---
id: capability.security.ssh-certificate-issuance
name: SSH Certificate Issuance
summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface; steward operational access routing across NetKingdom security lanes.
owner: ops-warden
status: draft
domain: helix_forge
tags:
  - ssh
  - certificate
  - ca
  - ops-warden
  - openbao
  - security
maturity:
  discovery:
    current: D4
    target: D5
    confidence: medium
    rationale: >
      SCOPE, AccessManagementDirective alignment, config runbooks, and the
      cert_command contract are documented; production OpenBao integration is
      documented, but engine deployment lives in railiance-platform.
  availability:
    current: A3
    target: A5
    confidence: medium
    rationale: >
      Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge
      and other callers integrate via cert_command without backend-specific
      branching.
external_evidence:
  completeness:
    level: C3
    name: Functional Core
    confidence: medium
    basis: scope_vs_intent_and_consumer_expectations
    satisfied_expectations:
      - local and OpenBao/Vault-compatible signing backends
      - TTL policy enforcement per actor type
      - principals inventory and cert-side scorecard
      - signatures audit log and stale-cert cleanup
      - cert_command stdout contract for ops-bridge
    broken_expectations:
      - host-side principal deployment not owned here
      - OpenBao SSH engine mount not deployed from this repo
    out_of_scope_expectations:
      - long-lived API key custody
      - tunnel lifecycle management
      - Vault/OpenBao cluster operations
  reliability:
    level: R2
    name: Tolerable
    confidence: medium
    basis: consumer_quality_signals
    known_reliability_risks:
      - production signing depends on OpenBao availability and token policy
      - local backend requires protected CA key handling by operators
discovery:
  intent: >
    Give the ops fleet short-lived SSH credentials for humans, agents, and
    automations without static keys, through a single cert_command surface
    that callers can rely on regardless of CA backend; route non-SSH
    credential needs to the correct NetKingdom subsystems (OpenBao, flex-auth,
    key-cape).
  includes:
    - certificate signing for adm, agt, and atm actors
    - actor principals inventory and TTL policy
    - cert_command interface (`warden sign`)
    - cert-side compliance scorecard and signatures log
    - ops-ssh-wrapper for automatic cert acquisition
    - NetKingdom credential routing and alignment documentation
  excludes:
    - tunnel lifecycle
    - host /etc/ssh/auth_principals deployment
    - OpenBao or Vault cluster setup
    - long-lived secret storage
  assumptions:
    - callers supply actor public keys; humans self-issue admin keys
    - production platform uses OpenBao with Vault-compatible SSH engine API
  use_cases:
    - ops-bridge tunnel cert_command
    - Inter-Hub bootstrap short-lived agent access
  research_memos:
    - ops-warden/SCOPE.md
    - ops-warden/wiki/CertCommandInterface.md
    - ops-warden/wiki/OpsWardenConfig.md
availability:
  current_level: A3
  target_level: A5
  current_artifacts:
    - ops-warden/src/warden/
    - ops-warden/wiki/CertCommandInterface.md
    - ops-warden/wiki/OpsWardenConfig.md
  target_artifacts:
    - packaged ops-warden release with documented OpenBao role bootstrap
  consumption_modes:
    - CLI
    - cert_command subprocess
relations:
  depends_on: []
  supports: []
  related_to: []
consumer_guidance:
  recommended_for:
    - issuing short-lived SSH certs for ops-bridge tunnels
    - agent or automation access with TTL-bound principals
    - checking cert-side compliance before rotation windows
    - orienting dev workers on which NetKingdom subsystem owns each credential type
  not_recommended_for:
    - storing OpenRouter or Inter-Hub API keys
    - replacing OpenBao deployment or host SSH hardening playbooks
    - static-key-only legacy access (use ops-bridge static key mode instead)
  known_limitations:
    - "VaultCA backend config key remains backend: vault for API compatibility"
    - host-side scorecard checks live in railiance-infra
---

# SSH Certificate Issuance

ops-warden is the custodian-domain SSH CA tool. It signs short-lived certificates, maintains the actor inventory, and exposes `warden sign` as the cert_command contract for ops-bridge and other callers. Production environments point the Vault-compatible backend (configured as `backend: vault`) at OpenBao; labs use the local ssh-keygen CA backend, which needs no platform dependencies.
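The local ssh-keygen CA backend and the per-actor TTL policy that the card lists, as an added illustration that is not ops-warden's own code: it builds and runs the signing command while refusing requests above an actor type's TTL ceiling. The ceiling values, the per-actor restriction sets, the key-id format and the 5-minute skew allowance are assumptions, not values from this page.

```python
"""Local ssh-keygen CA backend, illustrated: sign a short-lived user cert for an
ops-warden actor type (adm/agt/atm) while enforcing a per-actor TTL ceiling.
Illustrative code, not ops-warden's own. The ceilings, the extension sets and
the key-id format are assumptions; the page only states that such a policy exists."""
import subprocess
from pathlib import Path

# Assumed TTL ceilings in seconds: humans longest, unattended automations shortest.
MAX_TTL = {"adm": 8 * 3600, "agt": 3600, "atm": 15 * 60}
# Assumed least-privilege extension sets: automations get a bare exec channel.
RESTRICT = {"adm": [], "agt": ["no-agent-forwarding"],
            "atm": ["no-pty", "no-agent-forwarding", "no-port-forwarding"]}

def ttl_allowed(actor: str, ttl_seconds: int) -> bool:
    """True when the requested TTL is positive and within the actor's ceiling."""
    return actor in MAX_TTL and 0 < ttl_seconds <= MAX_TTL[actor]

def validity_spec(ttl_seconds: int) -> str:
    """ssh-keygen -V interval; start 5 minutes in the past to absorb host clock skew."""
    return f"-5m:+{ttl_seconds}s"

def sign_argv(actor: str, ca_key: str, pubkey: str, principals: list[str],
              ttl_seconds: int, serial: int) -> list[str]:
    """Build the ssh-keygen user-cert signing command, refusing out-of-policy requests."""
    if not ttl_allowed(actor, ttl_seconds):
        raise ValueError(f"ttl {ttl_seconds}s not allowed for actor type {actor!r}")
    if not principals:
        raise ValueError("a certificate needs at least one principal")
    key_id = f"{actor}:{principals[0]}:{serial}"   # assumed format; shows up in sshd auth logs
    argv = ["ssh-keygen", "-s", ca_key, "-I", key_id, "-n", ",".join(principals),
            "-V", validity_spec(ttl_seconds), "-z", str(serial)]
    for opt in RESTRICT[actor]:
        argv += ["-O", opt]
    return argv + [pubkey]

def sign(actor, ca_key, pubkey, principals, ttl_seconds, serial) -> Path:
    """Run the signer; ssh-keygen writes <pubkey stem>-cert.pub next to the public key."""
    subprocess.run(sign_argv(actor, ca_key, pubkey, principals, ttl_seconds, serial),
                   check=True, capture_output=True)
    return Path(pubkey).with_name(Path(pubkey).stem + "-cert.pub")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:   # throwaway CA and actor key for a lab run
        subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", f"{d}/ca"], check=True)
        subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", f"{d}/bot"], check=True)
        cert = sign("atm", f"{d}/ca", f"{d}/bot.pub", ["deploy-bot"], 600, 1)
        print(subprocess.run(["ssh-keygen", "-L", "-f", str(cert)], capture_output=True, text=True).stdout)
```

Running the block directly needs `ssh-keygen` on PATH; `ssh-keygen -L` on the result shows the principals, the `-5m` to `+600s` validity window and the critical options that the policy attached.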