import { MoreHorizontal, RefreshCw, Server, ServerCog, Settings, ShieldOff, Terminal, User, } from "lucide-react";
import { Button } from "@/components/ui/button";
import { Badge } from "@/components/ui/badge";
import { Card, CardContent, CardDescription, CardHeader, CardTitle, } from "@/components/ui/card";
import { DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuSeparator, DropdownMenuTrigger, } from "@/components/ui/dropdown-menu";
import { Accordion, AccordionContent, AccordionItem, AccordionTrigger, } from "@/components/ui/accordion";
import { Textarea } from "@/components/ui/textarea";
import { OrgCA } from "@/lib/api";
import { formatDate } from "./utils";
import { CopyButton } from "./CopyButton";

/** Props accepted by CADetailCard. */
interface CADetailCardProps {
  /** The certificate-authority record whose details are displayed. */
  ca: OrgCA;
  /** Called with the CA when "Edit configuration" is chosen (menu is only rendered for non-system CAs). */
  onEdit: (ca: OrgCA) => void;
  /** Called with the CA when "Rotate key" is chosen (menu is only rendered for non-system CAs). */
  onRotate: (ca: OrgCA) => void;
  /** Called with the CA when "Delete CA" is chosen (menu is only rendered for non-system CAs). */
  onDelete: (ca: OrgCA) => void;
}

/**
 * Detail card for one SSH certificate authority: name, status badge, key type,
 * issuance statistics, fingerprint and public key, plus a ready-to-paste
 * OpenSSH configuration snippet that differs for user CAs and host CAs.
 *
 * Only the beginning of the component is documented here; the rest of the
 * rendered markup lies beyond this block.
 */
export function CADetailCard({ ca, onEdit, onRotate, onDelete }: CADetailCardProps) {
  // Any ca_type other than "user" is treated as a host CA by the ternary below.
  const isUser = ca.ca_type === "user";
  // Coerced to a strict boolean; system CAs get no actions menu and no stats row.
  const isSystem = !!ca.is_system;

  // ── User CA: server trusts this public key so it accepts user certs ──────
  // NOTE(review): ca.public_key is interpolated verbatim between single quotes
  // in a command that operators paste into a shell on the server. Nothing in
  // this block checks that the value is a single-line OpenSSH public key (no
  // quote characters or line breaks); confirm the API guarantees that, or
  // validate the value before rendering the snippet.
  // NOTE(review): the last snippet line stops at "auth_principals/" although
  // AuthorizedPrincipalsFile uses %u (one file per login name); a per-user file
  // name placeholder appears to be missing from the text. Confirm the wording.
  const userCaServerSnippet = `# On each SSH server — trust Secuird-issued user certificates: echo '${ca.public_key.trim()}' >> /etc/ssh/trusted_user_ca # /etc/ssh/sshd_config (add once, then reload sshd): TrustedUserCAKeys /etc/ssh/trusted_user_ca AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u # Create /etc/ssh/auth_principals/ containing one principal per line.`;

  // ── Host CA: clients trust this public key so they can verify server certs ─
  // NOTE(review): the "*" host pattern after @cert-authority makes clients
  // accept this CA for every hostname they connect to. Operators who want a
  // narrower trust scope should replace it with their own domain pattern; a
  // hint to that effect in the snippet would help. The public key is again
  // interpolated without any format check.
  const hostCaClientSnippet = `# On SSH clients — trust host certificates signed by this CA: # Add to ~/.ssh/known_hosts (or /etc/ssh/ssh_known_hosts for system-wide): @cert-authority * ${ca.public_key.trim()} # ─── Server side (separate step) ──────────────────────────────────────────── # 1. Collect the server's HOST public key: # cat /etc/ssh/ssh_host_ed25519_key.pub # 2. Submit it to Secuird → "Issue Host Certificate" to get a signed cert. 
# 3. Install the cert on the server: # /etc/ssh/sshd_config: # HostKey /etc/ssh/ssh_host_ed25519_key # HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub # 4. Verify the cert (NOT this CA key): # ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub # ↳ Type must be: ssh-ed25519-cert-v01@openssh.com host certificate`;

  // Pick the snippet that matches the CA type: server-side trust setup for a
  // user CA, client-side known_hosts setup for a host CA.
  const sshConfig = isUser ? userCaServerSnippet : hostCaClientSnippet;

  return (
{isSystem ? ( ) : isUser ? ( ) : ( )} {ca.name} {isSystem ? ( System ) : ca.is_active ? ( Active ) : ( Inactive )} {ca.description && ( {ca.description} )}
{/* Right side: key-type badge + actions menu */}
{ca.key_type} {/* ⋯ actions — only for non-system CAs */} {!isSystem && ( onEdit(ca)}> Edit configuration onRotate(ca)}> Rotate key onDelete(ca)} className="text-destructive focus:text-destructive" > Delete CA )}
{/* Stats row — hidden for system CAs */} {!isSystem && (

{ca.active_certs}

Active certs

{ca.total_certs}

Total issued

{ca.default_cert_validity_hours}h

Default validity

{ca.next_serial_number ?? "—"}

Next serial

)} {/* Fingerprint — with copy button */}

Fingerprint

{ca.fingerprint}
{/* Public key */}

{isUser ? "User CA public key" : "Host CA public key"}

{isUser ? "Distribute to SSH servers → TrustedUserCAKeys" : "Distribute to SSH clients → known_hosts @cert-authority (NOT HostCertificate)"}