# SSH Certificate Signing Tests

This file contains the new test class `TestCertificateSigning` that should be appended to the end of `test_ssh_workflows.py`.

## Test Class: TestCertificateSigning

The class includes the following tests:

1. `test_sign_certificate_default_principals_positive` (SSH-CERT-01)
2. `test_sign_certificate_custom_principals_positive` (SSH-CERT-02)
3. `test_sign_certificate_unverified_key_negative` (SSH-CERT-04)
4. `test_sign_certificate_no_principals_negative` (SSH-CERT-05)
5. `test_sign_certificate_unauthorized_principals_negative` (SSH-CERT-06)
6. `test_sign_certificate_suspended_account_negative` (SSH-CERT-07)
7. `test_sign_certificate_no_ca_negative` (SSH-CERT-08)
8. `test_sign_certificate_cross_user_key_negative` (SSH-CERT-09)

## Implementation Details

The tests require:
- A setup helper function `_setup_cert_env` that creates a user with verified key, org membership, principal assignment, and CA
- Use of `tempfile`, `subprocess`, `os`, and `base64` for key generation and signing
- Proper error assertions using `assert_error` helper
- Direct database manipulation to suspend users for the suspended account test