Feat: Added CA-merged with Securid-Principals, Depart, Client-CLI

2026-02-27 21:59:01 +05:45
parent 92fd57447d
commit b2212ab4d6
29 changed files with 3718 additions and 53 deletions
@@ -0,0 +1,114 @@
+
+[default]
+# Certificate validity period (in hours)
+# Default: 1 hour
+cert_validity_hours=1
+
+# Maximum certificate validity allowed (in hours)
+# Default: 24 hours
+# Prevents users from requesting certificates valid longer than this
+max_cert_validity_hours=24
+
+# Certificate Request Limits
+# Maximum number of certificates per user
+max_certs_per_user=100
+
+# Certificate revocation list (CRL) configuration
+crl_enabled=true
+# CRL endpoint URL - set to your domain where CRL is served
+crl_endpoint=https://ca.example.com/crl
+# CRL refresh interval (in hours)
+crl_refresh_hours=24
+
+# CA Key Configuration
+# Default key type for new CAs (ed25519, rsa, ecdsa)
+default_key_type=ed25519
+
+# RSA key size (if using RSA)
+rsa_key_bits=4096
+
+# Private key encryption
+# Method: kms (AWS Key Management Service) or local (for development only)
+private_key_encryption=kms
+# AWS KMS Key ID (only used if private_key_encryption=kms)
+aws_kms_key_id=${SSH_CA_KMS_KEY_ID}
+
+# SSH Certificate Extensions
+# Default extensions to add to certificates
+extensions_enabled=true
+extensions=permit-X11-forwarding,permit-agent-forwarding,permit-pty,permit-port-forwarding,permit-user-rc
+
+# Critical Options
+# Critical options to add to certificates (rarely needed)
+critical_options_enabled=false
+
+# Certificate Field Limits
+# Maximum number of principals per certificate (SSH limitation is 256)
+max_principals_per_cert=256
+
+# Maximum length for key_id field
+max_key_id_length=255
+
+# Logging Configuration
+# Log level for SSH CA operations (DEBUG, INFO, WARNING, ERROR)
+log_level=INFO
+
+# Audit Configuration
+# Log all certificate signing operations
+audit_enabled=true
+
+# Security Configuration
+# Require SSH key verification before issuing certificates
+require_key_verification=true
+
+# Verification challenge max age (in hours)
+verification_challenge_max_age=24
+
+# Rate limiting for certificate signing
+# Max certificates per minute per user
+rate_limit_certs_per_minute=5
+
+# Request timeout (in seconds)
+request_timeout=30
+
+# Cleanup Configuration
+# Automatically delete unverified SSH keys after this many days
+auto_delete_unverified_days=30
+
+# Archive expired certificates after this many days
+archive_expired_days=365
+
+# CLI OAuth Configuration (for secuird-cli.py compatibility)
+# OAuth token endpoint for CLI clients
+oauth_token_endpoint=/api/v1/oauth2/token
+# OAuth userinfo endpoint for CLI clients
+oauth_userinfo_endpoint=/api/v1/oauth2/userinfo
+
+[development]
+# Override settings for development environment
+private_key_encryption=local
+ca_key_path=/home/james/cory/secuird/certs/ca-users
+log_level=DEBUG
+cert_validity_hours=24
+max_cert_validity_hours=720
+rate_limit_certs_per_minute=100
+require_key_verification=false
+
+[production]
+# Override settings for production environment
+private_key_encryption=kms
+log_level=WARNING
+cert_validity_hours=1
+max_cert_validity_hours=24
+rate_limit_certs_per_minute=5
+require_key_verification=true
+
+[testing]
+# Override settings for testing environment
+private_key_encryption=local
+log_level=DEBUG
+cert_validity_hours=1
+max_cert_validity_hours=24
+rate_limit_certs_per_minute=100
+require_key_verification=true
+audit_enabled=false