ops-warden/registry/capabilities/capability.security.ssh-certificate-issuance.md

id, name, summary, owner, status, domain, tags, maturity, external_evidence, discovery, availability, relations, consumer_guidance

id	name	summary	owner	status	domain	tags	maturity	external_evidence	discovery	availability	relations	consumer_guidance
capability.security.ssh-certificate-issuance	SSH Certificate Issuance	Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface.	ops-warden	draft	helix_forge	ssh certificate ca ops-warden openbao security	discovery availability current target confidence rationale D4 D5 medium SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command contract are documented; production OpenBao integration is documented but engine deployment lives in railiance-platform. current target confidence rationale A3 A5 medium Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and other callers integrate via cert_command without backend-specific branching.	completeness reliability level name confidence basis satisfied_expectations broken_expectations out_of_scope_expectations C3 Functional Core medium scope_vs_intent_and_consumer_expectations local and OpenBao/Vault-compatible signing backends TTL policy enforcement per actor type principals inventory and cert-side scorecard signatures audit log and stale-cert cleanup cert_command stdout contract for ops-bridge host-side principal deployment not owned here OpenBao SSH engine mount not deployed from this repo long-lived API key custody tunnel lifecycle management Vault/OpenBao cluster operations level name confidence basis known_reliability_risks R2 Tolerable medium consumer_quality_signals production signing depends on OpenBao availability and token policy local backend requires protected CA key handling by operators	intent includes excludes assumptions use_cases research_memos Give the ops fleet short-lived SSH credentials for humans, agents, and automations without static keys, through a single cert_command surface that callers can rely on regardless of CA backend. certificate signing for adm, agt, and atm actors actor principals inventory and TTL policy cert_command interface (`warden sign`) cert-side compliance scorecard and signatures log ops-ssh-wrapper for automatic cert acquisition tunnel lifecycle host /etc/ssh/auth_principals deployment OpenBao or Vault cluster setup long-lived secret storage callers supply actor public keys; humans self-issue admin keys production platform uses OpenBao with Vault-compatible SSH engine API ops-bridge tunnel cert_command Inter-Hub bootstrap short-lived agent access ops-warden/SCOPE.md ops-warden/wiki/CertCommandInterface.md ops-warden/wiki/OpsWardenConfig.md	current_level target_level current_artifacts target_artifacts consumption_modes A3 A5 ops-warden/src/warden/ ops-warden/wiki/CertCommandInterface.md ops-warden/wiki/OpsWardenConfig.md packaged ops-warden release with documented OpenBao role bootstrap CLI cert_command subprocess	depends_on supports related_to	recommended_for not_recommended_for known_limitations issuing short-lived SSH certs for ops-bridge tunnels agent or automation access with TTL-bound principals checking cert-side compliance before rotation windows storing OpenRouter or Inter-Hub API keys replacing OpenBao deployment or host SSH hardening playbooks static-key-only legacy access (use ops-bridge static key mode instead) VaultCA backend config key remains backend: vault for API compatibility host-side scorecard checks live in railiance-infra

SSH Certificate Issuance

ops-warden is the custodian-domain SSH CA tool. It signs short-lived certificates, maintains the actor inventory, and exposes warden sign as the cert_command contract for ops-bridge and other callers.

Production environments point the vault-compatible backend at OpenBao; labs use the local ssh-keygen CA backend without platform dependencies.