From 58e033e16e39c272d55dbd44fbc47c7ff52eed2b Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Sat, 3 Jan 2026 17:39:26 -0600 Subject: [PATCH] started readme --- README.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..738402c --- /dev/null +++ b/README.md @@ -0,0 +1,44 @@ +# Janus + +Janus is the god of doorways and passages. + +## Setup + +### Step-CA [Getting Started] + +[Getting Started]: https://smallstep.com/docs/step-ca/getting-started/ + +``` +step ca init --ssh --acme +``` + +### [Running `step-ca` as a Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production/#running-step-ca-as-a-daemon) + +### [Renewal using `systemd` timers](https://smallstep.com/docs/step-ca/renewal/#renewal-using-systemd-timers) + +## SSH Certificates + +Use step-ca to sign an existing public key to produce a signed certificate with some principals on it. + +``` +step ssh certificate --host --sign \ +--principal janus --principal janus.john-stream.com \ +--provisioner admin \ +janus /etc/ssh/ssh_host_ed25519_key.pub +``` + +Get the (public) cert for the CA that signs the user SSH certs from step-ca. + +``` +step ssh config --roots > /etc/ssh/ssh_user_ca.pub +``` + +Configure sshd to point to the key/cert combo. + +``` +cat << EOF > /etc/ssh/sshd_config.d/certs.conf +TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub +HostKey /etc/ssh/ssh_host_ed25519_key +HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub +EOF +``` \ No newline at end of file
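Review bot: the last block of the README (the `cat << EOF > /etc/ssh/sshd_config.d/certs.conf` heredoc) ends the procedure without validating or reloading sshd, so a typo in the drop-in is only discovered when the next connection fails; add a `sshd -t` check followed by `systemctl reload ssh` (or the equivalent for the distribution) after the heredoc, and state that the drop-in only takes effect when the main `sshd_config` carries an `Include /etc/ssh/sshd_config.d/*.conf` directive, which is not guaranteed on every platform. Two more points a reader of this README will need: `TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub` makes sshd accept any user certificate the CA signs whose principals match the login name, so the text should say which principals the user certificates are expected to carry (or that an `AuthorizedPrincipalsFile` is used), and the host certificate produced by `step ssh certificate --host --sign ... janus /etc/ssh/ssh_host_ed25519_key.pub` expires, while the only renewal reference in the Setup section (the `systemd` timers link) is not tied to this host certificate anywhere in the text, so the README should say how `/etc/ssh/ssh_host_ed25519_key-cert.pub` gets renewed. Minor style: the file is committed without a trailing newline (`\ No newline at end of file`).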