with config map[string]ssh_ca_util.SignerdConfig{"production":ssh_ca_util.SignerdConfig{SigningKeyFingerprint:"ed:86:c2:b0:7d:af:64:c7:ae:62:bf:f3:2c:e8:88:18", AuthorizedSigners:map[string]string(nil), AuthorizedUsers:map[string]string{"e8:b4:55:04:79:37:ef:df:d4:30:53:ef:41:2b:46:ef":"user@client"}, NumberSignersRequired:-1, SlackUrl:"", SlackChannel:"", MaxCertLifetime:86400, PrivateKeyFile:"", KmsRegion:"", CriticalOptions:map[string]string(nil)}}

Client

/home/user/.ssh_ca/requster_config.json:

{
    "production": {
        "PublicKeyPath": "/home/user/.ssh/id_rsa.pub",
        "SignerUrl": "http://server.local:8080/"
    }
}

Making a request:

user@client:~$ ./ssh-cert-authority r -r testing -p user -e production
Cert request id: MKEWDZH3LZ2W4

Server

Request response:

Received 0 signatures for MKEWDZH3LZ2W4, signing now.
Couldn't find signing key for request MKEWDZH3LZ2W4, unable to sign request: Unable to find your SSH key (ed:86:c2:b0:7d:af:64:c7:ae:62:bf:f3:2c:e8:88:18) in agent. Consider ssh-add
Cert request serial 7100313923624007022 id MKEWDZH3LZ2W4 env production from e8:b4:55:04:79:37:ef:df:d4:30:53:ef:41:2b:46:ef (user@client) @ 172.21.0.1:44670 principals [user] valid from 1642207193 to 1642214513 for 'testing'

bobveznat commented 2 years ago

Thanks for the super detailed report here. As I followed your steps to reproduce I noticed the issue:

eval `ssh-agent -s`; ssh-add my_ssh_cert_authority; ssh-add -E md5 -l; ssh-agent ssh-cert-authority runserver

The last piece of the command, "ssh-agent ssh-cert...", is starting a brand new ssh-agent and running the server within that context. If you change your command to be:

eval `ssh-agent -s`; ssh-add my_ssh_cert_authority; ssh-add -E md5 -l; ssh-cert-authority runserver

You should be good to go. Let me know if this fixes things for you or if you have any other questions.
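
A preflight check for the mistake diagnosed above, added here as an example and not part of ssh-cert-authority itself: before `runserver` starts, confirm that the agent behind the current `SSH_AUTH_SOCK` actually holds the `SigningKeyFingerprint` from sign_certd_config.json, so the failure shows up at startup instead of on the first signing request. The helper function names and the narrow config parsing are assumptions of this example; the fingerprints used in comments come from this thread.

```sh
#!/bin/sh
# Preflight for ssh-cert-authority: is the CA signing key in the agent that
# runserver will inherit? Added example, not part of the project. Assumes
# OpenSSH's ssh-add and the config layout shown in this issue.

# Read `ssh-add -E md5 -l` output on stdin; succeed only if a listed key's
# fingerprint equals $1. ssh-add prints "MD5:aa:bb:..." while the config stores
# "aa:bb:...", so the prefix is stripped. A freshly spawned agent prints
# "The agent has no identities." and matches nothing, which is what
# `ssh-agent ssh-cert-authority runserver` saw in the report above.
agent_listing_has_fingerprint() {
    awk -v want="$1" '
        NF >= 2 && $2 ~ /^MD5:/ { sub(/^MD5:/, "", $2); if ($2 == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Extract SigningKeyFingerprint for environment $1 from sign_certd_config.json
# on stdin. Narrow on purpose: it relies on the environment name appearing
# before its SigningKeyFingerprint line, as in this issue's config, not on a
# full JSON parse.
signing_key_fingerprint() {
    awk -v env="\"$1\"" '
        index($0, env) { in_env = 1 }
        in_env && match($0, /"SigningKeyFingerprint" *: *"[^"]*"/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^"SigningKeyFingerprint" *: *"/, "", s); sub(/"$/, "", s)
            print s; exit
        }'
}

# Check the live agent at SSH_AUTH_SOCK. A non-zero exit means runserver would
# accept requests and then fail to sign them, so refuse to start it.
preflight() {
    cfg=$1; env=$2
    fp=$(signing_key_fingerprint "$env" < "$cfg")
    [ -n "$fp" ] || { echo "no SigningKeyFingerprint for $env in $cfg" >&2; return 2; }
    if ssh-add -E md5 -l 2>/dev/null | agent_listing_has_fingerprint "$fp"; then
        echo "signing key $fp present in agent ${SSH_AUTH_SOCK:-<unset>}"
    else
        echo "signing key $fp missing from agent ${SSH_AUTH_SOCK:-<unset>}: ssh-add it in this shell" >&2
        return 1
    fi
}

# Same shell, same agent, no extra `ssh-agent` in front of the server:
#   preflight /root/.ssh_ca/sign_certd_config.json production && ssh-cert-authority runserver
```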

Carlgo11 commented 2 years ago

Thanks! That did indeed do the trick :partying_face:

Do you have any detailed examples of sign_certd_config.json? I'm trying to figure out how to specify critical options and extensions. A subdirectory in the examples/ folder with the required JSON files along with comments might be a good idea?