# SSH CA configuration: base settings in [default], per-environment
# overrides in [development], [production] and [testing].
# NOTE(review): the loader that reads this file is not visible here. Two
# constructs below are parser-dependent and should be confirmed against it:
#   - whether `[default]` (lower-case) is treated as a fallback section
#     (Python configparser only does this for the exact name `[DEFAULT]`;
#     to it, `[default]` is an ordinary section);
#   - whether `${VAR}` values are expanded from the environment (most INI
#     parsers leave them as literal text; configparser ExtendedInterpolation
#     would look for a *key* named VAR in this section and raise).
[default]
# Certificate validity period (in hours)
# Default: 1 hour. Short lifetimes are the primary revocation mechanism here:
# a leaked certificate is only useful until it expires.
cert_validity_hours=1
# Maximum certificate validity allowed (in hours)
# Default: 24 hours
# Prevents users from requesting certificates valid longer than this
max_cert_validity_hours=24
# Certificate Request Limits
# Maximum number of certificates per user
max_certs_per_user=100
# Certificate revocation list (CRL) configuration
# NOTE(review): OpenSSH sshd consumes revocation data via `RevokedKeys`
# (a list of public keys or a KRL produced by `ssh-keygen -k`), not an X.509
# CRL. If sshd hosts are the consumer of this endpoint, confirm the served
# artifact is in a format they accept.
crl_enabled=true
# CRL endpoint URL - set to your domain where CRL is served
crl_endpoint=https://ca.example.com/crl
# CRL refresh interval (in hours)
# Revocation can take up to this long to reach consumers; with
# cert_validity_hours=1 in production, expiry is the faster path.
crl_refresh_hours=24
# CA Key Configuration
# Default key type for new CAs (ed25519, rsa, ecdsa)
default_key_type=ed25519
# RSA key size (if using RSA)
rsa_key_bits=4096
# Private key encryption
# Method: kms (AWS Key Management Service) or local (for development only)
# NOTE(review): `local` is also selected in [testing] below; only
# [development] sets a ca_key_path, so confirm where a local key is read
# from in the testing environment.
private_key_encryption=kms
# AWS KMS Key ID (only used if private_key_encryption=kms)
# NOTE(review): `${SSH_CA_KMS_KEY_ID}` must be substituted by the loader
# before use; otherwise the literal string reaches the KMS client. Confirm
# startup fails loudly when the variable is unset rather than falling
# through to `local`.
aws_kms_key_id=${SSH_CA_KMS_KEY_ID}
# SSH Certificate Extensions
# Default extensions to add to certificates
# NOTE(review): this default grants every standard extension. Least
# privilege would leave out permit-agent-forwarding and permit-X11-forwarding
# by default, since both widen what a compromised target host can reach, and
# grant them per request where needed. Kept as-is pending confirmation that
# the issuer can restrict extensions per request.
extensions_enabled=true
extensions=permit-X11-forwarding,permit-agent-forwarding,permit-pty,permit-port-forwarding,permit-user-rc
# Critical Options
# Critical options to add to certificates (rarely needed)
# NOTE(review): critical options (e.g. source-address, force-command) are the
# per-certificate restriction mechanism; with this disabled, issued
# certificates carry no source-address restriction unless added elsewhere.
critical_options_enabled=false
# Certificate Field Limits
# Maximum number of principals per certificate (SSH limitation is 256)
max_principals_per_cert=256
# Maximum length for key_id field
max_key_id_length=255
# Logging Configuration
# Log level for SSH CA operations (DEBUG, INFO, WARNING, ERROR)
log_level=INFO
# Audit Configuration
# Log all certificate signing operations
# Keep enabled wherever real certificates are issued; this is the record
# that ties a key_id/principals to a requester after the fact.
audit_enabled=true
# Security Configuration
# Require SSH key verification before issuing certificates
# (proof that the requester controls the key being signed)
require_key_verification=true
# Verification challenge max age (in hours)
# NOTE(review): the key name carries no unit; the comment is the only
# statement that this is hours - confirm against the loader.
verification_challenge_max_age=24
# Rate limiting for certificate signing
# Max certificates per minute per user
rate_limit_certs_per_minute=5
# Request timeout (in seconds)
request_timeout=30
# Cleanup Configuration
# Automatically delete unverified SSH keys after this many days
auto_delete_unverified_days=30
# Archive expired certificates after this many days
# Archived records are what remain available for incident review once a
# certificate has expired; do not shorten this below the audit retention
# requirement.
archive_expired_days=365
# CLI OAuth Configuration (for secuird-cli.py compatibility)
# OAuth token endpoint for CLI clients
# NOTE(review): these are path-only values; presumably resolved against the
# API base URL by the CLI - confirm, since an absolute URL here would change
# which host receives the token.
oauth_token_endpoint=/api/v1/oauth2/token
# OAuth userinfo endpoint for CLI clients
oauth_userinfo_endpoint=/api/v1/oauth2/userinfo

[development]
# Override settings for development environment
# NOTE(review): this section disables proof-of-possession
# (require_key_verification=false), allows 30-day certificates and reads
# the CA key unencrypted from a personal home directory. None of this must
# be reachable from a deployment; confirm environment selection cannot be
# influenced by a request.
private_key_encryption=local
# NOTE(review): absolute path under one developer's home directory - not
# portable to other machines or CI; consider a path relative to the
# checkout or an environment-supplied value.
ca_key_path=/home/james/cory/secuird/certs/ca-users
log_level=DEBUG
cert_validity_hours=24
max_cert_validity_hours=720
rate_limit_certs_per_minute=100
require_key_verification=false

[production]
# Override settings for production environment
# These repeat the [default] values; presumably intentional so that an edit
# to [default] cannot silently weaken production.
private_key_encryption=kms
log_level=WARNING
cert_validity_hours=1
max_cert_validity_hours=24
rate_limit_certs_per_minute=5
require_key_verification=true

[testing]
# Override settings for testing environment
# NOTE(review): audit logging is switched off here; acceptable only if the
# testing CA key can never sign certificates trusted by real hosts.
private_key_encryption=local
log_level=DEBUG
cert_validity_hours=1
max_cert_validity_hours=24
rate_limit_certs_per_minute=100
require_key_verification=true
audit_enabled=false