started readme

2026-01-03 17:39:26 -06:00
parent b333ae716e
commit 58e033e16e
1 changed files with 44 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,44 @@
+# Janus
+
+Janus is the god of doorways and passages.
+
+## Setup
+
+### Step-CA [Getting Started]
+
+[Getting Started]: https://smallstep.com/docs/step-ca/getting-started/
+
+```
+step ca init --ssh --acme
+```
+
+### [Running `step-ca` as a Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production/#running-step-ca-as-a-daemon)
+
+### [Renewal using `systemd` timers](https://smallstep.com/docs/step-ca/renewal/#renewal-using-systemd-timers)
+
+## SSH Certificates
+
+Use step-ca to sign an existing public key to produce a signed certificate with some principals on it.
+
+```
+step ssh certificate --host --sign \
+--principal janus --principal janus.john-stream.com \
+--provisioner admin \
+janus /etc/ssh/ssh_host_ed25519_key.pub
+```
+
+Get the (public) cert for the CA that signs the user SSH certs from step-ca.
+
+```
+step ssh config --roots > /etc/ssh/ssh_user_ca.pub
+```
+
+Configure sshd to point to the key/cert combo.
+
+```
+cat << EOF > /etc/ssh/sshd_config.d/certs.conf
+TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+EOF
+```