etc/ssh_ca.conf


[default]
# Certificate validity period (in hours)
# Default: 1 hour
cert_validity_hours=1

# Maximum certificate validity allowed (in hours)
# Default: 24 hours
# Prevents users from requesting certificates valid longer than this
max_cert_validity_hours=24

# Certificate Request Limits
# Maximum number of certificates per user
max_certs_per_user=100

# Certificate revocation list (CRL) configuration
crl_enabled=true
# CRL endpoint URL - set to your domain where CRL is served
crl_endpoint=https://ca.example.com/crl
# CRL refresh interval (in hours)
crl_refresh_hours=24

# CA Key Configuration
# Default key type for new CAs (ed25519, rsa, ecdsa)
default_key_type=ed25519

# RSA key size (if using RSA)
rsa_key_bits=4096

# Private key encryption
# Method: kms (AWS Key Management Service) or local (for development only)
private_key_encryption=kms
# AWS KMS Key ID (only used if private_key_encryption=kms)
aws_kms_key_id=${SSH_CA_KMS_KEY_ID}

# SSH Certificate Extensions
# Default extensions to add to certificates
extensions_enabled=true
extensions=permit-X11-forwarding,permit-agent-forwarding,permit-pty,permit-port-forwarding,permit-user-rc

# Critical Options
# Critical options to add to certificates (rarely needed)
critical_options_enabled=false

# Certificate Field Limits
# Maximum number of principals per certificate (SSH limitation is 256)
max_principals_per_cert=256

# Maximum length for key_id field
max_key_id_length=255

# Logging Configuration
# Log level for SSH CA operations (DEBUG, INFO, WARNING, ERROR)
log_level=INFO

# Audit Configuration
# Log all certificate signing operations
audit_enabled=true

# Security Configuration
# Require SSH key verification before issuing certificates
require_key_verification=true

# Verification challenge max age (in hours)
verification_challenge_max_age=24

# Rate limiting for certificate signing
# Max certificates per minute per user
rate_limit_certs_per_minute=5

# Request timeout (in seconds)
request_timeout=30

# Cleanup Configuration
# Automatically delete unverified SSH keys after this many days
auto_delete_unverified_days=30

# Archive expired certificates after this many days
archive_expired_days=365

# CLI OAuth Configuration (for secuird-cli.py compatibility)
# OAuth token endpoint for CLI clients
oauth_token_endpoint=/api/v1/oauth2/token
# OAuth userinfo endpoint for CLI clients
oauth_userinfo_endpoint=/api/v1/oauth2/userinfo

[development]
# Override settings for development environment
private_key_encryption=local
ca_key_path=/home/james/cory/secuird/certs/ca-users
log_level=DEBUG
cert_validity_hours=24
max_cert_validity_hours=720
rate_limit_certs_per_minute=100
require_key_verification=false

[production]
# Override settings for production environment
private_key_encryption=kms
log_level=WARNING
cert_validity_hours=1
max_cert_validity_hours=24
rate_limit_certs_per_minute=5
require_key_verification=true

[testing]
# Override settings for testing environment
private_key_encryption=local
log_level=DEBUG
cert_validity_hours=1
max_cert_validity_hours=24
rate_limit_certs_per_minute=100
require_key_verification=true
audit_enabled=false
Feat: Added CA-merged with Securid-Principals, Depart, Client-CLI 2026-02-27 21:59:01 +05:45
			`[default]`
			`# Certificate validity period (in hours)`
			`# Default: 1 hour`
			`cert_validity_hours=1`

			`# Maximum certificate validity allowed (in hours)`
			`# Default: 24 hours`
			`# Prevents users from requesting certificates valid longer than this`
			`max_cert_validity_hours=24`

			`# Certificate Request Limits`
			`# Maximum number of certificates per user`
			`max_certs_per_user=100`

			`# Certificate revocation list (CRL) configuration`
			`crl_enabled=true`
			`# CRL endpoint URL - set to your domain where CRL is served`
			`crl_endpoint=https://ca.example.com/crl`
			`# CRL refresh interval (in hours)`
			`crl_refresh_hours=24`

			`# CA Key Configuration`
			`# Default key type for new CAs (ed25519, rsa, ecdsa)`
			`default_key_type=ed25519`

			`# RSA key size (if using RSA)`
			`rsa_key_bits=4096`

			`# Private key encryption`
			`# Method: kms (AWS Key Management Service) or local (for development only)`
			`private_key_encryption=kms`
			`# AWS KMS Key ID (only used if private_key_encryption=kms)`
			`aws_kms_key_id=${SSH_CA_KMS_KEY_ID}`

			`# SSH Certificate Extensions`
			`# Default extensions to add to certificates`
			`extensions_enabled=true`
			`extensions=permit-X11-forwarding,permit-agent-forwarding,permit-pty,permit-port-forwarding,permit-user-rc`

			`# Critical Options`
			`# Critical options to add to certificates (rarely needed)`
			`critical_options_enabled=false`

			`# Certificate Field Limits`
			`# Maximum number of principals per certificate (SSH limitation is 256)`
			`max_principals_per_cert=256`

			`# Maximum length for key_id field`
			`max_key_id_length=255`

			`# Logging Configuration`
			`# Log level for SSH CA operations (DEBUG, INFO, WARNING, ERROR)`
			`log_level=INFO`

			`# Audit Configuration`
			`# Log all certificate signing operations`
			`audit_enabled=true`

			`# Security Configuration`
			`# Require SSH key verification before issuing certificates`
			`require_key_verification=true`

			`# Verification challenge max age (in hours)`
			`verification_challenge_max_age=24`

			`# Rate limiting for certificate signing`
			`# Max certificates per minute per user`
			`rate_limit_certs_per_minute=5`

			`# Request timeout (in seconds)`
			`request_timeout=30`

			`# Cleanup Configuration`
			`# Automatically delete unverified SSH keys after this many days`
			`auto_delete_unverified_days=30`

			`# Archive expired certificates after this many days`
			`archive_expired_days=365`

			`# CLI OAuth Configuration (for secuird-cli.py compatibility)`
			`# OAuth token endpoint for CLI clients`
			`oauth_token_endpoint=/api/v1/oauth2/token`
			`# OAuth userinfo endpoint for CLI clients`
			`oauth_userinfo_endpoint=/api/v1/oauth2/userinfo`

			`[development]`
			`# Override settings for development environment`
			`private_key_encryption=local`
			`ca_key_path=/home/james/cory/secuird/certs/ca-users`
			`log_level=DEBUG`
			`cert_validity_hours=24`
			`max_cert_validity_hours=720`
			`rate_limit_certs_per_minute=100`
			`require_key_verification=false`

			`[production]`
			`# Override settings for production environment`
			`private_key_encryption=kms`
			`log_level=WARNING`
			`cert_validity_hours=1`
			`max_cert_validity_hours=24`
			`rate_limit_certs_per_minute=5`
			`require_key_verification=true`

			`[testing]`
			`# Override settings for testing environment`
			`private_key_encryption=local`
			`log_level=DEBUG`
			`cert_validity_hours=1`
			`max_cert_validity_hours=24`
			`rate_limit_certs_per_minute=100`
			`require_key_verification=true`
			`audit_enabled=false`